
Suspicious Email Access by First-Party Application via Microsoft Graph

Elastic Detection Rules

Summary
This rule is designed to detect suspicious access to email resources via the Microsoft Graph API by first-party applications, which may indicate the use of compromised OAuth tokens. It focuses on requests to specific email-related endpoints (such as `/me/mailFolders/inbox/messages` and `/users/{user_id}/messages`) made through a public client application ID and user principal object ID that have not been seen together in the activity logs during the past 14 days. The rule is implemented as a New Terms rule, so it only triggers when the combination of application ID and user object ID is new within that lookback window. The detection logic queries Microsoft Graph activity logs and considers the request URI, the user credentials, and the associated OAuth scopes. The rule includes detailed investigation steps for responding to any detected activity, since the initial access may have been obtained through user-targeted actions such as phishing.
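To make the New Terms logic concrete, here is an added example (not Elastic's rule query or code) that runs a simplified version of the same check over a handful of constructed Microsoft Graph activity log records. The record field names (`timestamp`, `request_uri`, `app_id`, `user_object_id`, `is_public_client`) are assumptions for this illustration, not the actual integration's field names; the email endpoint patterns are the ones named in the summary.

```python
"""Simplified New Terms style check over constructed Graph activity log records.

Added example; the field names below are assumed for illustration and do not
reflect the real Elastic integration schema.
"""
import re
from datetime import datetime, timedelta

# Email-related Graph request paths called out in the rule summary
# (/me/... and /users/{user_id}/... variants, v1.0 or beta).
EMAIL_URI = re.compile(
    r"^/(?:v1\.0|beta)/(?:me|users/[^/]+)/(?:mailFolders/inbox/messages|messages)(?=[/?]|$)",
    re.IGNORECASE,
)


def is_email_request(uri: str) -> bool:
    """True when the request path targets a mailbox endpoint."""
    return bool(EMAIL_URI.match(uri))


def new_term_alerts(events, lookback_days=14):
    """Return the records that would fire the rule.

    A record fires when a public client application hits an email endpoint and
    the (app_id, user_object_id) pair has not appeared in the activity log within
    the lookback window. Every record, email-related or not, counts as having
    "seen" its pair, mirroring the 14-day history window described above.
    """
    window = timedelta(days=lookback_days)
    last_seen = {}  # (app_id, user_object_id) -> timestamp of most recent activity
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"])
        pair = (ev["app_id"], ev["user_object_id"])
        previous = last_seen.get(pair)
        is_new_pair = previous is None or (ts - previous) > window
        if ev["is_public_client"] and is_email_request(ev["request_uri"]) and is_new_pair:
            alerts.append(ev)
        last_seen[pair] = ts
    return alerts


# Constructed sample log records (IDs and GUID-like values are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "timestamp": "2025-05-01T10:00:00+00:00", "app_id": "app-A",
     "user_object_id": "user-1", "is_public_client": True,
     "request_uri": "/v1.0/me/messages"},                       # first time app-A/user-1 -> alert
    {"id": 2, "timestamp": "2025-05-02T10:00:00+00:00", "app_id": "app-A",
     "user_object_id": "user-1", "is_public_client": True,
     "request_uri": "/v1.0/me/messages"},                       # pair seen yesterday -> no alert
    {"id": 3, "timestamp": "2025-05-03T10:00:00+00:00", "app_id": "app-A",
     "user_object_id": "user-2", "is_public_client": False,
     "request_uri": "/v1.0/users/user-2/messages"},             # not a public client -> no alert
    {"id": 4, "timestamp": "2025-05-04T10:00:00+00:00", "app_id": "app-B",
     "user_object_id": "user-1", "is_public_client": True,
     "request_uri": "/v1.0/me/calendar"},                       # not an email endpoint, but pair now seen
    {"id": 5, "timestamp": "2025-05-06T10:00:00+00:00", "app_id": "app-B",
     "user_object_id": "user-1", "is_public_client": True,
     "request_uri": "/v1.0/me/mailFolders/inbox/messages"},     # pair seen 2 days ago -> no alert
    {"id": 6, "timestamp": "2025-05-21T10:00:00+00:00", "app_id": "app-A",
     "user_object_id": "user-1", "is_public_client": True,
     "request_uri": "/v1.0/me/mailFolders/inbox/messages?$top=10"},  # last seen 19 days ago -> alert
]


def alert_ids(events=SAMPLE_EVENTS, lookback_days=14):
    """Convenience wrapper returning just the IDs of firing records."""
    return [ev["id"] for ev in new_term_alerts(events, lookback_days)]


if __name__ == "__main__":
    for ev in new_term_alerts(SAMPLE_EVENTS):
        print(f"ALERT id={ev['id']} app={ev['app_id']} user={ev['user_object_id']} uri={ev['request_uri']}")
```

Note that record 4 shows why the novelty check has to be computed over all activity for the pair rather than only over email requests: a calendar call from app-B on behalf of user-1 is enough to make the later inbox read from the same pair look routine, which is exactly the behaviour the 14-day history window in the summary describes.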
Categories
  • Cloud
  • Endpoint
  • Application
Data Sources
  • Application Log
  • Cloud Service
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1114
Created: 2025-05-06