Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

Elastic Detection Rules

Summary
This rule detects Entra ID sign-in activity indicative of Tycoon2FA AiTM phishing campaigns. It identifies sign-ins where the Microsoft Authentication Broker requests tokens for Graph or Exchange Online, or where the Office web client authenticates to itself, combined with Node.js-style user agents such as node, axios, or undici. Tycoon2FA bypasses MFA by relaying the authentication and capturing session material, and it often targets Microsoft 365 and Gmail.

The query uses the azure.signinlogs dataset, filters for specific app_id and resource_id pairs associated with Graph, Exchange Online, and the Office web client, and requires a user_agent.original containing node, axios, or undici. Legitimate automation or developer tooling using the same apps or first-party IDs can produce false positives; developers using axios or undici with delegated flows may resemble this pattern.

The risk score is 73 and the severity is high. MITRE mapping includes T1566 Phishing (Initial Access) and T1539 Steal Web Session Cookie (Credential Access).

Investigation should correlate the sign-in with Graph activity and mailbox audits, review conditional access and MFA outcomes, and hunt for other sign-ins from the same IP. Remediation includes revoking refresh tokens, resetting credentials, reviewing app consent, and blocking or monitoring the source IP per incident procedures.
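The matching logic the summary describes, written out as an added Python example run over constructed sample sign-in events. This is not Elastic's rule or its query; it assumes the well-known Microsoft first-party IDs shown below (Authentication Broker, Graph, Exchange Online and OfficeHome), flat dotted field names in the style of the Elastic Azure integration, and a local user-agent allowlist hook for tuning the false positives the summary mentions. The `triage` helper groups hits by source IP to support the "other sign-ins from the same IP" pivot.

```python
from collections import defaultdict

# Assumed well-known Microsoft first-party application and resource IDs.
# These are an assumption of this example; the rule's own app_id/resource_id
# pairs come from the rule source, not from this page.
MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
MS_GRAPH = "00000003-0000-0000-c000-000000000000"         # Microsoft Graph
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Exchange Online
OFFICE_HOME = "4765445b-32c6-49b0-83e6-1d93765276ca"      # OfficeHome (Office web client)

# (app_id, resource_id) combinations the summary calls out.
SUSPECT_PAIRS = {
    (MS_AUTH_BROKER, MS_GRAPH),
    (MS_AUTH_BROKER, EXCHANGE_ONLINE),
    (OFFICE_HOME, OFFICE_HOME),  # Office web client authenticating to itself
}
NODE_UA_MARKERS = ("node", "axios", "undici")


def matches_rule(event: dict, ua_allowlist: tuple = ()) -> bool:
    """Return True when a sign-in event satisfies the rule's core conditions.

    Field names are flat, dotted ECS-style keys (an assumption of this example).
    ua_allowlist is a local tuning hook: substrings of user agents belonging to
    known, approved automation are suppressed so they do not alert.
    """
    if event.get("event.dataset") != "azure.signinlogs":
        return False
    pair = (
        event.get("azure.signinlogs.properties.app_id"),
        event.get("azure.signinlogs.properties.resource_id"),
    )
    if pair not in SUSPECT_PAIRS:
        return False
    ua = (event.get("user_agent.original") or "").lower()
    if not any(marker in ua for marker in NODE_UA_MARKERS):
        return False
    return not any(allowed.lower() in ua for allowed in ua_allowlist)


def triage(events, ua_allowlist: tuple = ()) -> dict:
    """Group matching events by source IP (IP -> list of user names)."""
    by_ip = defaultdict(list)
    for event in events:
        if matches_rule(event, ua_allowlist):
            by_ip[event.get("source.ip")].append(event.get("user.name"))
    return dict(by_ip)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Broker -> Graph with an axios user agent: matches
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.properties.app_id": MS_AUTH_BROKER,
        "azure.signinlogs.properties.resource_id": MS_GRAPH,
        "user_agent.original": "axios/1.6.8",
        "source.ip": "203.0.113.10", "user.name": "alice",
    },
    {   # OfficeHome -> OfficeHome with a bare node user agent: matches
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.properties.app_id": OFFICE_HOME,
        "azure.signinlogs.properties.resource_id": OFFICE_HOME,
        "user_agent.original": "node",
        "source.ip": "203.0.113.10", "user.name": "bob",
    },
    {   # Same app pair but a normal browser user agent: no match
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.properties.app_id": MS_AUTH_BROKER,
        "azure.signinlogs.properties.resource_id": MS_GRAPH,
        "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/123.0",
        "source.ip": "198.51.100.7", "user.name": "carol",
    },
    {   # Node-style user agent but an app/resource pair the rule ignores: no match
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.properties.app_id": OFFICE_HOME,
        "azure.signinlogs.properties.resource_id": MS_GRAPH,
        "user_agent.original": "undici",
        "source.ip": "198.51.100.7", "user.name": "dave",
    },
    {   # Wrong dataset entirely: no match
        "event.dataset": "o365.audit",
        "azure.signinlogs.properties.app_id": MS_AUTH_BROKER,
        "azure.signinlogs.properties.resource_id": MS_GRAPH,
        "user_agent.original": "undici",
        "source.ip": "203.0.113.10", "user.name": "erin",
    },
]

if __name__ == "__main__":
    for ip, users in triage(SAMPLE_EVENTS).items():
        print(f"{ip}: {users}")
```

Adding an approved automation user agent to `ua_allowlist` suppresses only that source; the app/resource pair and dataset checks still apply, so the hook narrows the alert without disabling it.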
Categories
  • Cloud
  • Identity Management
Data Sources
  • Logon Session
ATT&CK Techniques
  • T1566
  • T1539
Created: 2026-05-14