diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 9d74228e1..c9a8f0724 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -178,10 +178,14 @@
   },
   "logs-azure.activitylogs-*": {
     "azure.activitylogs.properties.authentication_protocol": "keyword",
-    "azure.activitylogs.properties.appId": "keyword", 
-    "azure.activitylogs.properties.resourceDisplayName": "keyword", 
+    "azure.activitylogs.properties.appId": "keyword",
+    "azure.activitylogs.properties.resourceDisplayName": "keyword",
     "azure.activitylogs.properties.appDisplayName": "keyword"
   },
+  "logs-azure.graphactivitylogs-*": {
+    "azure.graphactivitylogs.properties.c_idtyp": "keyword",
+    "azure.graphactivitylogs.properties.user_principal_object_id": "keyword"
+  },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
     "okta.debug_context.debug_data.flattened.grantType": "keyword"
diff --git a/pyproject.toml b/pyproject.toml
index 3a34ffe15..e44594a8f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.1.5"
+version = "1.1.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/azure/initial_access_entra_susp_visual_code_signin.toml b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
similarity index 74%
rename from rules/integrations/azure/initial_access_entra_susp_visual_code_signin.toml
rename to rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
index da5a67dc7..b07416330 100644
--- a/rules/integrations/azure/initial_access_entra_susp_visual_code_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
@@ -2,21 +2,27 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/23"
+updated_date = "2025/04/30"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies login activity where the Visual Studio Code `client_id` is used in combination with a resourceDisplayName containing `Microsoft Graph`. This may indicate an attempt to authenticate via Visual Studio Code phishing.
+Detects potentially suspicious OAuth authorization activity in Microsoft Entra ID where the Visual Studio Code
+first-party application (client_id = aebc6443-996d-45c2-90f0-388ff96faa56) is used to request access to Microsoft Graph
+resources. While this client ID is legitimately used by Visual Studio Code, threat actors have been observed abusing it
+in phishing campaigns to make OAuth requests appear trustworthy. These attacks rely on redirect URIs such as VSCode's
+Insiders redirect location, prompting victims to return an OAuth authorization code that can be exchanged for access
+tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or
+credential phishing activity.
 """
 from = "now-25m"
-index = ["filebeat-*", "logs-azure.activitylogs-*", "logs-azure.signinlogs-*"]
+index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Azure Sign-in via Visual Studio Code"
+name = "Microsoft Entra ID OAuth Phishing via Visual Studio Code Client"
 note = """## Triage and analysis
 
-### Investigating Suspicious Azure Sign-in via Visual Studio Code
+### Investigating Microsoft Entra ID OAuth Phishing via Visual Studio Code Client
 
 ### Possible investigation steps
 
@@ -30,12 +36,9 @@ note = """## Triage and analysis
 
 ## False positive analysis
 
-### Common benign scenarios
 - Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in `azure.signinlogs.properties.authentication_protocol`.
 - Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under `source.ip`.
 - User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in `azure.signinlogs.properties.status.error_code`.
-
-### How to reduce false positives
 - Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering `source.ip`.
 - Exlcude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication.
 - Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering `azure.signinlogs.properties.user_principal_name`.
@@ -43,15 +46,12 @@ note = """## Triage and analysis
 
 ## Response and remediation
 
-### Immediate actions
 - Block the source IP address in `source.ip` if determined to be malicious.
 - Reset passwords for all affected user accounts listed in `azure.signinlogs.properties.user_principal_name` and enforce stronger password policies.
 - Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in `azure.signinlogs.properties.authentication_protocol`.
 - Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
 - Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
 - Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
-
-### Long-term mitigation
 - Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
 - Regularly review and update conditional access policies to ensure they are effective against evolving threats.
 - Restrict the use of legacy authentication protocols by disabling authentication methods listed in `azure.signinlogs.properties.client_app_used`.
@@ -60,7 +60,7 @@ note = """## Triage and analysis
 """
 references = [
     "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
-    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/"
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 ]
 risk_score = 47
 rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9"
@@ -68,6 +68,8 @@ severity = "medium"
 tags = [
     "Domain: Cloud",
     "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Resources: Investigation Guide",
     "Tactic: Initial Access",
@@ -76,11 +78,16 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:("azure.signinlogs" or "azure.activitylogs") and 
-event.action : "Sign-in activity" and event.outcome:(success or Success) and 
-(azure.activitylogs.properties.resourceDisplayName : "Microsoft Graph" or azure.signinlogs.properties.resource_display_name : "Microsoft Graph") and 
-(azure.signinlogs.properties.app_id : "aebc6443-996d-45c2-90f0-388ff96faa56" or azure.signinlogs.properties.app_display_name : "Visual Studio Code" or 
- azure.activitylogs.properties.appDisplayName : "Visual Studio Code" or azure.activitylogs.properties.appId : "aebc6443-996d-45c2-90f0-388ff96faa56")
+event.dataset: "azure.signinlogs" and
+event.action: "Sign-in activity" and
+event.outcome: "success" and
+(
+  azure.signinlogs.properties.resource_display_name: "Microsoft Graph" or
+  azure.signinlogs.properties.resource_id: "00000003-0000-0000-c000-000000000000"
+) and (
+  azure.signinlogs.properties.app_id: "aebc6443-996d-45c2-90f0-388ff96faa56" or
+  azure.signinlogs.properties.app_display_name: "Visual Studio Code"
+)
 '''
 
 
@@ -90,9 +97,25 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
 
 
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
new file mode 100644
index 000000000..135c45efb
--- /dev/null
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -0,0 +1,129 @@
+[metadata]
+creation_date = "2025/04/23"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/04/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+This New Terms rule focuses on the first occurrence of a client application ID
+(azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID
+(azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule
+may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully
+compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the
+user.
+"""
+false_positives = [
+    """
+    Users legitimately accessing Microsoft Graph API using the specified client application ID and tenant ID. This may
+    include authorized applications or services that interact with Microsoft Graph on behalf of users.
+    """,
+    """
+    Authorized third-party applications or services that use the specified client application ID to access Microsoft
+    Graph API resources for legitimate purposes.
+    """,
+    """
+    Administrative or automated tasks that involve accessing Microsoft Graph API using the specified client application
+    ID and tenant ID, such as provisioning or managing resources.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Graph First Occurrence of Client Request"
+note = """## Triage and analysis
+
+### Investigating Microsoft Graph First Occurrence of Client Request
+
+This rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (`azure.graphactivitylogs.properties.app_id`) in combination with a user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) and tenant ID (`azure.tenant_id`) within the last 14 days. This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows.
+
+Adversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction.
+
+### Possible investigation steps
+
+- Review `azure.graphactivitylogs.properties.user_principal_object_id` and correlate with recent sign-in logs for the associated user.
+- Determine whether `azure.graphactivitylogs.properties.app_id` is a known and approved application in your environment.
+- Investigate the `user_agent.original` field for signs of scripted access (e.g., automation tools or libraries).
+- Check the source IP address (`source.ip`) and geolocation data (`source.geo.*`) for unfamiliar origins.
+- Inspect `azure.graphactivitylogs.properties.scopes` to understand the level of access being requested by the app.
+- Examine any follow-up Graph API activity from the same `app_id` or `user_principal_object_id` for signs of data access or exfiltration.
+- Correlate with device or session ID fields (`azure.graphactivitylogs.properties.c_sid`, if present) to detect persistent or repeat activity.
+
+### False positive analysis
+
+- First-time use of a legitimate Microsoft or enterprise-approved application.
+- Developer or automation workflows initiating new Graph API requests.
+- Valid end-user activity following device reconfiguration or new client installation.
+- Maintain an allowlist of expected `app_id` values and known developer tools.
+- Suppress detections from known good `user_agent.original` strings or approved source IP ranges.
+- Use device and identity telemetry to distinguish trusted vs. unknown activity sources.
+- Combine with session risk or sign-in anomaly signals where available.
+
+### Response and remediation
+
+- Reach out to the user and verify whether they authorized the application access.
+- Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed.
+- Search for additional Graph API calls made by the same `app_id` or `user_principal_object_id`.
+- Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed.
+- Apply Conditional Access policies to limit Graph API access by app type, IP, or device state.
+- Restrict user consent for third-party apps and enforce admin approval workflows.
+- Monitor usage of new or uncommon `app_id` values across your tenant.
+- Provide user education on OAuth phishing tactics and reporting suspicious prompts.
+"""
+references = [
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+]
+risk_score = 21
+rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Graph",
+    "Data Source: Microsoft Graph Activity Logs",
+    "Resources: Investigation Guide",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Initial Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.graphactivitylogs"
+    and event.type: "access"
+    and azure.graphactivitylogs.properties.c_idtyp: "user"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = [
+    "azure.graphactivitylogs.properties.app_id",
+    "azure.graphactivitylogs.properties.user_principal_object_id",
+    "azure.tenant_id",
+]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+
diff --git a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml
new file mode 100644
index 000000000..f1a46b348
--- /dev/null
+++ b/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2025/04/23"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/04/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects potentially suspicious OAuth authorization activity in Microsoft 365 where the Visual Studio Code first-party
+application (client_id = aebc6443-996d-45c2-90f0-388ff96faa56) is used to request access to Microsoft Graph resources.
+While this client ID is legitimately used by Visual Studio Code, threat actors have been observed abusing it in phishing
+campaigns to make OAuth requests appear trustworthy. These attacks rely on redirect URIs such as VSCode Insiders
+redirect location, prompting victims to return an OAuth authorization code that can be exchanged for access tokens. This
+rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing
+activity.
+"""
+from = "now-25m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 OAuth Phishing via Visual Studio Code Client"
+note = """## Triage and analysis
+
+### Investigating Microsoft 365 OAuth Phishing via Visual Studio Code Client
+
+This rule identifies successful Microsoft 365 sign-ins where the Visual Studio Code first-party application (`ApplicationId = aebc6443-996d-45c2-90f0-388ff96faa56`) was used to initiate an OAuth 2.0 authorization code flow targeting Microsoft Graph. While this is common for legitimate development workflows, it has been abused in real-world phishing campaigns to trick users into returning authorization codes that attackers can exchange for access tokens.
+
+The behavior is typically seen in targeted attacks where users are lured into clicking a Microsoft login URL that redirects to a legitimate Microsoft URI (such as `insiders.vscode.dev`) and displays an OAuth code. If the user returns this code (e.g., via Signal, WhatsApp, or email), the attacker can use it to gain access to the user’s data via Microsoft Graph APIs — all without prompting for explicit consent or MFA, especially when default or pre-consented apps are abused.
+
+### Possible investigation steps
+
+- Review `user.name` or `o365.audit.UserId` to identify the impacted account.
+- Validate whether the user expected to authorize the Visual Studio Code app at the time of the event.
+- Check if `o365.audit.ActorIpAddress` is an unexpected or geolocated IP — especially outside of corporate ranges or from proxy networks.
+- Look at `user_agent.original` and `o365.audit.DeviceProperties` to determine the device and browser involved — known attacker flows often show Chrome + MacOS or headless browser variants.
+- Confirm the `Target.ID` (Microsoft Graph: `00000003-0000-0000-c000-000000000000`) matches the scope of access the attacker might attempt.
+- Check for follow-up access events or mailbox enumeration using the Graph API from unfamiliar service principals or devices.
+- Review the `ExtendedProperties.RequestType` = `OAuth2:Authorize` and `ResultStatusDetail` = `Redirect` — this indicates that the user was redirected after authorization, which typically exposes the OAuth `code`.
+
+### False positive analysis
+
+- Developers or IT users intentionally using Visual Studio Code to connect to Microsoft 365 may trigger this rule.
+- Legitimate Visual Studio Code extensions that sync or query Graph API data (e.g., calendars, tasks, cloud-hosted notebooks).
+- Enterprise use cases where VS Code is used for integrated identity workflows.
+- Exclude known user agents and hosts that regularly use Visual Studio Code against Graph.
+- Whitelist specific source IPs or devices tied to developer machines.
+- Correlate with user context and behavior — if the user has no reason to be developing or testing code, the event may be more suspicious.
+- Add exception rules for managed devices or corporate laptops using this flow regularly.
+
+### Response and remediation
+
+- Reach out to the user to confirm if they expected this login or may have shared an OAuth code.
+- Suspend or reset credentials if the login appears suspicious or if the code was likely returned to a third party.
+- Review recent Microsoft Graph activity (email, file access, Teams) for this user and service principal.
+- Block or restrict future use of OAuth tokens from unknown apps or IPs via Conditional Access.
+- Add alerts for `ApplicationId = aebc6443-...` combined with low-reputation IPs or unexpected device fingerprints.
+- Require MFA and Conditional Access for all OAuth flows — even for Microsoft first-party apps.
+- Disable or restrict app consent for users, and require admin approval for Graph API scopes.
+- Educate users about OAuth-based phishing techniques — especially those that ask users to share "codes" after clicking a Microsoft login link.
+- Regularly audit `ApplicationId`, `RequestType`, and `ResultStatusDetail` values in `o365.audit` to spot anomalous usage patterns.
+"""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+]
+risk_score = 47
+rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Resources: Investigation Guide",
+    "Tactic: Initial Access",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "o365.audit"
+    and event.action: "UserLoggedIn"
+    and o365.audit.ApplicationId: "aebc6443-996d-45c2-90f0-388ff96faa56"
+    and o365.audit.Target.ID: "00000003-0000-0000-c000-000000000000"
+    and o365.audit.ExtendedProperties.RequestType: "OAuth2:Authorize"
+    and o365.audit.ExtendedProperties.ResultStatusDetail: "Redirect"
+    and o365.audit.UserType: ("0" or "2" or "3" or "5" or "6" or "10")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+