diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
index dd16980f85b..e441b5a2a43 100644
--- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,8 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/18"
+
 [rule]
 author = ["Elastic"]
@@ -91,6 +92,9 @@ from logs-azure.signinlogs*
 and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
 and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
 and event.outcome != "success"
+and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
+and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
+and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
 // for tuning review azure.signinlogs.properties.status.error_code
 // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
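Review bot: The new `and not (...)` exclusion in the second hunk carries no comment explaining why exactly these three `status.error_code` values and two `incoming_token_type` values are dropped from the failure count, even though the hunk already keeps a `// for tuning review ...` pointer to the error-code reference. A one-line comment above the clause, e.g. `// exclude non-interactive refresh-token failures (session-expiry/account-state errors, not password guessing) - see error code reference below`, would keep the intent reviewable the next time the list is tuned; the intent is inferred from the codes and token types, so confirm the wording against the reference. The exclusion is scoped to `category == "NonInteractiveUserSignInLogs"`, so the same error codes on interactive `SignInLogs` still count toward the threshold, which is worth stating explicitly if that asymmetry is deliberate. The rule's false-positive guidance and the remainder of the ES|QL statement are outside this hunk, and the enclosing query continues beyond it.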