I am in Refcount Hell right now, trying to fix a new chunk of our codebase for COM refcounting issues. Debugging missing AddRefs consumes most of my time, and I might write about that one day, but yesterday I managed to over-Release an object and of course I crashed. Finding over-Releases is trivial by comparison:
Assuming you can determine the instance of your object that will be over-released, just set a 4-byte data breakpoint on that pointer value. When the object gets over-released, and its destructor called (by "delete this") the debugger will stop right at that point. This happens because a destructor will overwrite the vtable address with its base class, firing the data breakpoint.
(This assumes you are using some inheritance to get COM refcounting, such as ATL)