In this video, I uncover how attackers are exploiting OAuth applications in Microsoft 365 to maintain persistence, exfiltrate data, and launch phishing campaigns—often without triggering any red flags. Whether it’s through legitimate-looking apps or cleverly crafted malicious ones, these backdoor access points can put your entire tenant at risk.
🚨 What You'll Learn:
✅ What OAuth and Enterprise Applications are in Microsoft 365
✅ How attackers leverage them for persistent access
✅ Real-world examples of app-based attacks (including multi-tenant phishing campaigns)
✅ How to lock down your tenant settings to prevent unauthorized app consent
✅ Hunting techniques to detect suspicious or over-permissioned applications
✅ Tools and scripts (including CloudCapsule) to automate app security reviews
🔒 Why Watch?
OAuth abuse is one of the stealthiest tactics in the modern attacker’s playbook. This video walks through real-world attack chains, then arms you with the practical tools and steps needed to detect and prevent malicious applications inside your Microsoft 365 environment.
🔧 Automate Your M365 Security Assessments:
Try CloudCapsule, my tool for fast, automated security audits of Microsoft 365 environments. Instantly find risky applications, permission misconfigurations, and more. Run a free assessment in under 90 seconds 👉
https://hubs.ly/Q03g2tK80
📖 Related Blog Post:
https://tminus365.com/find-risky-apps-in-microsoft-365/
⏳ Table of Contents:
00:00 - Intro
00:46 - What is an OAuth / Enterprise Application
02:48 - Attack Kill Chain
07:18 - Real-world OAuth attack examples
09:07 - TraderWare vs. Malicious Custom Apps
14:40 - Locking down user consent
16:04 - How to hunt for suspicious apps
18:03 - Tools, scripts, and automation with CloudCapsule
28:33 - Final tips for cleaning up your app inventory
👍 Engage with Me:
Enjoyed this video? Hit 'Like', subscribe for more Microsoft 365 security deep dives, and share with anyone responsible for securing cloud environments. Got questions or tips? Drop them in the comments—I’d love to hear your insights.
🎵 Intro Music: Jordyn Edmonds
https://www.youtube.com/watch?v=y06dz2cX4r0
#Microsoft365 #OAuthSecurity #CyberSecurity #MicrosoftSecurity #MSP #EntraID #CloudCapsule #AzureAD #OAuthAttack #Phishing #ZeroTrust #SecurityTools