
Incident Response: M365 Account Compromise

Detecting and remediating a malicious OAuth app attack

Tags: Security, Microsoft 365, Case Study

Incident Overview

An attack involving a malicious OAuth application ("PerfectData Software") designed to export mailbox contents and enable business email compromise (BEC) attacks.

Detection & Initial Response

Detection

Unusual activity detected in a user's Microsoft 365 account triggered investigation.

Immediate Response Actions

  1. Password Resets: Forced a password change for the affected user's O365 account and connected accounts (Dropbox)
  2. Device Management: Removed all mobile devices from email access and verified that only the authorized laptop was connected
  3. System Checks: Examined Task Scheduler, ran security scans, cleared temp files and downloads
  4. Email Security: Verified that no suspicious forwarding rules had been configured during the breach
  5. App Removal: Removed the unauthorized OAuth application from Azure AD, isolated it and hid it from users

Policy Changes Implemented

User Consent Disabled

Blocked user consent for apps accessing organizational data without admin approval

Admin Approval Required

All new OAuth app consents now require administrator approval

Designated Consent Admins

Named specific administrators responsible for reviewing and approving app consent requests

Follow-Up Investigation

Attack Chain Analysis

Stage 1: "PerfectData Software" OAuth app installed in Azure AD
Stage 2: Secondary app "Newsletter Software Supermailer" attempted installation (blocked)
Stage 3 (Prevented): Would have sent fraudulent invoices for wire transfers from compromised accounts

PerfectData Software Capabilities

  • Export entire user mailbox to a PST file
  • Extract calendar events
  • Extract contacts
  • Extract emails and attachments

Key Finding: No Data Compromised

Two sign-in events were detected, but both were interrupted by authentication failures (single-factor authentication and MFA). The user's data was protected by MFA enforcement.

Log Analysis Results

Log Source    | Finding
Email logs    | No definitive indicators of the initial intrusion trigger
Audit logs    | No signs of unauthorized access beyond the app installation
Mailbox logs  | No unauthorized mailbox access detected
Exchange logs | No increase in email volume (no fraudulent emails sent)
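As an added illustration (not part of the original write-up), the following Python buckets a handful of Unified Audit Log records into the evidence classes checked above: successful and blocked app consents, sign-ins interrupted by MFA, forwarding-rule changes and mailbox access, and maps them to the attack-chain stages. The Operation and LogonError names follow the Unified Audit Log, but the record shape is simplified, the set of MFA-interrupt errors is an assumption, and every record value is constructed for this example.

```python
# Operation names as they appear in the Unified Audit Log, grouped by attack stage.
CONSENT_OPS = {"Consent to application.", "Add service principal."}
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# LogonError values for sign-ins interrupted by an MFA challenge (assumed set).
MFA_INTERRUPTS = {"UserStrongAuthClientAuthNRequiredInterrupt", "UserStrongAuthClientAuthNRequired"}

def triage(records):  # bucket records into the evidence classes the case study checked
    out = {"consents": [], "blocked_consents": [], "mfa_interrupted": [],
           "logins": [], "forwarding": [], "mailbox_access": []}
    for r in records:
        op, user, ts = r.get("Operation"), r.get("UserId"), r.get("CreationTime")
        if op in CONSENT_OPS:
            # In this constructed record shape, Type 1 targets carry the app display name.
            app = next((t["ID"] for t in r.get("Target", []) if t.get("Type") == 1), "?")
            key = "consents" if r.get("ResultStatus") == "Success" else "blocked_consents"
            out[key].append((ts, user, app))
        elif op == "UserLoginFailed" and r.get("LogonError") in MFA_INTERRUPTS:
            out["mfa_interrupted"].append((ts, user, r["LogonError"]))
        elif op == "UserLoggedIn":
            out["logins"].append((ts, user, r.get("ClientIP")))
        elif op in FORWARDING_OPS:
            hits = {p["Name"] for p in r.get("Parameters", [])} & FORWARDING_PARAMS  # forwarding params only
            if hits:
                out["forwarding"].append((ts, user, sorted(hits)))
        elif op == "MailItemsAccessed":
            out["mailbox_access"].append((ts, user, r.get("AppId")))
    return out

def stage_reached(t):  # highest stage of the chain the evidence supports (stages as numbered above)
    if t["mailbox_access"] or t["forwarding"]:
        return "stage 3: mailbox read or forwarding configured, assume data exposure"
    if t["consents"] and t["logins"]:
        return "stage 2: app consented and a sign-in completed, review mailbox logs"
    if t["consents"]:
        return "stage 1: app consented, no completed sign-in or mailbox access observed"
    return "no OAuth consent activity in scope"

def rec(op, **fields):  # builds one constructed AuditData-style record
    return {"CreationTime": "2024-01-10T08:00:00Z", "UserId": "user@example.com", "Operation": op, **fields}

SAMPLE = [  # constructed records; every value here is invented
    rec("Consent to application.", ResultStatus="Success", Target=[{"Type": 1, "ID": "PerfectData Software"}]),
    rec("Consent to application.", ResultStatus="Failure", Target=[{"Type": 1, "ID": "Newsletter Software Supermailer"}]),
    rec("UserLoginFailed", LogonError="UserStrongAuthClientAuthNRequiredInterrupt", ClientIP="203.0.113.10"),
    rec("UserLoginFailed", LogonError="UserStrongAuthClientAuthNRequired", ClientIP="203.0.113.10"),
    rec("Set-InboxRule", Parameters=[{"Name": "Name", "Value": "Sort"}, {"Name": "MarkAsRead", "Value": "True"}]),
]
```

Running `stage_reached(triage(SAMPLE))` on these records reproduces the case study's finding: one consent granted, one blocked, two MFA-interrupted sign-ins, and no forwarding or mailbox access.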

Lessons Learned

MFA Saved the Day

Multi-factor authentication prevented the attacker from successfully exporting mailbox data even after the malicious app was installed.

OAuth App Control

Restricting user consent for OAuth apps to admin-only prevents users from inadvertently granting access to malicious applications.

Quick Response Matters

Rapid detection and response prevented the attack from progressing to the BEC (Business Email Compromise) phase.

Document Everything

Detailed incident documentation enables better future response and helps identify patterns across incidents.

Reference

For more information about this attack pattern, see:

Darktrace: PerfectData Software Abuse Analysis