The App Trap: How One Click Can Expose Your Entire Business

Ever clicked “Approve” just to get something working?

We all have. You’re in a rush, trying to convert a file, access a tool, or sign into something new—and up pops a little window that says:

“This app would like to access your account. Approve to continue.”

And without thinking, you click yes.

But here’s the kicker:
That one click could give a rogue app full access to your email, files, calendar, and more—without ever triggering MFA or showing up in your login history.

🧠 What’s Actually Happening?

These are called OAuth apps (OAuth is short for Open Authorization).
They’re designed to let an app connect to your Microsoft 365 account without ever needing your password. Sounds convenient, right?

But attackers love them.

They build fake apps that look legit—like “Mail Backup” or “PDF Converter”—and trick users into approving them. Once approved, the app gets a token that acts like a backstage pass to your account.

No password. No MFA. No alerts.

🧨 Real-World Scenario: The “Mail Backup” Disaster

We were investigating an incident in which an employee had clicked on a link. As we reviewed the admin portal of the company’s Microsoft 365 tenant, we noticed a tool called “eM Client” had been installed. It looked helpful; it is described as “a desktop email client with full Microsoft Office 365 synchronization.”

But behind the scenes, it was used as a rogue app.

Once approved, it started siphoning emails, contacts, and calendar invites. The attacker didn’t need to log in—they just used the app’s token to access everything silently.

And because it was an enterprise app, it bypassed most security controls.

With eM Client, attackers can:

  • Sync multiple inboxes into one interface—making it easy to monitor several accounts at once
  • Download every email—yes, every single message, including sensitive threads and attachments
  • Mass-send spam or phishing emails—using your domain and reputation
  • Export calendars and contacts—perfect for social engineering and impersonation
  • Create inbox rules—to silently redirect or hide financial transactions, setting the stage for fraud

It’s not just a tool—it’s a launchpad for identity-based attacks.

And the worst part? Most users wouldn’t even know it’s happening.

Why does this matter?
Because once an attacker has access to your inbox, they’re not just reading emails—they’re controlling the narrative. They can impersonate you, manipulate workflows, and intercept deals.

⚠️ Why This Is So Dangerous

  • It’s invisible: OAuth apps don’t show up in login logs.
  • It’s persistent: Tokens can last for weeks or months.
  • It’s hard to revoke: Unless you know where to look, you won’t even know it’s there.
  • It bypasses MFA: Because it’s already “approved.”
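The app’s later use of its token is not an interactive sign-in, but the moment of approval is written to the tenant’s Entra ID audit log as a “Consent to application” event, so that is where to look first. The function below is an added example, not code from the original post; it assumes Microsoft Graph PowerShell (the Microsoft.Graph.Reports module) and an account that can read audit logs, and the two property names it reads from the consent entry (ConsentContext.IsAdminConsent and ConsentAction.Permissions) are assumptions to verify against a sample entry in your own tenant.

```powershell
# Added example (not part of the original post): list the last N days of
# "Consent to application" events from the Entra ID audit log, showing which
# user approved which app and with what permissions.
# Assumes: Microsoft.Graph.Reports module installed; signed-in account holds
# AuditLog.Read.All and Directory.Read.All. The ModifiedProperties names below
# are the ones Entra writes for consent entries (assumption: check one entry
# in your tenant if the AdminConsent/Permissions columns come back empty).
function Get-RecentAppConsents {
    param([int]$Days = 30)

    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "activityDisplayName eq 'Consent to application' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        $entry  = $_
        $target = $entry.TargetResources | Select-Object -First 1

        # NewValue is JSON-encoded, so strip the surrounding quotes for readability.
        $props = @{}
        foreach ($p in $target.ModifiedProperties) {
            $props[$p.DisplayName] = ($p.NewValue -replace '^"|"$', '')
        }

        [pscustomobject]@{
            When         = $entry.ActivityDateTime
            ApprovedBy   = $entry.InitiatedBy.User.UserPrincipalName
            App          = $target.DisplayName
            AdminConsent = $props["ConsentContext.IsAdminConsent"]
            Permissions  = $props["ConsentAction.Permissions"]
            Result       = $entry.Result
        }
    }
}

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Approvals made by ordinary users (not an admin) are the ones to review first.
Get-RecentAppConsents -Days 30 |
    Where-Object { $_.AdminConsent -ne 'True' } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

Run it once a week, or feed the output into whatever alerting you already have: a consent event for an app nobody in IT recognises, approved by a regular user, is exactly the “Mail Backup” pattern described above.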

🛡️ What You Can Do (Even If You’re Not Technical)

You don’t need to be an IT expert to protect your business. You just need to ask the right questions.

Start here:

“Can anyone in our company approve apps without oversight?”

If the answer is “yes,” it’s time to lock things down.

✅ Quick Fixes You Can Ask For:

  1. Turn off user consent for apps
     • Only allow admins to approve apps.
  2. Require verified publishers
     • Only apps from trusted sources should be allowed.
  3. Enable admin consent workflow
     • Let users request access, but require approval.
  4. Review existing app permissions
     • Audit which apps have access to your environment—and remove anything suspicious.
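For the IT team that gets asked, the four fixes above map onto a permission inventory and two tenant settings in Microsoft Graph PowerShell. The script below is an added example, not code from the original post or from eM Client; it assumes the Microsoft.Graph modules are installed and an administrator account that can be granted the listed scopes, and it uses placeholders (the reviewer address, the grant ID to revoke) that you replace with your own values. The list of “risky” scopes is chosen here to match the mail, contact, calendar and file access the post describes, not a Microsoft-defined list.

```powershell
# Added example (not part of the original post). Assumes Microsoft Graph
# PowerShell (Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns,
# Microsoft.Graph.Users) and an admin account for the scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All",
                        "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest",
                        "User.Read.All"

# Delegated permissions that give an app the reach described in the post:
# read/send mail, change mailbox rules, read contacts and calendars, touch files,
# and keep a refresh token (offline_access) so the access outlives the session.
# This list is a choice made for this example, not an official Microsoft list.
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                 "Contacts.Read", "Calendars.Read", "Files.ReadWrite.All", "offline_access")

# --- Fix 4: review existing app permissions -------------------------------
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

$findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant   = $_
    $client  = $spById[$grant.ClientId]
    $granted = ($grant.Scope -split ' ') | Where-Object { $_ }
    $hits    = $granted | Where-Object { $riskyScopes -contains $_ }
    if ($hits) {
        [pscustomobject]@{
            App         = $client.DisplayName
            AppId       = $client.AppId
            Publisher   = $client.PublisherName
            Verified    = [bool]$client.VerifiedPublisher.VerifiedPublisherId
            ConsentType = $grant.ConsentType   # AllPrincipals = admin consent for everyone; Principal = one user
            UserId      = $grant.PrincipalId
            RiskyScopes = ($hits -join ', ')
            GrantId     = $grant.Id
        }
    }
}
# Unverified publishers with mail/contact/calendar access float to the top.
$findings | Sort-Object Verified, App | Format-Table -AutoSize

# Revoke a grant you have decided is rogue (take GrantId from the table above).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<grant-id-from-table>"

# --- Fix 1: turn off user consent (only admins can approve apps) ----------
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# --- Fix 2 (alternative to Fix 1): allow user consent only for verified
# publishers asking for low-risk permissions, using Microsoft's built-in policy.
# Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
#     -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low") }

# --- Fix 3: admin consent workflow (users request, a reviewer approves) ---
$reviewer = Get-MgUser -UserId "security-admin@contoso.example"   # placeholder account
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true `
    -RemindersEnabled:$true -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })
```

Fix 4 is the one to run first, because turning off user consent stops new approvals but does nothing about the token a rogue app already holds; revoking the grant is what cuts that off. Once user consent is off, Fix 3 keeps the business moving by letting people ask for an app instead of quietly approving it themselves.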

🧠 Analogy Time: OAuth Apps = Master Keys

Think of OAuth apps like master keys.
When you approve one, you’re handing over a key to your digital office.

Would you give a stranger a master key to your building?
No way.

So why let unknown apps roam freely in your Microsoft 365 environment?

🚀 Coming Up Next…

In the next post, we’ll talk about Copilot—Microsoft’s new AI assistant—and why it’s only as smart (and safe) as your data permissions. If Copilot can see it, so can anyone with access.

👣 Your Action Step Today

✅ Ask your IT team:
“Have we disabled user consent for apps and enabled admin approval?”

If they haven’t, don’t panic. You’re ahead of the curve just by asking.

Want help reviewing your app permissions?
We’ll walk through it with you—no jargon, no judgment, just clarity.