
The MSP Security Gap
The app had access to everything. Nobody approved it.
The scenario:
A marketing assistant clicked "Allow" on what looked like a meeting scheduler. It asked for calendar access. And email access. And contacts. And files.
She didn’t read the permissions. Nobody does. The app was a data harvester disguised as productivity software. Within 30 minutes, it had copied 18 months of email correspondence and every shared document in her OneDrive.
The attack:
STAGE 1: SOCIAL ENGINEERING
Attacker creates a professional-looking OAuth application named "MeetSync Pro."
Registers it with permissions: Mail.Read, Files.Read.All, Contacts.Read.
Sends a phishing email disguised as a meeting invite with a "Connect your calendar" button.
STAGE 2: CONSENT PHISHING
Target clicks the button and sees a Microsoft OAuth consent screen.
The consent screen is real (Microsoft-hosted). The app behind it is malicious.
Target clicks "Accept" without reviewing the permission list.
App now has persistent API access to her mailbox, files, and contacts.
STAGE 3: DATA EXFILTRATION
App uses Graph API to download all email from the past 18 months.
Copies all OneDrive documents including shared team files.
Harvests the contact list to target additional employees.
Access persists even if the user changes their password.
STAGE 4: LATERAL EXPANSION
Sends similar consent requests to contacts harvested from the first account.
5 additional employees grant consent within 48 hours.
Combined access covers finance, operations, and executive mailboxes.
Total data exfiltration: 14GB across 6 accounts.
What stopped it:
A security review of OAuth application grants revealed an unrecognised app with broad permissions across multiple accounts. Revoking the app’s tokens immediately cut off access.
How to defend against it:
Restrict OAuth app consent to admin-approved apps only
Review third-party app permissions monthly across all tenants
Block user consent for apps requesting Mail.Read or Files.Read.All
Enable alerts for new OAuth app grants in your SIEM
Train staff: "Allow" on a consent screen is as dangerous as entering a password
Audit existing OAuth grants and revoke anything unrecognised
Implement app governance policies in Microsoft Entra
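As an added example, not part of the original article, here is a small detector that turns the "alert on new OAuth app grants in your SIEM" recommendation into code: it scans Entra audit log records for "Consent to application" events and flags any app outside an admin allow-list that was granted Mail.Read, Files.Read.All or Contacts.Read. The record layout and the "ConsentAction.Permissions" property name are assumptions modelled on the Entra audit log export; the allow-list, app names and user names are constructed.

```python
import json
import re

# Scopes the article singles out as too dangerous for end-user consent.
HIGH_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Contacts.Read"}
# Hypothetical admin-approved allow-list; anything else counts as "unrecognised".
APPROVED_APPS = {"Contoso Helpdesk"}

# Constructed sample, modelled on the Entra "Consent to application" audit event
# (assumed layout): the granted scopes sit inside a ConsentAction.Permissions property.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "assistant@example.com"}},
     "targetResources": [{"displayName": "MeetSync Pro", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[[Id: a1, ConsentType: Principal, Scope: Mail.Read Files.Read.All Contacts.Read]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"displayName": "Contoso Helpdesk", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[[Id: b2, ConsentType: AllPrincipals, Scope: User.Read]]"}]}]},
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": []},
])

# "Scope: Mail.Read Files.Read.All" up to the next comma or closing bracket.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def granted_scopes(record):
    """Collect the space-separated scopes from a consent record's modified properties."""
    scopes = set()
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                match = SCOPE_RE.search(prop.get("newValue", ""))
                if match:
                    scopes.update(match.group(1).split())
    return scopes


def find_risky_consents(audit_log_json):
    """Return one alert per consent to a non-approved app that includes a high-risk scope."""
    alerts = []
    for rec in json.loads(audit_log_json):
        if rec.get("activityDisplayName") != "Consent to application" or not rec.get("targetResources"):
            continue
        app = rec["targetResources"][0].get("displayName", "<unknown>")
        risky = granted_scopes(rec) & HIGH_RISK_SCOPES
        if app not in APPROVED_APPS and risky:
            user = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
            alerts.append({"app": app, "user": user, "scopes": sorted(risky)})
    return alerts
```

The same filter works on a live export once the consent-event shape is confirmed against your tenant's audit log; the allow-list is the part worth maintaining per tenant.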
The consent screen was real. The app behind it wasn’t. Your users can’t tell the difference.
Review your OAuth grants this week.