High Severity

Suspicious Office 365 app authorization (OAuth) link

Labels

Description

Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.

References

https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset

Sublime Security

Created Aug 17th, 2023 • Last updated Feb 4th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        .href_url.domain.domain == 'login.microsoftonline.com'
        and (
          strings.ilike(.href_url.query_params,
                        '*offline_access*',
                        '*.readwrite*',
                        '*.read*',
                        '*ctx=*'
          )
          or (
            strings.icontains(.href_url.path, '/common/reprocess')
            and strings.icontains(.href_url.query_params, 'ctx=')
            and strings.icontains(.href_url.query_params, 'sessionId=')
          )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.