Microsoft 365 : Malicious Application Consent - PerfectData
submitted
D
Devon Chorney
This application has actively been used during account compromises to create a backup of the accounts mailbox.Create an actionable alert for this and audit all environments.
ServicePrincipals[?appId== , [join( , [ , to_string(appDisplayName)]), join( , [
ff8d92dc-3d82-41d6-bcbd-b9174d163620
].join( :
, to_string(createdDateTime)])])T
Todd Smith
Thank you! This helped us proactively find 18 tenants and over 30 individual user accounts that were compromised.Highly recommend using this Metric and building Actionalble Alert!