Bad actors are always searching for new methods of attack, which makes it our job to stay two steps ahead of them. Adaptive Shield security researchers have discovered a new attack vector that stems from a vulnerability within Microsoft’s OAuth application registration. Through this vulnerability, an attacker can use Exchange’s legacy API to create hidden forwarding rules in Microsoft 365 mailboxes.
Third-party app access combined with hidden forwarding rules creates a sort of SaaS rootkit.
An attack through these hidden forwarding rules should not be mistaken for a one-off; rather, it marks the start of a new attack method through SaaS apps.