Updated: April 29, 2024

  Analyst Report

Investigating OAuth Applications Requires E5


By Wes Miller

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies. Before joining Directions on Microsoft, Wes...

  • Bad actors are increasingly using OAuth-based applications to attack Microsoft 365 customers, perform malicious actions, and move laterally after a breach occurs.
  • Organizations must invest time in logging, hunting, and removing rogue applications to minimize damage.
  • OAuth logging and hunting features from Microsoft require tenant-wide licensing for Microsoft 365 E5, leaving customers unprotected if they are unwilling or unable to pay to license E5.

Attackers are increasingly using OAuth-based applications to phish users in order to use the application as a gateway for furthering a breach. Recently, OAuth was a key component used by Midnight Blizzard to attack Microsoft. This attack, initially detected in Jan. 2024, allowed the attackers to access Microsoft source code, read e-mails, and in some cases, reveal customer data. Microsoft provides tools to monitor OAuth applications and investigate (“hunt”) suspicious behavior of OAuth-based applications. However, these security tools require licensing Microsoft 365 E5, which could raise costs substantially. Some of the tools are also not yet available to all organizations, including U.S. government agencies and contractors.
