Investigating OAuth Applications Requires E5

• Bad actors are increasingly using OAuth-based applications to attack Microsoft 365 customers, perform malicious actions, and move laterally after a breach occurs.
• Organizations must invest time in logging, hunting, and removing rogue applications to minimize damage.
• OAuth logging and hunting features from Microsoft require tenant-wide licensing for Microsoft 365 E5, leaving customers unprotected if they are unwilling or unable to pay to license E5.

Attackers are increasingly using OAuth-based applications to phish users in order to use the application as a gateway for furthering a breach. Recently, OAuth was a key component used by Midnight Blizzard to attack Microsoft. This attack, initially detected in Jan. 2024, allowed the attackers to access Microsoft source code, read e-mails, and in some cases, reveal customer data. Microsoft provides tools to monitor OAuth applications and investigate (“hunt”) suspicious behavior of OAuth-based applications. However, these security tools require licensing Microsoft 365 E5, which could raise costs substantially. Some of the tools are also not yet available to all organizations, including U.S. government agencies and contractors.