The Long-Lived Risk of Malicious OAuth Applications: A Practical Threat Hunting Guide for M365
ID: ad42b224-4abb-59c9-a7ec-17994415665b
STIX ID: report--ad42b224-4abb-59c9-a7ec-17994415665b
Feed Name: Cyera Research Labs
This report details investigations into malicious Microsoft 365 applications that abused OAuth consent and application identities to persist undetected across customer tenants for years, enabling data access, large-scale exposure of sensitive records, and phishing/MFA-bypass activity. It documents known campaigns and homoglyph/impersonation techniques, lists IOCs, and provides metadata-first hunting and remediation guidance.
