MaliciousOauthAppDetections.json
{
"applications": [
{
"name": "PerfectData Software",
"description": "Exports mailboxes for backup purposes",
"categories": ["Mailbox exfiltration"],
"appid": "ff8d92dc-3d82-41d6-bcbd-b9174d163620",
"Permissions": [],
"References": ["https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/", "https://darktrace.com/blog/how-abuse-of-perfectdata-software-may-create-a-perfect-storm-an-emerging-trend-in-account-takeovers", "https://www.secureworks.com/blog/qr-phishing-leads-to-microsoft-365-account-compromise"]
},
{
"name": "Newsletter Software Supermailer",
"description": "",
"categories": ["phishing"],
"appid": "a245e8c0-b53c-4b67-9b45-751d1dff8e6b",
"Permissions": [],
"References": ["https://www.huntress.com/blog/legitimate-apps-as-traitorware-for-persistent-microsoft-365-compromise"]
},
{
"name": "rclone",
"description": "",
"categories": ["Data exfiltration", "Sharepoint/OneDrive exfiltration"],
"appid": "4761b959-9780-4c2d-87a3-512b4638f767",
"Permissions": [],
"References": ["https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone"]
},
{
"name": "eM Client",
"description": "eM Client is a desktop email client with full Microsoft Office 365 synchronization.",
"categories": ["Mailbox exfiltration"],
"appid": "e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd",
"Permissions": [],
"References": ["https://www.huntress.com/blog/legitimate-apps-as-traitorware-for-persistent-microsoft-365-compromise", "https://cybercorner.tech/malicious-usage-of-em-client-in-business-email-compromise/"]
},
{
"name": "CloudSponge",
"description": "CloudSponge is a software-as-a-service product that imports all the major address books. Most websites use our product so that their users don’t have to type email addresses into their referral forms when they want to send an invitation, greeting card or coupon to someone they know.",
"categories": ["Address book exfiltration"],
"appid": "a43e5392-f48b-46a4-a0f1-098b5eeb4757",
"Permissions": [],
"References": []
},
{
"name": "Zoominfo Login",
"description": "",
"categories": ["Address book exfiltration"],
"appid": "858d7e42-35f0-44b7-9033-df309239a47f",
"Permissions": [],
"References": []
},
{
"name": "SigParser",
"description": "SigParser securely scans emails, calendars, address books, spreadsheets, and more to automatically generate profiles on the people and companies who have interacted with your business.",
"categories": ["Address book exfiltration"],
"appid": "",
"Permissions": [],
"References": ["https://sigparser.com/"]
},
{
"name": "Fastmail",
"description": "",
"categories": ["Mailbox exfiltration"],
"appid": "77468577-4f6e-40e7-b745-11d3d0c28095",
"Permissions": [],
"References": ["https://x.com/mwaski88/status/1775904383382802502"]
}
]
}