Suspicious O Auth Applications Used To Retrieve And Send Emails
Query
// Suspicious OAuth applications used to retrieve and send emails
// https://security.microsoft.com/threatanalytics3/ba008625-320a-4c71-b996-977049575144/analystreport
let MonitoredScope = dynamic(["Files.ReadWrite","IMAP.AccessAsUser.All","Mail.Read","Mail.ReadBasic","Mail.ReadWrite","Mail.Send","POP.AccessAsUser.All","SMTP.Send","User.Read"]);
OAuthAppInfo
| where AddedOnTime > ago(1h)
| where AppOrigin == "External"
| where VerifiedPublisher == "{}"
| where Permissions has_any(MonitoredScope)Explanation
This query is designed to identify potentially suspicious OAuth applications that have recently been added and might be used to access or manipulate emails. Here's a simple breakdown of what the query does:
-
Monitored Permissions: It defines a list of specific permissions related to email access and user data that are considered sensitive or potentially risky.
-
Data Source: It looks at the
OAuthAppInfotable, which contains information about OAuth applications. -
Time Filter: It filters for applications that were added within the last hour.
-
Application Origin: It only considers applications that originate externally, meaning they are not from within the organization.
-
Publisher Verification: It checks for applications that do not have a verified publisher, which could indicate a higher risk.
-
Permission Check: Finally, it filters for applications that request any of the permissions from the predefined list, as these permissions could be used to read, write, or send emails.
Overall, the query aims to flag new, unverified external applications with certain permissions that could be used for malicious activities involving email access.
Details

Steven Lim
Released: July 3, 2025
Tables
Keywords
Operators