Event

Event Status: RESOLVED and REMEDIATIONS IN PLACE

To Whom it May Concern,

We completed a full review of a recent email security event affecting two of our users’ mailboxes within our Microsoft 365 environment. This was not a password breach and did not involve unauthorized logins. Instead, the activity came from a third-party email automation tool that gained access through an OAuth permission request, possibly as part of a phishing attack.

Findings

  • A third-party app (SecureMailMerge) obtained delegated mailbox access.
  • No user in our organization recalls intentionally approving it, which aligns with current phishing trends where attackers request app permissions instead of passwords.
  • There were no suspicious login attempts, no foreign IP connections, and no forwarding rules.

Remediation

  • Removed the unauthorized application and revoked all permissions
  • Forced MFA re-enrollment for all accounts
  • Signed out all active sessions across all devices
  • Disabled legacy authentication protocols (IMAP, POP, SMTP Auth)
  • Verified no forwarding or server-level mail rules existed
  • Verified no local email client rules
  • Disabled additional OAuth applications until validated
  • All potential persistence routes have been eliminated

Current Status

  • No evidence of email forwarding or data extraction
  • No active app-based access remains
  • Tenant is stable and protected with MFA and app consent restrictions
  • Continuous monitoring for non-interactive API access is now in place

Conclusion

This was not a credential or system breach, but a permission-based access event. It is now resolved, and enhanced security measures have been taken to prevent recurrence.