[ { "appId": "e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd", "appDisplayName": "eM Client", "appOwnerOrganizationId": "146ecd75-4414-4ecf-ba6d-ea611895da8c", "appPublisherName": "eM Client s.r.o.", "appPublisherId": "5365206", "description": "A robust email client often leveraged by attackers due to its extensive capabilities. eM Client allows attackers to sync multiple inboxes into the same client, download all emails from an inbox, mass mail spam, export calendars and contacts, and create inbox rules to stage financial transaction fraud.", "permissions": [ { "resource": "Microsoft Graph", "permission": "EWS.AccessAsUser.All", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "offline_access", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "email", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "openid", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "IMAP.AccessAsUser.All", "type": "Delegated" } ], "tags": [ "BEC", "email", "spam" ], "references": [ "https://www.emclient.com/", "https://www.huntress.com/blog/legitimate-apps-as-traitorware-for-persistent-microsoft-365-compromise", "https://cybercorner.tech/malicious-usage-of-em-client-in-business-email-compromise/" ], "mitreTTP": [], "contributors": [ "Huntress Research Team", "sfaxluke" ], "dateAdded": "2024-08-05" }, { "appId": "ff8d92dc-3d82-41d6-bcbd-b9174d163620", "appDisplayName": "PerfectData Software", "appOwnerOrganizationId": "unknown", "appPublisherName": "PerfectData Software Ltd.", "appPublisherId": "unknown", "description": "An application that can export mailboxes for backup purposes. Used maliciously to exfiltrate data and stage financial fraud transactions.", "permissions": [ { "resource": "Microsoft Graph", "permission": "offline_access", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "profile", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "User.Read", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "openid", "type": "Delegated" }, { "resource": "Microsoft Exchange", "permission": "EWS.AccessAsUser.All", "type": "Delegated" } ], "tags": [ "exfiltration", "BEC", "backup" ], "references": [ "https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/", "https://darktrace.com/blog/how-abuse-of-perfectdata-software-may-create-a-perfect-storm-an-emerging-trend-in-account-takeovers", "https://www.secureworks.com/blog/qr-phishing-leads-to-microsoft-365-account-compromise", "https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json" ], "mitreTTP": [], "contributors": [ "Huntress Research Team", "randomaccess3" ], "dateAdded": "2024-08-14" }, { "appId": "a245e8c0-b53c-4b67-9b45-751d1dff8e6b", "appDisplayName": "Newsletter Software Supermailer", "appOwnerOrganizationId": "unknown", "appPublisherName": "unknown", "appPublisherId": "unknown", "description": "Software used for email mass mailing, often abused to send phishing emails. Requires administrator consent to use with Microsoft365, which then allows the application to send from any mailbox within the tenant.", "permissions": [ { "resource": "Microsoft Graph", "permission": "Contacts.Read", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Mail.Read", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Mail.Send", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "offline_access", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Mail.Read", "type": "Application" }, { "resource": "Microsoft Graph", "permission": "Mail.Send", "type": "Application" }, { "resource": "Microsoft Graph", "permission": "Contacts.Read", "type": "Application" } ], "tags": [ "BEC", "spam", "phishing" ], "references": [ "https://int.supermailer.de/", "https://www.darkreading.com/endpoint-security/supermailer-abuse-email-security-super-sized-credential-theft", "https://trustifi.com/blog/what-is-a-supermailer-email-phishing-attack/", "https://darktrace.com/blog/business-email-compromise-to-mass-phishing-campaign-attack-analysis", "https://www.linkedin.com/posts/damien-miller-mcandrews_businessemailcompromise-activity-7231350791607881732-UAWJ?utm_source=share&utm_medium=member_desktop" ], "mitreTTP": [ "T1583.006", "T1566", "T1588.002", "T1657" ], "contributors": [ "Syne0" ], "dateAdded": "2024-08-23" }, { "appId": "b15665d9-eda6-4092-8539-0eec376afd59", "appDisplayName": "rclone", "appOwnerOrganizationId": "unknown", "appPublisherName": "unknown", "appPublisherId": "unknown", "description": "Rclone is a command-line program to manage files on cloud storage. It allows the user to download all files the user account can access within OneDrive and SharePoint.", "permissions": [ { "resource": "Microsoft Graph", "permission": "Files.Read", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Files.ReadWrite", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Files.Read.All", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Files.ReadWrite.All", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Sites.Read.All", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Files.ReadWrite", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "offline_access", "type": "Delegated" } ], "tags": [ "exfiltration", "BEC" ], "references": [ "https://attack.mitre.org/software/S1040/", "https://rclone.org/onedrive/", "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json" ], "mitreTTP": [ "T1567", "T1083", "T1048" ], "contributors": [ "Syne0", "randomaccess3" ], "dateAdded": "2024-09-05" }, { "appId": "a43e5392-f48b-46a4-a0f1-098b5eeb4757", "appDisplayName": "CloudSponge", "appOwnerOrganizationId": "unknown", "appPublisherName": "unknown", "appPublisherId": "unknown", "description": "CloudSponge allows you to export all contacts from an inbox. These contacts can be used as targets for phishing emails, allowing an email compromise campaign to spread more.", "permissions": [ { "resource": "Microsoft Graph", "permission": "openid", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "profile", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Contacts.Read", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "People.Read", "type": "Delegated" } ], "tags": [ "exfiltration", "BEC", "AddressBook" ], "references": [ "https://www.exportmycontacts.com", "https://cybercorner.tech/common-oauth-apps-used-in-business-email-compromise/#cloudsponge", "https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json" ], "mitreTTP": [ "T1567" ], "contributors": [ "Syne0", "randomaccess3" ], "dateAdded": "2024-09-29" }, { "appId": "caffae8c-0882-4c81-9a27-d1803af53a40", "appDisplayName": "SigParser", "appOwnerOrganizationId": "28300cff-466f-4374-a59a-f3e5a6fc2c56", "appPublisherName": "unknown", "appPublisherId": "unknown", "description": "SigParser is used to exfiltrate contacts and recipients from an account's address list, calendars, and email, allowing malicious email such as spam or phishing to easily target relevant recipients.", "permissions": [ { "resource": "Microsoft Graph", "permission": "Calendars.Read.Shared", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Contacts.ReadWrite.Shared", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "Mail.Read.Shared", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "User.ReadBasic.All", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": "offline_access", "type": "Delegated" }, { "resource": "Microsoft Graph", "permission": " User.Read", "type": "Delegated" } ], "tags": [ "collecion", "exfiltration", "phishing", "BEC" ], "references": [ "https://cybercorner.tech/common-oauth-apps-used-in-business-email-compromise/#SigParser", "https://support.sigparser.com/en/articles/8844405-i-think-someone-hacked-my-mailbox-can-you-delete-my-account", "https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json" ], "mitreTTP": [ "T1530", "T1567", "T1087.003" ], "contributors": [ "Syne0", "randomaccess3" ], "dateAdded": "2025-3-24" } ]