TL;DR: Microsoft 365 environments can still be abused through OAuth consent and legacy protocols even when MFA, passwords, and standard identity controls are enabled, according to Abnormal AI. The real issue is control coverage and behavioral drift, not the absence of security features.
NHIMG editorial — based on content published by Abnormal AI: Microsoft 365 identity blind spots, OAuth consent abuse, and legacy authentication bypass
Questions worth separating out
Q: How should security teams handle OAuth consent risk in Microsoft 365?
A: Treat a user-consented application grant as standing access, not a one-time sign-in event. Once the user clicks Accept, the app holds a refresh token and keeps acting on that user's behalf, with no further password or MFA prompt, until the grant is revoked or the app's tokens are invalidated.
Q: Why do legacy authentication protocols create risk after MFA is enabled?
A: Legacy (basic) authentication protocols such as IMAP, POP and authenticated SMTP accept a username and password with no MFA challenge, so a phished or sprayed password is sufficient on its own. They do not defeat MFA; they sit on a sign-in path that MFA enforcement never sees, unless Conditional Access or an Exchange Online authentication policy blocks those clients outright.
Q: What do security teams get wrong about Microsoft 365 configuration drift?
A: They assume a design that was secure at rollout stays secure as the environment evolves. New apps get consented, protocols get re-enabled for an exception, integrations get added, and nobody re-checks which access paths the original controls actually cover.
Practitioner guidance
- Inventory every delegated OAuth grant: review all user-consented applications, classify them by the scopes granted and by the age of the consent, and remove grants that no longer match an active business need.
- Disable or isolate legacy authentication paths: identify IMAP, POP, SMTP AUTH and any other password-only protocol still enabled in Microsoft 365, then remove them or constrain them to tightly governed, documented exceptions.
- Validate policy coverage against live access routes: compare the documented identity policy with the protocols actually being used, the application grants actually present, and the third-party integrations actually connected. Sign-in and audit logs, not the policy document, are the ground truth.
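The three steps above, worked through as one PowerShell session. This is an added example written for this editorial; it is not Abnormal AI's tooling or any Microsoft reference script. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an account that can read delegated grants, directory audit and sign-in logs and write Conditional Access policies, and that `-WhatIf` is removed only after each report has been reviewed. The `$riskyScopes` list and the break-glass group id are illustrative placeholders.

```powershell
# Added example (NHIMG editorial), not Abnormal AI's code. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; $riskyScopes and the group id below are placeholders.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.ReadWrite.All",
                        "AuditLog.Read.All","Policy.ReadWrite.ConditionalAccess"
Connect-ExchangeOnline

# --- 1. Inventory user-consented (delegated) grants, classified by scope and age ---
$riskyScopes = @("Mail.Read","Mail.ReadWrite","Mail.Send","MailboxSettings.ReadWrite",
                 "Files.ReadWrite.All","Sites.ReadWrite.All","offline_access")   # assumption: tune per tenant
# Graph stamps no creation time on the grant object itself, so take consent age from the audit log
$consents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application'"
$spCache  = @{}
$grants   = Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal'   # user consent, not admin
$report = foreach ($g in $grants) {
    if (-not $spCache.ContainsKey($g.ClientId)) { $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId }
    $sp   = $spCache[$g.ClientId]
    $last = $consents | Where-Object { $_.TargetResources.Id -contains $sp.Id } |
            Sort-Object ActivityDateTime -Descending | Select-Object -First 1
    $age  = if ($last) { [int]((Get-Date) - $last.ActivityDateTime).TotalDays } else { $null }
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        VerifiedPub = [bool]$sp.VerifiedPublisher.DisplayName
        UserId      = $g.PrincipalId
        RiskyScopes = (($g.Scope.Trim() -split '\s+') | Where-Object { $_ -in $riskyScopes }) -join ' '
        AgeDays     = $age
        GrantId     = $g.Id
    }
}
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
# Remove the grant AND revoke the user's sessions: deleting the grant stops new token issuance,
# revoking sessions kills outstanding refresh tokens; already-issued access tokens live until expiry.
$report | Where-Object { $_.RiskyScopes -and $_.AgeDays -gt 365 } | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.GrantId -WhatIf
    Revoke-MgUserSignInSession -UserId $_.UserId -WhatIf
}

# --- 2. Find and close password-only protocol paths in Exchange Online ---
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled   # $false = SMTP AUTH (basic) still on tenant-wide
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false -WhatIf
Set-TransportConfig -SmtpClientAuthenticationDisabled $true -WhatIf
New-AuthenticationPolicy -Name "Block Basic Auth"                       # every AllowBasicAuth* flag defaults to $false
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"  # exceptions: a separate policy via Set-User -AuthenticationPolicy

# --- 3. Conditional Access: block legacy clients at the identity layer, report-only first ---
$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-object-id>") }  # placeholder
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")   # "other" = legacy auth clients (IMAP, POP, SMTP, old Office)
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 4. Validate against live traffic: legacy sign-ins in the last 7 days are the coverage gap ---
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = @("IMAP4","POP3","Authenticated SMTP","Exchange ActiveSync","Other clients")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacy } |
    Group-Object UserPrincipalName, ClientAppUsed | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run step 4 before and after steps 2 and 3: a user or service account that still shows up under IMAP4, POP3 or Authenticated SMTP after the policy is enforced is either an exception you have not documented or a path the policy does not cover. Step 1's revocation filter (risky scopes older than a year) is deliberately narrow; widen it only once app owners have confirmed which grants are still needed.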
What's in the full article
Abnormal AI's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step analysis of the Microsoft Teams OAuth consent attack path and token persistence mechanics
- Specific examples of how IMAP and POP bypass modern MFA enforcement in Microsoft 365
- Behavioral detection logic for spotting legitimate-looking access that is still abnormal
- Practical guidance on closing environment drift across identity, email, and collaboration settings
👉 Read Abnormal AI's analysis of Microsoft 365 OAuth consent and legacy auth blind spots →
Microsoft 365 blind spots: are your controls keeping up?
Explore further
The Microsoft 365 failures described here are coverage failures, not control failures. MFA, identity protection, and policy enforcement can all be present and still leave room for compromise if consented tokens or legacy protocols sit outside the effective control boundary. The question is therefore not whether the stack exists, but whether every access path is actually governed. Practitioners should audit for control completeness rather than control count.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 15% of organisations (1.5 in 10) are highly confident in their ability to secure NHIs, compared with nearly 25% (1 in 4) for securing human identities.
A question worth separating out:
Q: How do teams decide whether behavioral analysis is necessary alongside policy controls?
A: Use behavioral analysis when policy can say an action is allowed but cannot tell whether it is normal. If consented apps, mailbox actions, or API calls can look legitimate while still supporting attacker persistence, behavior context becomes essential. Policy answers permission, behaviour answers expectation.
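To make the permission-versus-expectation distinction concrete, here is an added example written for this editorial; it is not Abnormal AI's detection logic. It scores mailbox access by a consented app against that app's own recent baseline for the same user, so an app that is fully authorised by policy is still flagged when its volume or access pattern changes. The records are constructed to mimic the fields of MailItemsAccessed events from the unified audit log (`UserId`, `AppId`, `MailAccessType`, `OperationCount`); the 14-day window, the 5x ratio and the 200-operation floor are illustrative thresholds, not a vendor or Microsoft recommendation.

```powershell
# Added example (NHIMG editorial), not Abnormal AI's or Microsoft's detection logic.
# Constructed input shaped like MailItemsAccessed audit records; thresholds are illustrative.
$records = foreach ($d in 1..14) {
    # two weeks of the consented app doing what it was consented for: a small daily read of alice's mailbox
    [pscustomobject]@{ CreationDate = (Get-Date "2024-05-01").AddDays($d - 1); UserId = "alice@contoso.example"
                       AppId = "11111111-1111-1111-1111-111111111111"; MailAccessType = "Bind"; OperationCount = 25 }
}
# day 15: same app, same consent, but a full-mailbox sync; plus a second app alice consented to that day
$records += [pscustomobject]@{ CreationDate = Get-Date "2024-05-15"; UserId = "alice@contoso.example"
                               AppId = "11111111-1111-1111-1111-111111111111"; MailAccessType = "Sync"; OperationCount = 1800 }
$records += [pscustomobject]@{ CreationDate = Get-Date "2024-05-15"; UserId = "alice@contoso.example"
                               AppId = "22222222-2222-2222-2222-222222222222"; MailAccessType = "Bind"; OperationCount = 400 }

function Find-AbnormalMailAccess {
    param([object[]]$Events, [int]$BaselineDays = 14, [double]$Ratio = 5, [int]$Floor = 200)
    # compare the most recent day against the preceding baseline window, per user and app
    $latest   = ($Events | Sort-Object CreationDate -Descending | Select-Object -First 1).CreationDate.Date
    $baseline = $Events | Where-Object { $_.CreationDate.Date -lt $latest -and $_.CreationDate.Date -ge $latest.AddDays(-$BaselineDays) }
    $today    = $Events | Where-Object { $_.CreationDate.Date -eq $latest }
    foreach ($grp in ($today | Group-Object UserId, AppId)) {
        $user, $app = $grp.Group[0].UserId, $grp.Group[0].AppId
        $hist      = $baseline | Where-Object { $_.UserId -eq $user -and $_.AppId -eq $app }
        $todayOps  = ($grp.Group | Measure-Object OperationCount -Sum).Sum
        $histDaily = if ($hist) { ($hist | Measure-Object OperationCount -Sum).Sum / $BaselineDays } else { 0 }
        $histTypes = $hist.MailAccessType | Sort-Object -Unique
        $newTypes  = $grp.Group.MailAccessType | Where-Object { $_ -notin $histTypes }
        $reasons = @()
        if (-not $hist) { $reasons += "app never seen for this user in the baseline window" }
        if ($todayOps -ge $Floor -and $todayOps -gt $Ratio * $histDaily) { $reasons += "volume $todayOps vs ~$([int]$histDaily)/day" }
        if ($hist -and $newTypes) { $reasons += "new access type: $($newTypes -join ',')" }
        if ($reasons) { [pscustomobject]@{ UserId = $user; AppId = $app; Reasons = $reasons -join '; ' } }
    }
}
Find-AbnormalMailAccess -Events $records | Format-List
```

Both day-15 records are permitted by policy (the user consented), and both are flagged: the first app because a Bind-only reader suddenly performs a 1800-operation Sync, the second because it has no history for this user at all and exceeds the floor on its first day. In production the input would come from `Search-UnifiedAuditLog -Operations MailItemsAccessed`, with the per-app baseline persisted between runs rather than rebuilt from the same query.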
👉 Read our full editorial: Microsoft 365 blind spots expose OAuth consent and legacy auth risk