This resource will be periodically updated as new findings occur.

Malicious OAuth Applications

| Application Name | Application ID | Comments |
|---|---|---|
| PERFECTDATA SOFTWARE | ff8d92dc-3d82-41d6-bcbd-b9174d163620 | Backup/Export mailboxes. UAL does not show items synced. |
| eM Client | e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd | Email client with full synchronisation capabilities. UAL typically shows items synced identified by ‘MailItemsAccessed’ events. |
| Edison Mail | 62db40a4-2c7e-4373-a609-eda138798962 | Email client with full synchronisation capabilities. UAL typically shows items synced identified by ‘MailItemsAccessed’ events. |
| Newsletter Software Supermailer | a245e8c0-b53c-4b67-9b45-751d1dff8e6b | Bulk email sending software. |
| Rclone | 4761b959-9780-4c2d-87a3-512b4638f767 | Manage files within M365. |
| CloudSponge | a43e5392-f48b-46a4-a0f1-098b5eeb4757 | Address book exfiltration |
| Zoominfo Login | 858d7e42-35f0-44b7-9033-df309239a47f | Address book exfiltration |
| ZoomInfo Communitiez Login | 497ac034-5120-4c1a-929a-0351f5c09918 | Address book exfiltration |
| SigParser | caffae8c-0882-4c81-9a27-d1803af53a40 | Address book exfiltration |
| Fastmail | 77468577-4f6e-40e7-b745-11d3d0c28095 | Mailbox exfiltration/persistence |
| PostBox | 179d5108-412b-4c95-8e34-06786784ab39 | Email client with full synchronisation capabilities. |
| Spike | 946c777c-bc85-489e-b034-392389ae23d6 | Mailbox exfiltration/persistence |

Suspicious Microsoft 365 Applications (During BEC Investigations)

| Application Name | Application ID | Comments |
|---|---|---|
| My Profile | 8c59ead7-d703-4a27-9e55-c96a0054c8d2 | Initial application before modifying MFA configuration. (To navigate to My Signins) |
| My Signins | 19db86c3-b2b9-44cc-b339-36da233a3be2 | Modifying MFA configuration |
| Microsoft Account Controls V2 | 7eadcef8-456d-4611-9480-4fff72b8b9e2 | Modifying MFA configuration |
| Microsoft Edge | ecd6b820-32c2-49b6-98a6-444530e5a77a, f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34, e9c51622-460d-4d3d-952d-966a5b1da34c | Synchronizing Saved Passwords in Microsoft Wallet |
| Microsoft Outlook | 5d661950-3475-41cd-a2c3-d671a3162bc1 | Mailbox exfiltration (if used by an attacker) |
| Outlook Lite | e9b154d0-7658-433b-bb25-6b8e0a8a7c59 | Mailbox exfiltration (if used by an attacker) |
| Outlook Mobile | 27922004-5251-4030-b22d-91ecd9a37ea4 | Mailbox exfiltration (if used by an attacker) |

Other Microsoft 365 Applications

| Application Name | Application ID | Comments |
|---|---|---|
| AADJ CSP | b90d5b8f-5503-4153-b545-b31cecfaece2 | |
| AADPasswordProtectionProxy | dda27c27-f274-469f-8005-cce10f270009 | |
| Aadrm Admin PowerShell | 90f610bf-206d-4950-b61d-37fa6fd1b224 | |
| Accounts Control UI | a40d7d7d-59aa-447e-a655-679a4107e548 | |
| ACOM Azure Website | 23523755-3a2b-41ca-9315-f81f3f566a95 | |
| ADIbizaUX | 74658136-14ec-4630-ad9b-26e160ff0fc6 | |
| AEM-DualAuth | 69893ee3-dd10-4b1c-832d-4870354be3d8 | |
| Afdx Resource Provider | 92b61450-2139-4e4a-a0cc-898eced7a779 | |
| AI Builder Prod Non God Mode | be5f0473-6b57-40f8-b0a9-b3054b41b99e | |
| App Protection | c6e44401-4d0a-4542-ab22-ecd4c90d28d7 | |
| App Service | 7ab7862c-4c57-491e-8a45-d52a7e023983 | |
| Arc Public Cloud – Networking | 9449a792-6831-40e2-9097-29dbc6dd4753 | |
| Arc Public Cloud – Servers | aacceff9-8ec3-413c-83eb-cb131aaf55c6 | |
| Arc Token Service | d00b5d58-cae5-42ad-ae0a-5a2e6f7ee6c9 | |
| ASM Campaign Servicing | 0cb7b9ec-5336-483b-bc31-b15b5788de71 | |
| AssistAPI | 2b8844d8-6c87-4fce-97a0-fbec9006e140 | |
| Audit Search Api Service | e158eb19-34ac-4d1b-a930-ec92172f7a97 | |
| Azure Active Directory PowerShell | 1b730954-1685-4b74-9bfd-dac224a7b894 | |
| Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | |
| Azure Arc Data Services | bb55177b-a7d9-4939-a257-8ab53a3b2bc6 | |
| Azure Arc Data Services Billing | a12e8ccb-0fcd-46f8-b6a1-b9df7a9d7231 | |
| Azure Data Explorer | 2746ea77-4702-4b45-80ca-3c97e680e8b7 | |
| Azure Data Lake | e9f49c6b-5ce5-44c8-925d-015017e9f7ad | |
| Azure Diagnostics Resource Provider | fd225045-a727-45dc-8caa-77c8eb1b9521 | |
| Azure Guest Container Update Manager | c8f5141d-83e0-4e9a-84d0-bb6677e26f64 | |
| Azure Lab Services Portal | 835b2a73-6e10-4aa5-a979-21dfda45231c | |
| Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | |
| Azure Purview | 73c2949e-da2d-457a-9607-fcc665198967 | |
| Azure Security Insights | 98785600-1bb7-4fb9-b9fa-19afe2c8a360 | |
| Azure SQL Database | 022907d3-0f1b-48f7-badc-1ba6abab6d66 | |
| AzureSupportCenter | 37182072-3c9c-4f6a-a4b3-b3f91cacffce | |
| AzureUpdateCenter | 8c420feb-03df-47cc-8a05-55df0cf3064b | |
| Bing | 9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7 | |
| Business Central to Common Data Service | 88c57617-94ff-4043-a396-8a85a8d38922 | |
| CAP Package Deployer Service | 4c9fc70a-8d18-4528-9113-c6f1318c4d89 | |
| CMAT | 64a7b174-5779-4506-b54c-fbb0d80f1c9b | |
| console-m365d | f18b59c9-5926-4a65-8605-c23ec8c7e074 | |
| Consumption Billing | 12ff570a-8284-47ed-adb3-fcc72b594c36 | |
| ContactsInferencingEmailProcessor | 20a11fe0-faa8-4df5-baf2-f965f8f9972e | |
| CPIM Service | bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4 | |
| CRM Power BI Integration | e64aa8bc-8eb4-40e2-898b-cf261a25954f | |
| Customer Experience Platform CDPA Provisioning PROD | e3cf99e1-a6e5-4284-9f92-261c7713bc54 | |
| Customer Experience Platform CDPA Provisioning TIP | f5223e1a-4d50-4fda-9049-55d819fbb03e | |
| Customer Service Trial PVA | 944861d3-5975-4f8b-afd4-3422c0b1b6ce | |
| Customer Service Trial PVA – readonly | 6abc93dc-978e-48a3-8e54-458e593ed8cf | |
| Dataverse | 00000007-0000-0000-c000-000000000000 | |
| Dataverse Resource Provider | d6101214-691f-47d0-8ea3-dca752e62d71 | |
| Defender for IoT – Management | 3157152d-b5ae-4606-a145-6c660069bc5e | |
| Device Management Client | de50c81f-5f80-4771-b66b-cebd28ccdfc1 | |
| Dynamics 365 collaboration with Microsoft Teams | a8adde6c-aeb4-4fd6-9d8f-c2dfdecac60a | |
| Dynamics 365 Customer Insights – Consent | 9e3b502c-b4a1-441d-98fd-28e482bf7e88 | |
| Dynamics 365 Universal Resource Scheduling | b2b4502c-fedd-4748-8828-09e1eae11d6a | |
| EASM API | b7faa489-a4c8-4b39-bb0c-842c3de2de6a | |
| easmApiDev | 9a751391-6e9f-4199-ad8d-360712a1285c | |
| Enterprise Roaming and Backup | 60c8bde5-3167-4f92-8fdb-059f6176dc0f | |
| EOP Admin API Web Service | 10214c11-ebd3-44e8-af2f-ebcb8a79c569 | |
| Event Hub MSI App | 6201d19e-14fb-4472-a2d6-5634a5c97568 | |
| EventGrid Data API | 823c0a78-5de0-4445-a7f5-c2f42d7dc89b | |
| Exchange Admin Center | 497effe9-df71-4043-a8bb-14cf78c4b63b | |
| Exchange Online | fe93bfe1-7947-460a-a5e0-7a5906b51360 | |
| Exchange Online | a3883eba-fbe9-48bd-9ed3-dca3e0e84250 | |
| Exchange Online | aa813f0e-407a-459d-93af-805f2bf10f33 | |
| Exchange Online | d396de1f-10d4-4023-aae2-5bb3d724ba9a | |
| Exchange Online | 82d8ab62-be52-a567-14ea-1616c4ee06c4 | |
| Exchange Online | 34421fbe-f100-4e5b-9c46-2fea25aa7b88 | |
| Exchange Online | 1150aefc-07de-4228-b2b2-042a536703c0 | |
| FindTime | f5eaa862-7f08-448c-9c4e-f4047d4d4521 | |
| FindTime | 9758a0e2-7861-440f-b467-1823144e5b65 | |
| Focused Inbox | b669c6ea-1adf-453f-b8bc-6d526592b419 | |
| FrontendTransport | b24835c0-6b13-41e7-822c-94c9effb98ee | |
| Funnel and Engagement Data Service | 707aa1ac-be0a-478d-9ce7-0d2765a5c1d6 | |
| Gatekeeper PPE App | 5a8800f2-f31d-4654-9bed-f5b368c703f8 | |
| Gatekeeper Prod App | 5bab4c7f-51c3-479b-a199-06b31afecc8f | |
| Grade Sync | 75cba773-c367-4ba4-8d4f-65f91b68c384 | |
| Group Configuration Processor | 1690c5aa-925a-4d0e-836b-722c795bd0d0 | |
| GroupsRemoteApiRestClient | c35cb2ba-f88b-4d15-aa9d-37bd443522e1 | |
| HxService | d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0 | |
| Hybrid Connectivity RP | e18cedde-9458-482f-9dd1-558c597ac42e | |
| Hybrid RP Application | d2a590e7-6906-4a45-8f41-cecfdca9bca1 | |
| IAM Supportability | a57aca87-cbc0-4f3c-8b9e-dc095fdc8978 | |
| IC3 Modern Effective Config | f6e5c0c2-4746-4152-b162-91309d5556df | |
| IC3 Modern Effective Config Worker | 481115cb-6d15-4cc0-8caf-f2fee7bfbd2b | |
| Intune DeviceCheckIn ConfidentialClient | 4c1a3aed-b389-4824-99b0-514c07906851 | |
| Intune Remote Help | 7e9f2fca-0cd8-4a6c-a1a0-7ffe48aec7c6 | |
| IpLicensingService | 189cf920-d3d8-4133-9145-23adcc6824fa | |
| Iris Provider EOP Web Service | 61c28d8b-814f-4a57-9c7f-8cd0580aead2 | |
| IrisSelectionFrontDoor | 16aeb910-ce68-41d1-9ac3-9e1673ac9575 | |
| K8 Bridge | 319f651f-7ddb-4fc6-9857-7aef9250bd05 | |
| M365 Compliance Drive | cedebc57-38a2-4f0a-8472-dfcbba5b04c6 | |
| M365 Compliance Drive Client | be1918be-3fe3-4be9-b32b-b542fc27f02e | |
| M365 Lighthouse API | 4eaa7769-3cf1-458c-a693-e9827e39cc95 | |
| M365 Lighthouse Service | d9d5c99e-b0b4-4bad-92cc-5a6eb5421985 | |
| make.powerapps.com | a8f7a65c-f5ba-4859-b2d6-df772c264e9d | |
| Managed Service | 66c6d0d1-f2e7-4a18-97a9-ed10f3347016 | |
| MAPG | cc46c2aa-d508-409b-aeb7-df7cd1e07aaa | |
| Marketplace Api | f738ef14-47dc-4564-b53b-45069484ccc7 | |
| Marketplace SaaS v2 | 5b712e99-51a3-41ce-86ff-046e0081c5c0 | |
| MarketplaceAPI ISV | 20e940b3-4c77-4b0b-9a53-9e16a1b010a7 | |
| MCAPI Authorization Prod | d73f4b35-55c9-48c7-8b10-651f6f2acb2e | |
| Medeina Service | bb3d68c2-d09e-4455-94a0-e323996dbaa3 | |
| Medeina Service Dev | 826870f9-9fbb-4f23-81b8-3a957080dfa2 | |
| Medeina Service PPE | c4de86e3-e322-4889-a781-968c76b6b325 | |
| Media Analysis and Transformation Service | 944f0bd1-117b-4b1c-af26-804ed95e767e | |
| Media Analysis and Transformation Service | 0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e | |
| Media Recording for Dynamics 365 Sales | f448d7e5-e313-4f90-a3eb-5dbb3277e4b3 | |
| Meeting Migration Service | 82f45fb0-18b4-4d68-8bed-9e44909e3890 | |
| Membership View Service | f7a2a81e-ab33-4560-a3dd-6ddca3c5ec6d | |
| Message Header Analyzer | 62916641-fc48-44ae-a2a3-163811f1c945 | |
| Message Recall | 0e90d0b8-039a-4936-a6f4-d25dd510be5d | |
| Messaging Bot API Application for GCC | c9475445-9789-4fef-9ec5-cde4a9bcd446 | |
| Microsoft Intune Company Portal | 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | |
| Microsoft 365 Security and Compliance Center | 80ccca67-54bd-44ab-8625-4b79c4dc7775 | |
| Microsoft 365 Support Service | ee272b19-4411-433f-8f28-5c13cb6fd407 | |
| Microsoft 365 Ticketing | 510a5356-1745-4855-93a5-113ea589fb26 | |
| Microsoft Account Controls V2 | 7eadcef8-456d-4611-9480-4fff72b8b9e2 | |
| Microsoft Activity Feed Service | d32c68ad-72d2-4acb-a0c7-46bb2cf93873 | |
| Microsoft Alchemy Service | 91ad134d-5284-4adc-a896-d7fd24e9fa15 | |
| Microsoft App Access Panel | 0000000c-0000-0000-c000-000000000000 | |
| Microsoft Application Command Service | 6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3 | |
| Microsoft Approval Management | 65d91a3d-ab74-42e6-8a2f-0add61688c74 | |
| Microsoft Approval Management | 38049638-cc2c-4cde-abe4-4479d721ed44 | |
| Microsoft Authentication Broker | 29d9ed98-a469-4536-ade2-f981bc1d605e | |
| Microsoft Authenticator App | 4813382a-8fa7-425e-ab75-3b753aab3abb | |
| Microsoft Azure Active Directory Connect | cb1056e2-e479-49de-ae31-7812af012ed8 | |
| Microsoft Azure Authorization Private Link Provider | de926fbf-e23b-41f9-ae15-c943a9cfa630 | |
| Microsoft Azure Authorization Resource Provider | 1dcb1bc7-c721-498e-b2fa-bcddcea44171 | |
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | |
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | |
| Microsoft Bing Default Search Engine | 1786c5ed-9644-47b2-8aa0-7201292175b6 | |
| Microsoft Bing Search | cf36b471-5b44-428c-9ce7-313bf84528de | |
| Microsoft Bing Search for Microsoft Edge | 2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8 | |
| Microsoft Command Service | 19686ca6-5324-4571-a231-77e026b0e06f | |
| Microsoft Community v2 | a81d90ac-aa75-4cf8-b14c-58bf348528fe | |
| Microsoft Defender for Cloud Apps | 3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7 | |
| Microsoft Defender for Cloud Apps – Session Controls | 8a0c2593-9cbc-4f86-a247-beb7aab00d83 | |
| Microsoft Defender for Identity (formerly Radius Aad Syncer) | 60ca1954-583c-4d1f-86de-39d835f3e452 | |
| Microsoft Docs | 18fbca16-2224-45f6-85b0-f7bf2b39b3f3 | |
| Microsoft Dynamics 365 Supply Chain Visibility | d6037e40-282c-493d-8f63-f255e36c6ef4 | |
| Microsoft Dynamics ERP | 00000015-0000-0000-c000-000000000000 | |
| Microsoft Dynamics ERP Microservices CDS | 703e2651-d3fc-48f5-942c-74274233dba8 | |
| Microsoft Edge Enterprise New Tab Page | d7b530a4-7680-4c23-a8bf-c52c121d2e87 | |
| Microsoft Edge Insider Addons Prod | 6253bca8-faf2-4587-8f2f-b056d80998a7 | |
| Microsoft Entra AD Synchronization Service | 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016 | |
| Microsoft Exchange ForwardSync | 99b904fd-a1fe-455c-b86c-2f9fb1da7687 | |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 | |
| Microsoft Exchange Online Remote PowerShell | a0c73c16-a7e3-4564-9a95-2bdf47383716 | |
| Microsoft Exchange ProtectedServiceHost | 51be292c-a17e-4f17-9a7e-4b661fb16dd2 | |
| Microsoft Exchange REST API Based Powershell | fb78d390-0c51-40cd-8e17-fdbfab77341b | |
| Microsoft Exchange Web Services | 47629505-c2b6-4a80-adb1-9b3a3d233b7b | |
| Microsoft Flow Mobile PROD-GCCH-CN | 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0 | |
| Microsoft Forms | c9a559d2-7aab-4f13-a6ed-e7e9c52aec87 | |
| Microsoft Graph | 00000003-0000-0000-c000-000000000000 | |
| Microsoft Intune Company Portal | 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | |
| Microsoft Intune Web Company Portal | 74bcdadc-2fdc-4bb3-8459-76d06952a0e9 | |
| Microsoft Intune Windows Agent | fc0f3af4-6835-4174-b806-f7db311fd2f3 | |
| Microsoft Office | d3590ed6-52b3-4102-aeff-aad2292ab01c | |
| Microsoft Office 365 Portal | 00000006-0000-0ff1-ce00-000000000000 | |
| Microsoft Office Web Apps Service | 67e3df25-268a-4324-a550-0de1c7f97287 | |
| Microsoft Online Syndication Partner Portal | d176f6e7-38e5-40c9-8a78-3998aab820e7 | |
| Microsoft password reset service | 93625bc8-bfe2-437a-97e0-3d0060024faa | |
| Microsoft Planner | 66375f6b-983f-4c2c-9701-d680650f588f | |
| Microsoft Power BI | 871c010f-5e61-4fb1-83ac-98610a7e9110 | |
| Microsoft Power BI | c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12 | |
| Microsoft Power Query for Excel | a672d62c-fc7b-4e81-a576-e60dc46e951d | |
| Microsoft Purview Platform | fd642066-7bfc-4b65-9463-6a08841c12f0 | |
| Microsoft SharePoint Online Management Shell | 9bc3ab49-b65d-410a-85ad-de819febfddc | |
| Microsoft Storefronts | 28b567f6-162c-4f54-99a0-6887f387bbcc | |
| Microsoft Stream Mobile Native | 844cca35-0656-46ce-b636-13f48b0eecbd | |
| Microsoft Stream Portal | cf53fce8-def6-4aeb-8d30-b158e7b1cf83 | |
| Microsoft Substrate Management | 98db8bd6-0cc0-4e67-9de5-f187f1cd1b41 | |
| Microsoft Support | fdf9885b-dd37-42bf-82e5-c3129ef5a302 | |
| Microsoft Support Diagnostics | 5b534afd-fdc0-4b38-a77f-af25442e3149 | |
| Microsoft Teams | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | Assume the attacker has access to all Teams messages. |
| Microsoft Teams – Device Admin Agent | 87749df4-7ccf-48f8-aa87-704bad0e0e16 | |
| Microsoft Teams Admin Gateway Service | 78462efa-e271-409c-a90b-ce3fbd93538a | |
| Microsoft Teams Admin Portal Service | 2ddfbe71-ed12-4123-b99b-d5fc8a062a79 | |
| Microsoft Teams Copilot Bot | 8e55a7b1-6766-4f0a-8610-ecacfe3d569a | |
| Microsoft Teams IP Policy Service | 1303f293-64bd-48ba-89b0-6bf538bc67f3 | |
| Microsoft Teams Services | cc15fd57-2c6c-4117-a88c-83b1d56b4bbe | |
| Microsoft Teams Web Client | 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | |
| Microsoft To-Do client | 22098786-6e16-43cc-a27d-191a01a1e3b5 | |
| Microsoft Tunnel | eb539595-3fe1-474e-9c1d-feb3625d1be5 | |
| Microsoft Whiteboard Client | 57336123-6e14-4acc-8dcf-287b6088aa28 | |
| Microsoft Whiteboard Services | 95de633a-083e-42f5-b444-a4295d8e9314 | |
| Microsoft.Azure.DomainRegistration | ea2f600a-4980-45b7-89bf-d34da487bda1 | |
| Microsoft.ConnectedVMwarevSphere Resource Provider | ac9dc5fe-b644-4832-9d03-d9f1ab70c5f7 | |
| Microsoft.EventGrid | 4962773b-9cdb-44cf-a8bf-237846a00ab7 | |
| Microsoft.EventHubs | 80369ed6-5f11-4dd9-bef3-692475845e77 | |
| Microsoft.HybridCompute Agent Service | eec53b1f-b9a4-4479-acf5-6b247c6a49f2 | |
| MicrosoftAzureActiveAuthn | 0000001a-0000-0000-c000-000000000000 | |
| Mimir | aaf3f152-fe17-487b-b671-44d3f7bad293 | |
| MIP Exchange Solutions – ODB | 8adc51cc-7477-49a4-be4e-263946b4d561 | |
| MIP Exchange Solutions – SPO | 192644fe-6aac-4786-8d93-775a056aa1de | |
| MIP Exchange Solutions – Teams | 2c220739-d44d-4bf7-ba5f-95cf9fb7f10c | |
| MM_Reactions_PME_PROD | e8e8fc40-94d5-4ed6-89f2-9e5ec6c1e11e | |
| Modern Support Connector | 75861f5e-a448-49d7-9c99-6b59bc88c6dc | |
| Modern Workplace Customer APIs | c9d36ed4-91b3-4c87-b8d7-68d92826c96c | |
| MS-CE-CXG-MAC-AadShadowRoleWriter | 2f5afa01-cdcb-4707-a62a-0803cc994c60 | |
| MTS | 6682cfa5-2710-44c9-adb8-5ac9d76e394a | |
| O365 SkypeSpaces Ingestion Service | dfe74da8-9279-44ec-8fb2-2aed9e1c73d0 | |
| O365 Suite UX | 4345a7b9-9a63-4910-a426-35363201d503 | |
| Office 365 | 72782ba9-4490-4f03-8d82-562370ea3566 | |
| Office 365 Client Insights Substrate Services Prod | c94526fa-9f4b-4d30-99f5-849636e4552f | |
| Office 365 Exchange Online | 00000002-0000-0ff1-ce00-000000000000 | |
| Office 365 Management | 00b41c95-dab0-4487-9791-b9d2c32c80f2 | |
| Office 365 Search Service | 66a88757-258c-4c72-893c-3e8bed4d6899 | |
| Office 365 SharePoint Online | 00000003-0000-0ff1-ce00-000000000000 | |
| Office Delve | 94c63fef-13a3-47bc-8074-75af8c65887a | |
| Office Online Add-in SSO | 93d53678-613d-4013-afc1-62e9e444a0a5 | |
| Office Online Augmentation Loop SSO | 2abdc806-e091-4495-9b10-b04d93c3f040 | |
| Office Online Client Microsoft Entra ID- Augmentation Loop | 2abdc806-e091-4495-9b10-b04d93c3f040 | |
| Office Online Client Microsoft Entra ID- Loki | b23dd4db-9142-4734-867f-3577f640ad0c | |
| Office Online Client Microsoft Entra ID- Maker | 17d5e35f-655b-4fb0-8ae6-86356e9a49f5 | |
| Office Online Client MSA- Loki | b6e69c34-5f1f-4c34-8cdf-7fea120b8670 | |
| Office Online Core SSO | 243c63a3-247d-41c5-9d83-7788c43f1c43 | |
| Office Online Loki SSO | b23dd4db-9142-4734-867f-3577f640ad0c | |
| Office Online Maker SSO | 17d5e35f-655b-4fb0-8ae6-86356e9a49f5 | |
| Office Online OWLNest | d7d7af51-cdcd-4a4c-9467-86e7dc5d2b90 | |
| Office Online Print SSO | 3ce44149-e365-40e4-9bb4-8c0ecb710fe6 | |
| Office Online Search | a9b49b65-0a12-430b-9540-c80b3332c127 | |
| Office Online Search SSO | 5a4eed13-c4c4-4b4c-9506-334ab200bf31 | |
| Office UWP PWA | 0ec893e0-5785-4de6-99da-4ed124e5296c | |
| Office.com | 4b233688-031c-404b-9a80-a4f3f2351f90 | |
| Office365 Shell WCSS-Client | 89bee1f7-5e6e-4d8a-9f3d-ecd601259da7 | |
| Office365 Shell WCSS-Server | 5f09333a-842c-47da-a157-57da27fcbca5 | |
| OfficeClientService | 0f698dd4-f011-4d23-a33e-b36416dcb1e6 | |
| OfficeHome | 4765445b-32c6-49b0-83e6-1d93765276ca | Usually the application that the proxy in a MitM phishing campaign signs into. However, it also has many legitimate use cases. |
| OfficeShredderWacClient | 4d5c2d63-cf83-4365-853c-925fd1a64357 | |
| Olympus | bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce | |
| OMSOctopiPROD | 62256cef-54c0-4cb4-bcac-4c67989bdc40 | |
| One Outlook Web | 9199bf20-a13f-4107-85dc-02114787ef48 | |
| OneDrive | b26aadf8-566f-4478-926f-589f601d9c74 | |
| OneDrive iOS App | af124e86-4e96-495a-b70a-90f90ab96707 | |
| OneDrive Sync Engine | ab9b8c07-8f02-4f72-87fa-80105867a763 | |
| OneDrive SyncEngine | ab9b8c07-8f02-4f72-87fa-80105867a763 | |
| OneDriveLTI | 4f547b5f-c3f7-4d2c-a14f-0f8f1286d7d5 | |
| OneLTI | d3ee6f25-becc-4659-9bc6-bbe6af7d18e6 | |
| OneNote | 2d4d3d8e-2be3-4bef-9f87-7875a61c29de | |
| Outlook Web App Widgets | 87223343-80b1-4097-be13-2332ffa1d666 | |
| Partner Customer Delegated Admin Migration | b39d63e7-7fa3-4b2b-94ea-ee256fdb8c2f | |
| Partner Customer Delegated Admin Offline Processor | a3475900-ccec-4a69-98f5-a65cd5dc5306 | |
| Partner Customer Delegated Administration | 2832473f-ec63-45fb-976f-5d45a7d4bb91 | |
| PartnerCenterCustomerServiceAppProd | 34cabb34-90ae-4aca-b8c3-c457dbedf145 | |
| Password Breach Authenticator | bdd48c81-3a58-4ea9-849c-ebea7f6b6360 | |
| PeoplePredictions | 35d54a08-36c9-4847-9018-93934c62740c | |
| Policy Processor | 1b489150-9b00-413a-83fd-6ef8f05b6e28 | |
| Power BI Desktop | 7f67af8a-fedc-4b08-8b4e-37c4d127b6cf | |
| Power BI Service | 00000009-0000-0000-c000-000000000000 | |
| Power Platform Admin Center | 065d9450-1e87-434e-ac2f-69af271549ed | |
| Power Platform Governance Services – TIRPS | 2b5e68f0-bdc2-45b0-920a-217d5cbbd505 | |
| Power Platform Insights and Recommendations Prod | 6b650392-d446-472e-a422-e47047790237 | |
| Power Virtual Agents Service | 9d8f559b-5984-46a4-902a-ad4271e83efa | |
| PowerApps | 4e291c71-d680-4d0e-9640-0a3358e31177 | |
| PowerApps – apps.powerapps.com | 3e62f81e-590b-425b-9531-cad6683656cf | |
| ProductsLifecycleApp | c09dc6d6-3bff-482b-8e40-68b3ad65f3fa | |
| PTSS | 9f6c88b7-0272-4581-a75a-ec0340824ed1 | |
| Purview Ecosystem | 9ec59623-ce40-4dc8-a635-ed0275b5d58a | |
| Reading Assignments | 22d27567-b3f0-4dc2-9ec2-46ed368ba538 | |
| Report Message | 6046742c-3aee-485e-a4ac-92ab7199db2e | |
| Scheduling | ae8e128e-080f-4086-b0e3-4c19301ada69 | |
| SEAL All credentials | 38df11dd-582e-4207-be6f-b214675f44a1 | |
| SEAL SNI | c10f411a-874c-485c-9d66-6e0b34202c41 | |
| SharedWithMe | ffcb16e8-f789-467c-8ce9-f826a080d987 | |
| SharePoint | d326c1ce-6cc6-4de2-bebc-4591e5e13ef0 | |
| SharePoint Android | f05ff7c9-f75a-4acd-a3b5-f4b6a870245d | |
| SharePoint Online Client Extensibility | c58637bb-e2e1-4312-8a00-04b5ffcd3403 | |
| SharePoint Online Web Client Extensibility | 08e18876-6177-487e-b8b5-cf950c1e598c | |
| Signup | b4bddae8-ab25-483e-8670-df09b9f1d0ea | |
| Skype Core Calling Service | 66c23536-2118-49d3-bc66-54730b057680 | |
| Skype For Business Entitlement | ef4c7f67-65bd-4506-8179-5ddcc5509aeb | |
| Skype for Business Online | 00000004-0000-0ff1-ce00-000000000000 | |
| SpoolsProvisioning | 61109738-7d2b-4a0b-9fe3-660b1ff83505 | |
| SSO Extension Intune | 163b648b-025e-455b-9937-a7f39a65d171 | |
| Sticky Notes API | 91ca2ca5-3b3e-41dd-ab65-809fa3dffffa | |
| Substrate Context Service | 13937bba-652e-4c46-b222-3003f4d1ff97 | |
| Substrate Search Settings Management Service | a970bac6-63fe-4ec5-8884-8536862c42d4 | |
| SubstrateDirectoryEventProcessor | 26abc9a8-24f0-4b11-8234-e86ede698878 | |
| Sway | 905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba | |
| Teams CMD Services Artifacts | 6bc3b958-689b-49f5-9006-36d165f30e00 | |
| Teams NRT DLP Ingestion Service | 0ef94e72-e4fc-4aa0-a8f4-ff27deb3e6eb | |
| Teams NRT DLP Service | 7a274595-3618-4e6f-b54e-05bb353e0153 | |
| TeamsChatServiceApp | 4cba1704-a0c1-45ee-9d41-fe75b4ef9190 | |
| TeamsLinkedInLiveApp | 31ba6d5c-2e14-40fb-bbcb-27dc8a1bfaf5 | |
| teamsupgradeorchestrator-app | 3cf798a6-b0c5-4d5c-9645-b5273d471fc5 | |
| Transcript Ingestion | 97cb1f73-50df-47d1-8fb0-0271f2728514 | |
| TrustedPublishersProxyService | 2b61b865-d0bd-4c60-9efa-6fa934eefaac | |
| Universal Print | da9b70f6-5323-4ce6-ae5c-88dcc5082966 | |
| Universal Print Connector | 80331ee5-4436-4815-883e-93bc833a9a15 | |
| Universal Print Enabled Printer | 417ae6eb-aac8-42c8-900c-0e50debba688 | |
| Universal Print Native Client | dae89220-69ba-4957-a77a-47b78695e883 | |
| Universal Print PS Module | aad98258-6bb0-44ed-a095-21506dfb68fe | |
| Universal Store Entitlements Service | bf7b96b3-68e4-4fd9-b697-637f0f1e778c | |
| Universal Store Native Client | 268761a2-03f3-40df-8a8b-c3db24145b6b | |
| ViewPoint | 8338dec2-e1b3-48f7-8438-20c30a534458 | |
| Virtual Connector Provider | 1762e607-063e-431a-a25a-f0f782acb73b | |
| Virtual Visits App | 2b479c68-8d9b-4e27-9d85-5d74803de734 | |
| Visual Studio – Legacy | 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 | |
| Viva Engage (formerly Yammer) | 00000005-0000-0ff1-ce00-000000000000 | |
| WeveEngine | 3c896ded-22c5-450f-91f6-3d1ef0848f6e | |
| Windows 365 | 0af06dc6-e4b5-4f28-818e-e78e62d137a5 | |
| Windows Azure Active Directory | 00000002-0000-0000-c000-000000000000 | |
| Windows Azure Security Resource Provider | 8edd93e1-2103-40b4-bd70-6e34e586362d | |
| Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | |
| Windows Notification Service | 04436913-cf0d-4d2a-9cc6-2ffe7f1d3d1c | |
| Windows Search | 26a7ee05-5602-4d76-a7ba-eae8b7b67941 | |
| Windows Sign In | 38aa3b87-a06d-4817-b275-7a316988d93b | |
| Windows Spotlight | 1b3c667f-cde3-4090-b60b-3d2abd0117f0 | |
| Windows Store for Business | 45a330b1-b1ec-4cc1-9161-9f03992aa49f | |
| Windows Update for Business Cloud Extensions PowerShell | d5097d05-956f-4ae2-b6a2-eff25f5689b3 | |
| Windows Update for Business Deployment Service | 61ae9cd9-7bca-458c-affc-861e2f24ba3b | |
| WindowsDefenderATP Portal | a3b79187-70b2-4139-83f9-6016c58cd27b | |
| Yammer iPhone | a569458c-7f2b-45cb-bab9-b7dee514d112 | |
| Yammer Web | c1c74fed-04c9-4704-80dc-9f79a2e515cb | |
| Yammer Web Embed | e1ef36fd-b883-4dbf-97f0-9ece4b576fc6 | |
| ZTNA Data Acquisition – PROD | 7dd7250c-c317-4bc6-8528-8d27b02707ef | |
| ZTNA Policy Service Graph Client | 3b80cd3f-61ca-49b0-8d0f-7b6760e08705 |

Sources

- https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in
- https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json
- https://github.com/merill/microsoft-info/blob/main/customdata/OtherMicrosoftApps.csv
- https://gist.github.com/dafthack/2c0bbcac72b10c1ee205d1dd2fed3fe7

This is great, you should push them to the Rogue apps project
https://github.com/huntresslabs/rogueapps

Realising now that all of the bad ones are in my JSON and I should push them to Rogue apps…

Great idea, appreciate the comment Phill!