In separate instances, the attacker created multitenant OAuth apps for persistence, adding new credentials, and reading emails or sending phishing emails via the Microsoft Graph API.

A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts.