A new phishing campaign uses a Coinbase-themed email to lure victims into granting consent to a malicious Microsoft 365 OAuth application, which gives the attackers access to the victim's mailbox. The permissions the app is granted do not allow it to send email on the victim's behalf (that would require Mail.Send), but the Mail.ReadWrite permission does let the attackers read and modify mailbox items, including draft messages the user has created. That is enough to search for unsent drafts and alter their contents so that, once the user sends them, they serve as BEC or further phishing messages. Microsoft 365 administrators can check their tenant for users who have consented to OAuth applications and review the permissions those apps hold.
Source: https://www.bleepingcomputer.com/news/microsoft/coinbase-phishing-hijacks-microsoft-365-accounts-via-oauth-app/
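The administrator check described above, as an added example that is not from the article or from Microsoft: a small triage script over an export of Microsoft Graph oAuth2PermissionGrant objects (as returned by GET /oauth2PermissionGrants or Get-MgOauth2PermissionGrant). It flags every user-level consent ("Principal") that hands a mailbox scope to an app not on an admin allow-list, and separately reports whether a given scope string permits editing drafts (Mail.ReadWrite) and sending (Mail.Send). The grant records embedded in the block are constructed sample data, not a real tenant export, and the service principal and user identifiers in them are placeholders.

```python
"""Triage exported Microsoft Graph oAuth2PermissionGrant records for
user-consented apps that hold mailbox permissions.

Added example, not code from the article. The record shape follows the
Graph oAuth2PermissionGrant resource (clientId, consentType, principalId,
resourceId, scope). The sample records below are constructed for this
example; the ids are placeholders, not real object ids.
"""
import json

# Constructed sample export of what GET /oauth2PermissionGrants might return.
# g1: tenant-wide admin consent (consentType AllPrincipals, no principalId)
# g2: a single user consenting an unknown app to Mail.ReadWrite
# g3: a single user consenting a low-privilege app to User.Read only
SAMPLE_GRANTS = json.loads("""
[
  {"id": "g1", "clientId": "sp-outlook-mobile", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "Mail.ReadWrite User.Read"},
  {"id": "g2", "clientId": "sp-unknown-app", "consentType": "Principal",
   "principalId": "user-alice", "resourceId": "sp-graph",
   "scope": "User.Read Mail.ReadWrite offline_access"},
  {"id": "g3", "clientId": "sp-survey-tool", "consentType": "Principal",
   "principalId": "user-bob", "resourceId": "sp-graph",
   "scope": "User.Read"}
]
""")


def mailbox_scopes(scope_string):
    """Delegated Graph scopes that touch mail all share the Mail. prefix
    (Mail.Read, Mail.ReadWrite, Mail.Send, Mail.ReadWrite.Shared, ...)."""
    return sorted(s for s in scope_string.split() if s.startswith("Mail."))


def risky_user_consents(grants, admin_approved_clients=frozenset()):
    """Return (principalId, clientId, mailbox scopes) for every grant that
    a user consented to individually (consentType == "Principal") for a
    client outside the admin allow-list and that includes a mailbox scope.
    Tenant-wide admin consents (AllPrincipals) are left for a separate review."""
    findings = []
    for g in grants:
        if g.get("consentType") != "Principal":
            continue
        if g.get("clientId") in admin_approved_clients:
            continue
        scopes = mailbox_scopes(g.get("scope", ""))
        if scopes:
            findings.append((g["principalId"], g["clientId"], scopes))
    return findings


def grant_capabilities(scope_string):
    """What an attacker can do with a given delegated scope set.
    Editing an existing draft needs Mail.ReadWrite; sending as the user
    additionally needs Mail.Send, which is why a Mail.ReadWrite-only app
    has to tamper with drafts the victim will send themselves."""
    scopes = set(scope_string.split())
    return {
        "modify_drafts": "Mail.ReadWrite" in scopes,
        "send": "Mail.Send" in scopes,
    }


if __name__ == "__main__":
    for principal, client, scopes in risky_user_consents(SAMPLE_GRANTS):
        caps = grant_capabilities(" ".join(scopes))
        print(f"user {principal} consented {client} to {', '.join(scopes)}: "
              f"drafts={caps['modify_drafts']} send={caps['send']}")
```

Run it against a real export by replacing SAMPLE_GRANTS with the JSON array from the Graph call; the allow-list argument lets known-good publishers (the Outlook clients, for instance) be suppressed so only unexpected user consents surface. Revoking a flagged grant removes the app's access for that user, but the mailbox should still be checked for drafts that were altered while the grant was live.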

