Microsoft’s Azure applications could be weaponized to break into Microsoft 365 accounts. An attacker could trick someone into granting them access to resources within the cloud. This tactic is ideal for reconnaissance, launching employee-to-employee spearphishing attacks and stealing files and emails from Office 365. Microsoft built the Azure App Service so that developers could create custom cloud applications to call and consume Azure resources. Researchers say this technique is difficult to detect and block because it doesn’t require Microsoft approval or code execution on a victim’s machine.”]
Source: https://www.darkreading.com/cloud/how-attackers-could-use-azure-apps-to-sneak-into-microsoft-365