The compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application.
Like almost any software, it can be abused for nefarious purposes. OAuth is an especially appealing target for criminals in cases where compromised accounts don't have strong authentication in place, and user permissions allow them to create or modify OAuth applications.
One of the ways Microsoft suggests that organizations can look for this type of illicit mining in their cloud instances is to "monitor VM creation...
[
add
]
[
|
|
...
]