So truthfully now ...
... who didn't see this one coming when still several parsecs out?
Miscreants using malicious OAuth applications abused Microsoft's "verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into users' mailboxes, calendars, and meetings. According to researchers with Proofpoint, which uncovered the campaign in early December, hijacking the " …
Yup. Trusting Microsoft with your authentication isn't asking for problems, it's actively begging for it on your knees with your exposed rear up ready for .. well, I leave the rest to your no doubt fertile imagination.
Nobody realised that when Microsoft started to use the term "Trusted computing" they were being sarcastic..
No, they did well in Trusted Computing for a while. But as usual they probably went "oh that's that problem solved, let's reduce the team to three people who don't actually care about the issue and move onto adding more buttons that nobody wants to justify the next round of upgrades for Office"
In truth, I don't think breaching Microsoft's latest assurance scheme * is that big a deal. Any organisation with an open policy (which I believe is still the default even though Microsoft themselves recommend otherwise) is going to see lots of quite well-known, respectable apps washing up on that ole' Enterprise Apps blade with minimal details. The list rapidly becomes a sty in which malevolent actors can hide amongst the clutter.
* Still grateful to El Reg for highlighting this old one from 2019:
https://www.theregister.com/2019/01/23/office_365_network_hole/
what's mine is yours and what's yours is mine.
As complex as they can make it (security through obscurity ~~) all it takes is a Cert, Key, Token, and anything goes. How many businesses will fail if MS fails for a week?
Their entire system is so dependent on itself, it should be called a house of cards or Jenga.
If their products were separated completely, I would have more confidence in them.