A user accidentally grants OAuth consent to a malicious app
An OAuth token can read and send mail without a password or MFA. Changing the password doesn't help, you must revoke the token.
Try this first
- 1Entra > Enterprise applications > find the suspicious app
- 2Remove app consent and revoke all tokens
- 3Force sign-out of all sessions for that user
- 4Audit sent mail for the relevant period via Compliance
When to bring us in
Roll out an org-wide OAuth app review: whitelist known apps, block the rest via app-consent policy.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.