PERFECTDATA SOFTWARE Rebrands to Mail_Backup
The well-known abused Entra ID/Azure AD OAuth application PERFECTDATA SOFTWARE has now been renamed to Mail_Backup. The app ID and associated permissions have also changed. The prior article I wrote…
Common Oauth Apps Used in Business Email Compromise
This article serves as another place to document some common (and not so common) Oauth applications that are abused for malicious purposes during a BEC. Some are well documented, while…
Malicious Usage of eM Client In Business Email Compromise
If you've found your way to this article, it's likely because you have found a suspicious application content for eM Client. This is an application that is similar in it's…
The Million Dollar CEO Fraud: Anatomy of a Business Email Compromise
This is the article version of my talk from BSides Edmonton & Calgary 2023. While the actual presentation is probably better, this one can serve as a decent overview. Some…
Gripes About Microsoft Expanding Audit Premium Availability
The last few blog posts I've made have been more informative or educational, but this is my cybercorner so I will post what I want. I mentioned in my last…
Syne’s Declassified O365 Email Compromise Investigation Guide
AKA newb's guide to investigating an email compromise. (Yes, I did spend 3x the amount of time making that image then I did writing the article, what about it??) Disclaimer…
Malicious Azure Application PERFECTDATA SOFTWARE and Microsoft 365 Business Email Compromise
Edit 04/13/25: The newest version of the software behind this application has changed. Now, the application's name within a tenant will be Mail_Backup. The app id is now 2ef68ccc-8a4d-42ff-ae88-2d7bb89ad139. Most…