The well-known abused Entra ID/Azure AD OAuth application PERFECTDATA SOFTWARE has now been renamed to Mail_Backup. The app ID and associated permissions have also changed. The prior article I wrote about PDS, its malicious uses, and other important information is still relevant, and if you are currently dealing with an incident involving this application, I suggest you read it.
I was emulating some malicious activity for my job and decided to do a fresh consent to the application behind this service principal, Email Backup Wizard. Imagine my surprise when I realized that the name of the application changed!

Logging into my tenant after consenting showed that the app name had indeed changed, as well as the app ID.
Old AppID: ff8d92dc-3d82-41d6-bcbd-b9174d163620
New AppID: 2ef68ccc-8a4d-42ff-ae88-2d7bb89ad139

It seems like the permissions have changed as well. The older PDS used Exchange Web Services (EWS), which will be deprecated in 2026. The new version of the application has the following permissions:
User.Read – Sign in and read user profile
Mail.Read – Read user mail
MailboxFolder.Read – Read a user’s mailbox folders
Contacts.Read – Read user contacts
Calendars.Read – Read user calendars
MailboxSettings.Read – Read user mailbox settings
Mail.ReadWrite – Read and write access to user mail
MailboxFolder.ReadWrite – Read and write a user’s mailbox folders
openid – Sign users in
profile – View users’ basic profile
offline_access – Maintain access to data you have given it access to
Other than that, everything else about the application seems to have stayed the same.
The same conclusion from the original article still stands. If you see this application, assume all data within the mailbox has been exfiltrated, and act according to your legal responsibilities. Do not delete this application from the tenant; instead, block user sign-in to the app and remove any assigned users or permissions. Consider enabling the setting to require administrator consent to applications.
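The following triage script is an added example, not code from the original article. It assumes you have exported the tenant's Microsoft Graph servicePrincipals and oauth2PermissionGrants collections to JSON; it matches both app IDs listed above and reports who consented, which scopes were granted, and whether sign-in is already blocked. The sample objects and their ids are constructed.

```python
import json

# App IDs from the article: old PERFECTDATA SOFTWARE and renamed Mail_Backup.
WATCHED_APP_IDS = {
    "ff8d92dc-3d82-41d6-bcbd-b9174d163620": "PERFECTDATA SOFTWARE (old app ID)",
    "2ef68ccc-8a4d-42ff-ae88-2d7bb89ad139": "Mail_Backup (new app ID)",
}

def triage(service_principals, grants):
    """Join watched service principals to their delegated permission grants."""
    findings = []
    for sp in service_principals:
        label = WATCHED_APP_IDS.get(str(sp.get("appId", "")).lower())
        if label is None:
            continue
        # oauth2PermissionGrant.clientId is the service principal's object id.
        sp_grants = [g for g in grants if g.get("clientId") == sp["id"]]
        findings.append({
            "app": label,
            "service_principal_id": sp["id"],
            # accountEnabled == false means user sign-in to the app is blocked.
            "sign_in_blocked": sp.get("accountEnabled") is False,
            "tenant_wide_consent": any(
                g.get("consentType") == "AllPrincipals" for g in sp_grants),
            "consenting_users": sorted(
                {g["principalId"] for g in sp_grants if g.get("principalId")}),
            # scope is one space-delimited string per grant.
            "scopes": sorted(
                {s for g in sp_grants for s in (g.get("scope") or "").split()}),
            "grant_ids": [g["id"] for g in sp_grants],
        })
    return findings

# Constructed sample data shaped like Graph exports; all object ids are made up.
SAMPLE_SPS = json.loads("""[
  {"id": "sp-aaaa", "appId": "2EF68CCC-8A4D-42FF-AE88-2D7BB89AD139",
   "displayName": "Mail_Backup", "accountEnabled": true},
  {"id": "sp-bbbb", "appId": "11111111-1111-1111-1111-111111111111",
   "displayName": "Constructed benign app", "accountEnabled": true}
]""")
SAMPLE_GRANTS = json.loads("""[
  {"id": "grant-1", "clientId": "sp-aaaa", "consentType": "Principal",
   "principalId": "user-1234", "scope": "openid profile offline_access Mail.ReadWrite"},
  {"id": "grant-2", "clientId": "sp-bbbb", "consentType": "AllPrincipals",
   "principalId": null, "scope": "User.Read"}
]""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SPS, SAMPLE_GRANTS), indent=2))
```

Each entry in consenting_users is a mailbox to treat as exfiltrated, and grant_ids identifies the delegated grants to remove once sign-in to the service principal is blocked.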