The past few years have seen the rise of consent phishing attacks—that is, those email attacks that implore a recipient to grant OAuth access to a malicious application.
To combat this, Email Security Posture Management will now surface when a new application has been granted access permissions, when a new user has been added to a mail tenant, and when users are assigned to an application.
While all of these events can appear legitimate, when coupled with suspicions of account compromise, internal threat, or in the wake of a phishing campaign, being able to detect these changes can help uncover malicious activity that may have otherwise gone unnoticed.