Managed Services

The Day an MCP Server Tripped Our EDR

Every AI assistant your team plugs into Microsoft 365 is an OAuth consent decision. Here's what that looks like from the SOC chair, and why "is this a breach or just AI?" is the new normal.

Josh Gilbert

The Day an MCP Server Tripped Our EDR
The Day an MCP Server Tripped Our EDR

It was 10:15 on a Monday when the Blackpoint alert hit my screen.

Blackpoint Cloud Response for Microsoft 365 has detected that an Administrator with the username [redacted]@[customer].com has granted the Unverified Application, cxx-mcp, access to the following information in Microsoft 365: openid, profile, email, offline_access

My first thought was the same one any SOC analyst's would be: we're getting hit. Unverified app. Admin consent. Tokens that don't expire (offline_access). That's the exact pattern we drill for.

So I did what we do. I dropped the screenshot in our team chat and said "Gonna have to nuke this 'mike.ga' guy."

About sixty seconds later, I figured out what was actually going on. The customer wasn't compromised. One of their admins had connected an AI assistant, specifically an MCP server, to their Microsoft 365 tenant. cxx-mcp wasn't malware. It was an AI tool doing exactly what AI tools do in 2026: asking for OAuth consent so a model could read calendar, email, or files on the user's behalf.

Legit. No incident. Move on.

Except that's not actually the end of the story. That's the beginning of a much bigger one.

OAuth consent is the new attack surface

For years, the security conversation has been about endpoints, then identity, then phishing-resistant MFA. We got better at all three. Attackers got better at the next thing.

That next thing is illicit consent grants: getting a user (or, even better, an admin) to approve an OAuth application that then has legitimate API access to their data. No malware. No password to steal. No MFA prompt to bypass, because the app is just asking nicely and the user is clicking Accept. Microsoft's threat intel team has been writing about this pattern for years. Storm-0558, Midnight Blizzard, and a parade of less-famous campaigns have all leaned on it.

Here's what makes it nasty:

  • The app gets a refresh token. Password resets and MFA changes don't kick it out.
  • The traffic looks like normal Graph API calls because it is normal Graph API calls.
  • Most tenants don't have admin consent workflows turned on, so any user can grant scopes to anything.

That was a problem when the universe of OAuth apps was a few hundred SaaS tools. It's a different problem now that every employee has access to a dozen AI assistants, each one wanting to be plugged into Microsoft 365.

MCP made the curve steeper

Model Context Protocol is the standard that lets AI assistants talk to your tools: calendars, mailboxes, ticketing systems, file shares, all of it. It's a good standard. It's how this stuff is supposed to work.

It's also a registration explosion waiting to happen. Every MCP server is, from Azure AD's perspective, an enterprise application asking for consent. Multiply that by every AI product on the market, every internal experiment a developer runs, every "let me just connect Claude to my Outlook real quick" moment, and you have a tenant where the app registration list grows faster than anyone can review it.

If you don't have visibility into who is registering what, you don't have visibility into your tenant.

What "good" looked like in this case

Two things saved us sixty seconds of confusion instead of sixty hours of incident response:

  1. Cloud-aware EDR. Blackpoint Cloud Response sees the Azure event the moment the consent is granted. Not the next day in a log review. Not after the breach. Right then.
  2. A human in the loop who knew what to look for. The alert told me what was registered, who registered it, and what scopes were granted. I could rule it in or rule it out in under a minute.

That's it. That's the whole control. Detect the registration. Read the scopes. Decide.

The customer was fine because we saw it. Visibility was the win. Blocking the app would have been optional.

What you should do this week

If you run a Microsoft 365 tenant (yours or your customers'), three things to put on the list:

  • Turn on the admin consent workflow. Force user-initiated consent requests through an approver. Microsoft has a walkthrough; it takes about ten minutes.
  • Audit your enterprise applications list. You will be surprised. We always are. Look for unverified publishers, broad scopes, and apps nobody remembers approving.
  • Get cloud telemetry into your monitoring stack. EDR that stops at the endpoint isn't enough anymore. The attack surface moved.

Need a second set of eyes on your tenant?

We help customers turn on admin consent workflows, audit enterprise applications, and get cloud telemetry into their monitoring stack. If you got an alert this morning that made your stomach drop, we're around.

Talk to us about managed services arrow_forward

Josh Gilbert is on the managed services team at Springthrough, where he spends his mornings deciding whether things are on fire or not.

Share this post