惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

Wiz Blog | RSS feed

Meet Wiz for M365: Bringing SaaS into the Security Graph Bringing Security Visibility to Vercel with Wiz Axios NPM Distribution Compromised in Supply Chain Attack Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild The Wiz Blue Agent, now Generally Available Beyond the Badge: What Achieving Microsoft’s Certified Software Designation Means for Your Cloud Security Introducing the Green Agent: AI-Powered Remediation for the Cloud Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack Introducing the Wiz Red Agent- AI-Powered Attacker Introducing Wiz AI Application Protection Platform (AI-APP) Introducing Wiz Agents & Workflows: Security at the Speed of AI AI Runtime Threat Detection: From Input to Real-World Impact Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack It’s Official: Wiz Joins Google Understanding and Reducing AI Risk in Modern Applications Introducing Wiz Tenant Manager: Multi-Tenant Management for Federated Organizations The Agile FedRAMP Playbook, Part 4: Reactive Risk Management through Enriched Incident Response Wiz Achieves CPSTIC Certification in Spain Seeing AI Clearly: Building Visibility Across Modern AI Applications The Agile FedRAMP Playbook, Part 3: Preventative Risk Management by building Secure by Design Wiz Leads the 2026 Latio Application Security Report with awards in 4 categories Building an Agentic Cloud Security Ecosystem: A Reference Architecture with Wiz MCP and Infosys Cyber Next The Agile FedRAMP Playbook, Part 2: Proactive Risk Management with Continuous Monitoring Cloud-native Security for your Windows environment: Announcing the Wiz Runtime Sensor for Windows Wiz Named a Leader in The Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 From Detection to Remediation: It’s Time to Rethink AppSec Around Exploitability and Root Cause Fixes The Agile FedRAMP Playbook, Part 1: Why Risk is Your Best Starting Point Introducing AI Cyber Model Arena: A Real-World Benchmark for AI Agents in Cybersecurity Wiz + Spotify Backstage: Security at the Developer’s Desk Building AI Security Together: New Ways to Partner with Wiz for AI Security in 2026 Hacking Moltbook: The AI Social Network Any Human Can Control The Year in Wiz Research: 2025 Most Read Blogs WizExtend is Here: AI and Cloud Security Insights in Your Daily Workflow From Detection to Remediation: Wiz in Your JetBrains IDE Agentic Browser Security: 2025 Year-End Review CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild A 90-Day Action Plan to Turn Resolutions into Results with Wiz Introducing the Wiz Partner Alliance: A New Chapter for Partner Success Preparing for Post-Quantum Cryptography Wiz Recognized as a 2025 Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for CNAPP Expanding the Zero Critical Club to set a new standard for AppSec and SecOps teams Snipping the Long Tail of Shai-Hulud 2.0 Protecting Against Zero-Day Vulnerabilities with SOC-Level ASM Alert MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know The Kenna Transition: Your Strategic Shift to Exposure Management From MCP to Vibe Coding: Full Endpoint Visibility in Wiz AI Security Bringing Oracle Cloud Identity to Wiz Zero‑Days in the Age of AI: Behind the Scenes of ZeroDay.cloud 2025, with a Record High of CVEs in Critical Cloud Infra Gogs 0-Day Exploited in the Wild Code to Cloud Attacks: From Github PAT to Cloud Control Plane Top AWS re:Invent Announcements for Security Teams in 2025 React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 React2Shell (CVE-2025-55182): Everything You Need to Know About the Critical React Vulnerability Wiz Product Announcements at re:Invent 2025: Expanding Visibility from Code to Cloud Introducing Wiz SAST: Where Code Risk Meets Cloud Context Wiz Becomes Fastest Security ISV to Reach $1 Billion in AWS Marketplace Lifetime Sales It's Here! Wiz Exposure Management is Now GA Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact Service Catalog is Here: Expand Risk Visibility for Your Service and Its Dependencies, Simplify Issue Ownership WizOS: Powering Secured Image Adoption with AI 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs Mastering Software Governance with Hosted Technologies Inventory Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets Get Certified on Wiz Defend for Threat Detection and Response Blueprint for Security: A Guide to Code, Governance, and Response Frameworks Google Unified Security Recommended Program Names Wiz Among First 3 Strategic Partners Introducing Posture Issues: Transform Security Findings into Actionable Outcomes Empower and Accelerate Your SOC with the Blue Agent Exposure Report: 65% of Leading AI Companies Found with Verified Secret Leaks Wizdom 2025 Product Announcements: Extending the Cloud Operating Model When AI Becomes the Heart of Security: Powering a Future You Can Trust AI-Powered Wiz: From Agents to Everyday Intelligence Defend Agentless Workload Detection: Bringing Visibility to Blind Spots in Threat Detection Securing AI Agents with Wiz AI-SPM Introducing Wiz ASM: Context-Driven Attack Surface Management Securing Critical Infrastructure in the Cloud Era: A Policy and Technology Blueprint How CISOs Should Plan Security Budgets for 2026 Beyond the Checkbox: How Wiz Transforms SOC 2 into a Security Powerhouse Bringing Visibility to Kubernetes: Unified Inventory and Network Insight The Foundation Modern AppSec Is Still Missing: Code to Cloud, Rebuilt the Right Way Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces Introducing HoneyBee: How We Automate Honeypot Deployment for Threat Research RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score Defending against database ransomware attacks AI Security 101: Mapping the AI Attack Surface Introducing zeroday.cloud: First-of-its-kind cloud and AI hacking competition Unifying Cloud Risk and Network Defense: Wiz and Check Point The emerging use of malware invoking AI Wiz achieves FedRAMP High authorization Wiz + HCP Terraform: Close the IaC-to-Cloud Infrastructure Security Gap IMDS Abused: Hunting Rare Behaviors to Uncover Exploits Beyond CVEs: The Exploitation of Everyday Misconfigurations Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them Introducing Wiz Incident Response: Your Expert Partner for Cloud Security Incidents Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware DORA Compliance in the Cloud Era: Insights from Deloitte and Wiz How Wiz Customers like Brex and FICO See AI Changing Security Wiz Recognized as a Leader in the 2025 IDC MarketScape for ASPM Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond
Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs
Shahar Dorfman, Sapir Federovsky · 2026-02-19 · via Wiz Blog | RSS feed

TL;DR

  • OAuth applications in Microsoft Entra ID are a common persistence and privilege escalation mechanism used by attackers.

  • Because OAuth apps are frequently created, modified, and forgotten, malicious applications often blend in with legitimate business integrations.

  • By analyzing known OAuth attack campaigns across multiple environments, we developed OAuth Apps Scout - a proactive detection pipeline that automatically surfaces emerging malicious OAuth applications, and has so far helped us identify many malicious apps across dozens of affected organizations.

Would you click "Accept" on this application?

This app looks like a standard Microsoft prompt, but there’s a catch: the name starts with a zero, not the letter O.

After finding this homoglyph attack in the wild, we started investigating. It quickly led to something much larger. The trail ended with over 20 companies impacted across three distinct malicious OAuth App campaigns. It highlights a common gap in how Azure service principals are managed.

What are Oauth Applications and what is Consent?

A Microsoft Entra application starts with a single application object, which lives in the tenant where the app was originally registered (its “home” tenant). That application object acts as a blueprint: whenever the app is used in another tenant, Entra creates a corresponding service principal there.

In other words, you can think of an OAuth application like a third-party contractor you hire to work on your house. You wouldn't give them your master key (your password), instead, you give them a specific badge (set of permissions) that only lets them into the kitchen and the basement.

In the world of Azure, Consent is that badge. When you see a prompt asking for permission to access your profile or files, clicking "Accept" is telling Azure: "I trust this developer enough to give them this specific set of permissions."

From Global App to Local Identity

This is where it gets interesting for security teams. Most of the apps you use, like Microsoft Teams, don’t actually "live" inside your environment. They are hosted inside the developer’s (i.e. Microsoft) Azure environment.

But for Teams to function within your specific company, your Azure tenant needs a way to recognize and manage it locally. This creates a two-part relationship:

  1. The Application Object: The global "blueprint" of the app that lives in the developer's home tenant.

  2. The Service Principal: Your local "instance" of that app.

As shown in the diagram below, while there is only one global Application ID for Teams, every company that uses it has their own unique Service Principal ID.

The Risk of Azure OAuth Applications

The danger lies in the fact that most of us have "consent fatigue". We see a pop-up, we want to get to work, and we click "Accept" before our brain even registers what we’re looking at. An attacker counts on this. They give their malicious app a legitimate-looking name and wait for an uneducated or rushed user to just open the door for them. Here is how this can be done:

1. Creating the Fake App

First, an attacker creates an application in their own Azure environment. They give it a name that looks legitimate, like "Adobe", to make it look like a trustworthy application. To reinforce the illusion of trust, the actor can configure a familiar logo and specify a homepage URL that looks legitimate.

2. Phishing for a sign-in

The attack’s success depends on a person making a choice, signing in to the app. The attacker sends out a phishing email, perhaps telling the user they need to "update their Adobe settings" or "verify their account". The goal is to get the user to click a link and land on a real Microsoft sign-in page.

3. Getting Consent

After the user signs in, they see a prompt asking for permission to access their data. Because the app name and logo look legitimate, the user often clicks "Accept". By doing this, the user is accidentally "adding" the attacker's app into their company's tenant. As you can see in the diagram, this creates a new Service Principal (a local instance) inside the victim’s tenant, even though the attacker still controls the global application.

4. Capturing Access

Once "Accept" is clicked, the sign-in process is complete. But instead of going to a normal landing page, the access token is sent to the attacker’s Redirect URL. With that token, the attacker now has access to the user's files or emails without ever needing to know their password.

5. Enabling Persistency

As mentioned above, by granting consent, the victim tenant creates a Service Principal for the attacker-controlled application. This Service Principal persists independently of the user’s session and credentials, allowing the application to continue accessing resources as long as the granted permissions remain valid. Unlike traditional credential theft, this access survives password resets, MFA enforcement, and even user offboarding, unless the OAuth grant or Service Principal is explicitly removed.

A Manual Hunt Begins

At this point, it’s clear that malicious OAuth applications represent a real and persistent risk, in part because they closely resemble legitimate SaaS integrations and are difficult to assess in isolation - it’s difficult to know at a glance if an app is malicious or not. With that in mind, we analyzed multiple real-world malicious OAuth applications to understand what distinguishes them from benign ones, and whether those differences could be leveraged to systematically identify other malicious apps. 

One illustrative example is an application that presents itself as a DocuSign integration. Although the application appeared legitimate on its own, evaluating it in a broader context revealed multiple red flags compared to the actual legitimate DocuSign app:

  • Application Name - the malicious app’s name closely mimics the well-known SaaS service and looks completely legitimate. However, the application was published by an unverified entity, providing no strong linkage to the brand it claimed to represent

  • Publisher verification - the legitimate application is publisher-verified, whereas the malicious application is not.

  • Homepage - the malicious app does not specify a homepage, while the legitimate app is configured with the official homepage.

  • Unrelated or suspicious reply URL - the redirect URI of the malicious app pointes to infrastructure unrelated to the claimed service and in this case also uses a free hosting subdomain.

  • Unusual application owner name and domain - The owning tenant and associated domains did not align with the purported service, further weakening the legitimacy of the application. In some cases, we have reason to believe that legitimate websites were hijacked by the threat actor.

  • The app prevalence - the real DocuSign app can be found in use by many organizations, whereas the malicious one could only be found in a handful of environments

From Research to Tooling: Operationalizing OAuth App Detection

After manually investigating several malicious applications, we wanted to translate those insights into an automated pipeline capable of proactively detecting future malicious activity. The result is a multi-stage analysis pipeline that incrementally enriches OAuth application data, reduces noise, and enables both newly-observed detection of suspicious applications and cross-environment pivoting to uncover attacker activity.

The pipeline consists of four main stages:

1.Extraction and Establishing the baseline
We start by ingesting OAuth applications observed across environments, focusing on third-party integrations. From this data, we establish a baseline of commonly observed application IDs and names and filter out those that appear broadly across environments, as they are more likely to represent legitimate SaaS services. This baseline is reused in later stages to identify applications that mimic or deviate from known integrations. For the remaining applications, we extract the key characteristics needed for comparative analysis.

2. Enrichment
Each discovered application’s metadata is enriched with additional context to better assess its legitimacy and risk. This enrichment process incorporates multiple signals, including:

  • Application name analysis - application names are compared against the baseline of commonly observed names identified in the discovery stage to detect potential masquerading or brand impersonation attempts

  • Homepage URL evaluation - homepage URLs are examined to identify empty, placeholder, or suspicious pages, and are cross-referenced with DNS information to assess domain legitimacy

  • Reply URL analysis - redirect URIs are analyzed to extract domain ownership and DNS characteristics, helping identify infrastructure that is unrelated to the claimed service

  • Ownership and publisher context - publisher names, tenant IDs, and associated domains are enriched to provide insight into the entity operating the application.

  • Adoption and permission usage - tenant distribution and the permissions requested by the application are included to understand how the application is used in practice and to highlight anomalous or high-risk behavior.

3. Decision and Prioritization
To prioritize OAuth applications for investigation, we apply a weighted scoring mechanism across the enriched signals. Rather than relying on a single indicator, the model combines multiple weak signals such as unusual permission usage, low tenant prevalence, name similarity to known integrations, and suspicious reply or homepage URLs - to assign a risk score to each application. This scoring approach helps surface applications that warrant closer inspection while reducing noise from benign integrations that may exhibit one anomalous trait in isolation.

4. AI-Assisted Contextual Evaluation
During our analysis, we found that some aspects of OAuth application assessment are inherently contextual. Indicators such as whether a reply URL aligns with the claimed service, or whether an owning domain makes sense for a given application name, are difficult to evaluate using strict rules alone. To address this, we incorporated an AI-assisted evaluation step that considers the application’s metadata holistically. This step helps assess the overall plausibility of the application by reasoning over relationships between signals, rather than evaluating each signal in isolation.

5. Pivoting and Campaign Discovery
Finally, the pipeline enables pivoting across shared indicators such as reply URLs, ownership domains, application metadata, and naming conventions. By correlating these signals across environments, we are able to cluster related OAuth applications and identify coordinated attacker campaigns operating across multiple organizations. This shifts the focus from isolated detections to campaign-level visibility, providing deeper insight into how attackers reuse and adapt OAuth applications in the wild.

Identifying Malicious OAuth Patterns in the Wild

As a concrete example of the malicious OAuth activity we see in the wild, our detection pipeline identified a large-scale campaign active in early 2025. The campaign involved 19 distinct OAuth applications impersonating well-known brands such as Adobe, DocuSign, and OneDrive, and targeted multiple organizations. The same campaign was independently reported by the Proofpoint research team. Across the apps, we observed clear signs of coordination, including infrastructure reuse - most notably shared reply URLs and placeholder or empty home pages.

The attack flow relied on luring users into granting OAuth consent to fake document-sharing applications, allowing attackers to obtain long-term access without triggering MFA or anomalous login alerts. Once consent was granted, the attackers were able to read user emails and files, maintain access through delegated permissions, and exfiltrate data without generating suspicious authentication activity. A list of indicators of compromise (IOCs) associated with this campaign is provided at the end of this blog.

The Evolution of Attacker Stealth: 2019 vs. 2025

While our model surfaced meaningful results from the previous year, we wanted to assess how far back this trend extends. Given that OAuth applications are known to be abused over long periods, we evaluated our model on data from earlier years.

This led us to detect seven additional malicious applications dating back to 2019. These apps utilized Cyrillic homoglyphs, replacing Latin characters with visually identical non-Latin letters, to mimic legitimate Microsoft services.

Commonly Spoofed Apps (2019):

  • ОпeDrive for Business (Uses Cyrillic "п")

  • Sharеpoiпt Cloud (Uses Cyrillic "п")

  • Мicгoѕоft. Сloud App Ѕесuгity (Uses Cyrillic "г")

These homoglyph apps were found in use across more than 50 organizations, highlighting a long-term gap in traditional detection methods.

2025: A Shift in Strategy

When we compare these legacy campaigns to our latest findings in 2025, the evolution in attacker tradecraft is clear. Attackers have moved away from spoofing Microsoft itself and are now leveraging the trust of third-party productivity tools like Adobe and DocuSign.

The modern attacker is significantly stealthier. They have traded "obvious" typosquatting for sophisticated URL structures and legitimate-looking SaaS platforms to host their redirect points.

Comparative Analysis: Tactical Evolution

Feature2019 (Homoglyph)2019 (Obvious)2025 (Modern)
App NameShaгеPoint Cloud0365 AccessDocuSign
Target BrandMicrosoftMicrosoftThird-Party (DocuSign/Adobe)
Reply URLsharepoint.microzoftonline.comofficemtr.com:8081/officeynapaletsteamworkspace.myclickfunnels.com/
Stealth LevelModerate (Visual)LowHigh (Contextual)

Key Takeaways for Defenders

Detecting malicious OAuth applications is achievable, and should therefore be a critical pillar of modern identity security. While the transition from 2019’s "Microsoft-cloning" to 2025’s "SaaS-impersonation" shows that attackers are evolving, they are not invisible. They still operate within the constraints of the OAuth protocol, which requires them to leave detectable traces.

The "Breadcrumbs" 

Even the most sophisticated attackers leave identifiable marks across these four vectors:

  • Application Metadata: Traditional strategies for detecting phishing are just as applicable to OAuth apps; look for names that imply urgency or mimic trusted tools. 

  • Reply URLs: Analyze the redirect URI.  Attackers often hide their landing pages on trusted SaaS platforms like ClickFunnels or GitHub Pages to bypass security filters. Since these platforms are used by many legitimate businesses, security tools can’t easily block them without causing major disruptions. This is a common behavior, previously documented by other security companies, including CheckPoint, Infosecurity and iZOOlogic

  • Requested Scopes (Permissions): High-risk permissions like Mail.Read or Files.ReadWrite.All should always trigger an alert, especially when requested by an external, non-verified publisher.

  • Infrastructure: Every malicious app is tied to a source tenant and a verified (or unverified) domain. Understanding the Tenant’s details and the reputation of the associated domain is vital.

Actionable Defense Strategies

We believe the detection model discussed in this post can be implemented by any resourceful blue team today. To strengthen your posture, we recommend a multi-layered approach:

  1. Restrict User Consent: Limit the ability of non-admin users to grant consent to apps from unverified publishers.

  2. Inventory & Audit: Regularly export and review a list of all OAuth grants in your environment. Look for apps that are consented by only 1 or 2 users, these "low-prevalence" apps are often the result of targeted phishing.

  3. Monitor "First-Time" Apps: Alert on any app that is seen in your tenant for the first time, especially if the reply URL doesn't match a known enterprise service.

  4. Baseline Reply URLs: Use regex or threat intelligence feeds to scan Reply URLs for suspicious strings or known malicious hosting patterns.

Attackers are counting on your trust in familiar names to go unnoticed. This model shifts the power back to the defenders, proving that even the stealthiest application leaves a trail if you know where to look.

IOCs

NameApp IDOwner tenant IDOwner tenant domainReply URLsLast seen
Adobec4d0b015-689a-4bcf-b69b-3ed5005fddb69c036328-3aba-4d35-aceb-6456f9420b31thermion.se; thermionse.mail.onmicrosoft.com; thermionse.onmicrosoft.com["https://adobe.mareanebulosasao.it.com/WOWFM"]2025
PDFa69a0f78-a77c-451c-b090-b766425caee231aca3e6-069d-4baa-89b7-6502006fe99elnsrc.org; lnsrclub.onmicrosoft.com["https://topboysteamworkspace.myclickfunnels.com/sahreddocumentfile"]2025
Adobe58427324-4e5d-4441-b029-cd2d532b47d7619849e9-5192-4c3f-b0f3-8469980c3958nceconomicresourcecouncil.onmicrosoft.com; ncerc.org["https://jaimereintsteamworkspace.myclickfunnels.com/securedfile"]2025
Adobe706e0542-2dfb-4e7f-98f0-1e17eab6d5b8d8320d6d-7982-471e-965c-d001308ed36etimes-7.com; times7research.onmicrosoft.com["https://emircoms.com/auto"]2025
Docusignfdcf7337-92bf-4c70-9888-ea234b6ffb0dbb42fc45-200e-4b7b-a63b-70bbdf1c83ecceyanos.info; ceyanos.onmicrosoft.com["https://kimharrysteamworkspace.myclickfunnels.com/securedocument"]2025
Teams Task Plannera8ca8dad-f6e6-4b01-9d6b-02e1da6c9d7f3a4f221b-5c4b-4665-9f7d-2ee498224e66wallsofttech.com; wallsofttech.onmicrosoft.com["https://emircoms.com/auto/apc.html"]2025
docsign6a77659d-dd6f-4c73-a555-aed25926a05f619849e9-5192-4c3f-b0f3-8469980c3958nceconomicresourcecouncil.onmicrosoft.com; ncerc.org["https://jaimereintsteamworkspace.myclickfunnels.com/doc"]2025
DocuSign-2025f99a0806-7650-4d78-acef-71e445dfc8443a4f221b-5c4b-4665-9f7d-2ee498224e66wallsofttech.com; wallsofttech.onmicrosoft.com["https://emircoms.com/auto/apc.html"]2025
Docusign6628b5b8-55af-42b4-9797-5cd5c148313cb25911e3-9339-4019-90ed-b263339449bclevenospenkozhotmail.onmicrosoft.com["https://embeds.beehiiv.com/2066d619-1342-40ba-893d-6d0e6eee70d5"]2025
DocuSigna3903ccd-ec81-4264-8f6a-a7d4cd395fd5e297c7b7-297d-4261-a849-e11e0f2bb10fcooltekinc.com; cooltekllc.com; cooltekllc.onmicrosoft.com["https://myworkspacefea7ffc776.myclickfunnels.com/httpsoutlookofficecom"]2025
Adobec52517b0-46eb-4d61-975a-771d9978dac0a205f03e-e6ab-412e-a1f9-360f848b3705anchorsgordon.com; anchorsgordon.onmicrosoft.com["https://kimharrysteamworkspace.myclickfunnels.com/sharedfil"]2025
adobeb0d8ea55-bc29-436c-9f8b-f8829030261d0648fcb2-de2a-4a11-bd97-872c9b1a452bdamiongosamemorialfo.onmicrosoft.com; dgm-f.org["https://workspacesteamworkspace.myclickfunnels.com/offices--af295"]2025
Users21f81c9e-475d-4c26-9308-1de74a286f7369168d16-9597-47a2-a4eb-a81900185529fpwd.com; netorgft8261298.onmicrosoft.com["https://myworksspace.myclickfunnels.com/office365com--5b652"]2025
sharedoc48cb1fac-7195-47b3-98b2-fe3562bee75c619849e9-5192-4c3f-b0f3-8469980c3958nceconomicresourcecouncil.onmicrosoft.com; ncerc.org["https://nmcunhasteamworkspace.myclickfunnels.com/secured-sharepoint-document"]2025
Adobe Drive X85da47ec-2977-40ab-af03-f3d45aaab1695fddfbb7-41a3-4bbe-b98c-29827d092e19["https://fancy-bush-61e9sydgsyi29s.jennifer-may.workers.dev/"]2025
Adobe5037c1a6-7cfc-48b5-b887-f2a0459370810648fcb2-de2a-4a11-bd97-872c9b1a452bdamiongosamemorialfo.onmicrosoft.com; dgm-f.org["https://workspacesteamworkspace.myclickfunnels.com/office365--4c3dc"]2025
Adobe Drive14b2864e-3cff-4d33-b5cd-7f14ca272ea45fddfbb7-41a3-4bbe-b98c-29827d092e19["https://li.tistateronic.ru/OqgX/"]2025
MyMail Settingsb7cb9a9b-ddc9-4444-935b-1122733c97c42c08ab0d-eed9-4034-bfb7-765c52eceef92019
0365 Accessfc5d3843-d0e8-4c3f-b0ee-6d407f6677512c08ab0d-eed9-4034-bfb7-765c52eceef92019
ОпeDrive for Business3280b1dc-4b64-4f90-a16a-b0804e6ec4caa4afdac5-f28f-4161-87c4-b5f7625bc048epsilonservices.onmicrosoft.com2019
Sharеpoiпt Cloud482fb03a-5218-43c2-8ce6-61956c7ca99b0c05c65c-d311-4821-aa22-46b8abec59d5generalimports.onmicrosoft.com2019
OneDгive for Businessc7121e86-fe4d-4dbd-b5f3-e61a62ee533aa4afdac5-f28f-4161-87c4-b5f7625bc048epsilonservices.onmicrosoft.com2019
Мicгoѕоft. Сloud App Ѕесuгity626b6813-13dc-45d7-abfe-a7fe09fd52760c05c65c-d311-4821-aa22-46b8abec59d5generalimports.onmicrosoft.com2019
ОneDгive for Business443efa1c-8a0a-47a0-bd31-7c30fe32dee40c05c65c-d311-4821-aa22-46b8abec59d5generalimports.onmicrosoft.com2019
ShaгePoint Onlinea43a3d51-c821-4b86-9a63-fbc775120fc2eac37962-c0fa-45a7-99cc-ba9d1c921e18bld.group; creiamc.com; creicapital.com; ekistruct.com; greenpole-ps.com; ieng-group.com; ieng.group; ienggroup.onmicrosoft.com; kkodd.co; noknok-inc.co; noknok.co; noknokgroceries.com; twothirtythree.co2019
ShaгеPoint Cloud0bd8e698-4298-405a-bc6b-da5647a4616ba4afdac5-f28f-4161-87c4-b5f7625bc048epsilonservices.onmicrosoft.com2019
ShaгePoint Online768a57a0-1c5e-477a-939a-63aebf2e5ecfcbe2bfff-e8d1-464d-bb32-a952e68be197aquaphalts.com; dustdevilbaseball.com; experienccolumbiasc.com; killlpack.com; ledconsultinglc.com; mediabrushmarketings.com; michaelselectrics.com; summitcountysco.com; wgarnett.com; wgarnettassociates.onmicrosoft.com2019
ShaгePoint Online4e4d64ac-4a2a-432c-b79e-65ca8213ede544383e2a-62c5-4d54-ae60-8cdbba60e3b72019