{
	"id": "5444ca9e-f6fc-48f5-b417-7dbf6737bffd",
	"created_at": "2026-04-06T00:21:59.233221Z",
	"updated_at": "2026-04-10T03:21:07.364087Z",
	"deleted_at": null,
	"sha1_hash": "21835f83174325de107a46f53750a40434a72a17",
	"title": "Malicious Azure Application PERFECTDATA SOFTWARE and Microsoft 365 Business Email Compromise - Syne's Cyber Corner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1120532,
	"plain_text": "Malicious Azure Application PERFECTDATA SOFTWARE and\r\nMicrosoft 365 Business Email Compromise - Syne's Cyber Corner\r\nBy syne0\r\nPublished: 2023-07-10 · Archived: 2026-04-02 10:36:27 UTC\r\nEdit 04/13/25: The newest version of the software behind this application has changed. Now, the application’s\r\nname within a tenant will be Mail_Backup. The app id is now 2ef68ccc-8a4d-42ff-ae88-2d7bb89ad139. Most of\r\nthe information contained in this article is still accurate. Please view this post for up-to-date IOCs and permissions\r\nfor this app.\r\nIf you have found your way to this page, you likely discovered a suspicious application consent within your Azure\r\nAD tenant for an app called PERFECTDATA SOFTWARE. Concerned, you googled the application (and perhaps\r\neven its Application ID ff8d92dc-3d82-41d6-bcbd-b9174d163620) looking for information. As of the time of\r\nwriting, two other results on Google involve this software and BEC. If you haven’t, I encourage you to read this\r\ndarktrace.com article, which goes further in-depth into a Microsoft 365 business email compromise (BEC).\r\nUnfortunately, Darktrace was unable to conclusively determine the purpose of the application consent. Luckily, I\r\nhave been able to find the application and examine its behavior.\r\nThe TL;DR\r\nFirst, if you are seeing this application in your tenant and it’s not approved, I have some bad news. This\r\napplication is used to take a backup of the entire mailbox from the cloud and export it to PST. Assume that\r\neverything within the mailbox is lost, and any useful information will be used for future fraud or sold on the dark\r\nnet. Oh, and if it was an administrative user compromised? It could potentially be every mailbox within the\r\norganization.\r\nI’m sorry if I just ruined your day.\r\nApplications Within Azure\r\nhttps://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/\r\nPage 1 of 7\n\nAn application can integrate with Microsoft 365 and Azure to do many things. The majority of applications that\r\nintegrate with Azure do so for OAuth purposes so that you can sign into them with your Microsoft 365 credentials.\r\nOther applications integrate with Azure to provide you with a service, such as adding appointments created in a\r\nthird-party app to your Microsoft 365 calendar. For those applications to access your Microsoft 365 account and\r\nits data, they must be granted the necessary permissions.\r\nPerfectdata Software is an application that integrates with Microsoft 365/Azure to provide a service, as detailed\r\nbelow.\r\nThe Hunt\r\nTo begin, I will show you how I went from seeing this application within a tenant to learning what it does.\r\nThis is what you will see when viewing the application. Now, going to the website listed as the homepage URL\r\ntakes you to a company that does data recovery and email conversion.\r\nHmm… not quite what I’m looking for.\r\nNext, I decided to use one of my favorite OSINT tools: Google. I searched for site:perfectdatasoftware[.]com and\r\noh boy, I got a lot of results. I’ll eventually do a deep dive into this company, but to keep on track I found that\r\nperfectdatasoftware[.]com has many subdomains that redirect to other companies. This is the one that caught my\r\neye, and it ended up being my lucky break.\r\nLet’s try this. I downloaded and installed the application, and upon opening it, was prompted to choose my cloud\r\nemail provider and enter my credentials.\r\nAfter entering my email, I am provided with the modern Microsoft 365 login. I enter my password, click sign in,\r\nand am presented with an application permission request.\r\nJackpot. After clicking accept, I am told to wait while it analyses my account. Finally, I am shown my Microsoft\r\n365 folder, and the option to export it to PST. Since it’s a PST, it grabs calendar events and contacts on top of\r\nemails and attachments.\r\nAnd just like that, I can exfiltrate the mailbox offsite.\r\nAfter testing, I was able to confirm that the application ID inside my test tenant matched the application ID I had\r\nseen in the BECs utilizing this application.\r\nA Deeper Dive\r\nAs I have shown, when you see this application within your Microsoft 365 environment you should assume that\r\nthe entire contents of the mailbox have been exfiltrated. Quite the privacy breach, no? Now, there’s still some\r\ngood news. My testing has shown me that this tool cannot be used to back up mailboxes that the user has\r\ndelegated access to. Some tools do that (so you should run access reports on delegated mailboxes that the\r\ncompromised user has access to), but this is not one of them.\r\nNow, remember what I said about administrative users? Well, this tool will allow an administrative account to\r\nback up as many mailboxes as a person wants.\r\nThe provided documentation says that MFA must be disabled, the account must have application impersonation\r\nrights, and it needs delegate access to all mailboxes it wants to back up. I was able to get an admin account with\r\nMFA to back up mailboxes, as well as an administrative account that only had application impersonation rights.\r\nIf your tenant has access to the MailItemsAccessed record for the account in question, you may see that record\r\nwith the service principal ID of the application. This isn’t always the case, and since that record is less than\r\nhelpful you should always assume all the email has been stolen.\r\nWhat Now?\r\nWhat you do now depends on your experience, the data involved, the scope of the issue, and any legal or\r\ncompliance requirements and legislation that apply to you.\r\nFirst, do not delete this application from your tenant. You can go to the application within Azure, go to its\r\npermissions, and click review permissions. If you designate the application as malicious, Microsoft will provide\r\nsome handy PowerShell scripts for dealing with the application. It’s important to disable the application but leave\r\nit in the tenant, as that will prevent anyone from being able to use it in the future.\r\nIf you believe that an administrative account was compromised, it’s important to search through audit logs for any\r\nactivity. Microsoft offers some guidance on dealing with an email compromise, which includes limited details\r\nabout administrative account compromises. I personally use either the HAWK forensics tool or my own\r\nPowerShell module Osprey when investigating BEC, and it gathers helpful information about the tenant as part of\r\nits initial tenant investigation. Unfortunately, those two options might not be enough. If you are an SMB dealing\r\nwith this problem, then you should consider contracting third-party forensics.\r\nYou should also understand your requirements around compliance legislation. In Canada, any suspected privacy\r\nbreach needs to be reported to the Privacy Commissioner. If there is a risk of harm related to any stolen personal\r\ndata, those affected must be notified of the breach. Other countries have similar legislation, but it’s up to C-suite\r\nand Legal to determine next steps for those matters.\r\nFinally, this is your sign to make some security improvements to your tenant. Azure AD/Entra ID Premium P1 or\r\nP2 are great, so choose licensing that includes one of those. You should also turn on administrator consent requests\r\nfor risky applications. This prevents end users from granting an app access to more than it should have and allows\r\nyou to review applications that have been added.\r\nNo matter the technical controls you put in place, alerting is very important. The most recent time I responded to a\r\nBEC including this application was because I received an alert for it. There are plenty of tools for both SMB and\r\nEnterprise that have alerting for cloud email systems.\r\nThe Actual TL;DR\r\nHaving this application within your tenant is not a good sign. It allows a threat actor to exfiltrate the entire\r\nmailbox as a PST. If the threat actor has access to an administrative account, they can exfiltrate every single\r\nmailbox within the organization. This data includes all emails, attachments, calendar events, and contacts. The\r\nimpact of this activity depends on the scope, what data was in the mailbox, and your compliance requirements.\r\nLimiting end user consent to applications can help prevent malicious application consents from affecting your\r\ntenant in the future.\r\nNeed Help?\r\nIf you read this article and have now come to the conclusion that you are experiencing an email compromise, it’s\r\nnormal to feel scared or uncertain, especially if you’ve never dealt with something as serious as this before. I have\r\nprovided a guide for investigating an email compromise, so give it a look if you need. I can also be reached via\r\nLinkedIn, Email, or Discord to answer questions.\r\nUnrelated Final Notes\r\nIf you like what I do and found this post helpful, please consider buying me a coffee on Ko-fi so I can continue to\r\ndo more things like this.\r\nThis is the first blog entry/article I have written, so if you have any feedback I would appreciate it. I will update\r\nthis article whenever I discover new information.\r\nThank you for reading my post!\r\nSource: https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/"
	],
	"report_names": [
		"malicious-azure-application-perfectdata-software-and-office365-business-email-compromise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21835f83174325de107a46f53750a40434a72a17.pdf",
		"text": "https://archive.orkl.eu/21835f83174325de107a46f53750a40434a72a17.txt",
		"img": "https://archive.orkl.eu/21835f83174325de107a46f53750a40434a72a17.jpg"
	}
}