That “Accept” Button Is a Breach: Canadian Microsoft 365 Lockdown

Canadian SMBs keep losing to “phishing” because we keep defining the attack wrong. It’s not just a fake login page anymore. It’s an app, a token, and a permission grant that looks official – until it drains your inbox, your SharePoint, and your bank account.

Here’s our blunt opinion at 010grp: if you can’t answer “which apps can read mail in our Microsoft 365 tenant?” you don’t have cloud security. You have wishful thinking. Attackers love wishful thinking.

The hidden breach surface: OAuth and app permissions

Microsoft 365 and most modern SaaS tools run on a shared-responsibility model. Microsoft secures the platform. You control identity, configuration, and what third-party apps can do with your data. When a user clicks “Accept” on a consent prompt, they may be handing an attacker long-lived access that outlasts the moment your MFA “worked.” If you want the scary real-world version, read One “Allow” Click and Your Microsoft 365 Is Owned.

Most consent attacks succeed because cloud comfort is real. Leaders hear “we’re in Microsoft 365” and assume Microsoft handles security. That’s the same myth we dismantle in Your Cloud Isn’t Secure by Default (And Attackers Know It). Attackers don’t need a zero-day when they can get an employee to authorize an app that asks for Mail.Read and Files.Read. Your tenant stays “healthy” while your data quietly walks out, and you won’t notice.

Myth-buster: “We have MFA, so we’re safe”

MFA is necessary. It is not a forcefield. Push fatigue, adversary-in-the-middle kits, and token theft are why CISA keeps pushing phishing-resistant MFA. In practice, the companies that survive aren’t the ones with the most tools – they’re the ones with the tightest identity controls and the fastest containment.

The Canadian app-permissions lockdown: 9 steps you can run this month

  1. Inventory every app with access. Export your Enterprise Applications and App Registrations. Flag anything you don’t recognize, anything with broad scopes, and anything requesting offline access.
  2. Turn down user consent. In Microsoft Entra ID, restrict when users can grant permissions and require admin approval for risky access. Microsoft documents the settings in Configure how users consent to applications.
  3. Enable an admin consent workflow. Blocking everything breaks the business. Routing requests to a reviewer protects the business. Do this before you “tighten the screws.”
  4. Make privileged accounts boring. Separate admin accounts, reduce admin sprawl, and use privileged access management for just-in-time elevation and auditability.
  5. Upgrade authentication where it matters. Finance, executives, and admins should move to passkeys or hardware-backed sign-in. Use Stop Using Passwords: Your 30-Day Passkey Plan as your rollout blueprint.
  6. Kill legacy sign-in paths. Legacy authentication and app passwords are a gift to automated attackers. Turn them off, then prove they’re off.
  7. Watch for the “quiet persistence” moves. Alert on new consent grants, new service principals, permission changes, mailbox forwarding, and suspicious inbox rules. This is where most SMBs are blind.
  8. Practice the breach drill. When a malicious app is discovered, your first move is not “reset passwords.” It’s revoke sessions, remove the app, investigate what it touched, and preserve evidence. For the first 72 hours, follow Breached? Do This in 72 Hours or Pay Twice.
  9. Back up cloud data like it’s your job. Email and SharePoint are business records. Independent backups and tested restores reduce ransom leverage. Start with Your Backups Alone Won’t Save You From Ransomware.
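Steps 1, 7 and 8 above are the ones most teams never actually script, so here is an added example of what they look like in practice. This is not 010grp’s code or a Microsoft sample; it uses the Microsoft Graph PowerShell SDK cmdlets (Get-MgServicePrincipal, Get-MgOauth2PermissionGrant, Get-MgAuditLogDirectoryAudit, Revoke-MgUserSignInSession, Remove-MgOauth2PermissionGrant, Remove-MgServicePrincipal). The list of “risky” scopes, the seven-day window, the output file names and the Remove-MaliciousApp function name are assumptions you should adapt to your tenant.

```powershell
# Added example (not the article's or 010grp's code): inventory app consents in a
# Microsoft 365 tenant, flag the grants that matter for consent phishing, pull recent
# consent events from the audit log, and define a containment routine for step 8.
# Assumes the Microsoft Graph PowerShell SDK is installed. The inventory part needs
# only read scopes (Global Reader is enough); the containment function needs the
# write scopes named in its comment.

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All','AuditLog.Read.All' -NoWelcome

# Delegated scopes that let an app read or move data out of the tenant, change mailbox
# settings (forwarding), or keep access after the browser closes (offline_access means a
# refresh token is issued). This list is an assumption; extend it for your environment.
$RiskyScopes = @('Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite',
                 'Files.Read.All','Files.ReadWrite.All','Sites.Read.All','Sites.ReadWrite.All',
                 'offline_access')

# Well-known Microsoft service tenants; an app owned by any other tenant is "third-party".
$MicrosoftTenants = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a','72f988bf-86f1-41af-91ab-2d7cd011db47')
$HomeTenant = (Get-MgContext).TenantId

# Step 1: every service principal (Enterprise Application) in the tenant, keyed by object id.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AppOwnerOrganizationId,ServicePrincipalType |
    ForEach-Object { $spById[$_.Id] = $_ }

# Step 1, continued: delegated grants. One row per (app, resource, consenting principal).
$findings = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $sp = $spById[$g.ClientId]
    if (-not $sp) { continue }   # grant whose client principal we could not resolve
    $scopes   = $g.Scope -split ' ' | Where-Object { $_ }
    $hits     = $scopes | Where-Object { $RiskyScopes -contains $_ }
    $external = $sp.AppOwnerOrganizationId -and
                $sp.AppOwnerOrganizationId -ne $HomeTenant -and
                $MicrosoftTenants -notcontains $sp.AppOwnerOrganizationId
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        ThirdParty  = [bool]$external
        ConsentType = $g.ConsentType     # 'AllPrincipals' = admin consent, 'Principal' = one user
        ConsentedBy = $g.PrincipalId     # user object id for user consent, empty for admin consent
        RiskyScopes = ($hits -join ' ')
        AllScopes   = $g.Scope
        GrantId     = $g.Id
    }
}

# What to review first: third-party apps holding risky scopes, user-consented ones grouped together.
$findings |
    Where-Object { $_.ThirdParty -and $_.RiskyScopes } |
    Sort-Object ConsentType, App |
    Format-Table App, ConsentType, RiskyScopes -AutoSize

# Keep the full inventory: it is evidence today and the baseline for next month's diff.
$findings | Export-Csv -Path ".\consent-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Step 7: consent grants recorded in the Entra audit log over the last 7 days (assumed window).
# A grant nobody in IT recognizes is the trigger for the step-8 drill.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
                  @{n='User'; e={ $_.InitiatedBy.User.UserPrincipalName }},
                  @{n='App';  e={ ($_.TargetResources | Select-Object -First 1).DisplayName }},
                  Result |
    Format-Table -AutoSize

# Step 8: containment for one confirmed-malicious app. Order matters: preserve evidence,
# revoke the consenting users' refresh tokens, remove the grants, then remove the app.
# Requires a session with DelegatedPermissionGrant.ReadWrite.All, Application.ReadWrite.All
# and User.ReadWrite.All. Function name is an assumption; invoke it only after investigation.
function Remove-MaliciousApp {
    param([Parameter(Mandatory)][string]$AppId)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }
    $grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'"
    $grants | Export-Csv -Path ".\evidence-$AppId.csv" -NoTypeInformation     # evidence first
    foreach ($g in $grants) {
        # Revoking sign-in sessions invalidates the user's refresh tokens, which is what the
        # app has been using to stay logged in; a password reset alone does not remove the app.
        if ($g.PrincipalId) { Revoke-MgUserSignInSession -UserId $g.PrincipalId | Out-Null }
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    }
    Remove-MgServicePrincipal -ServicePrincipalId $sp.Id   # also drops its app-role assignments
}
```

Run the inventory part monthly and diff the CSV against the previous one; new rows with ThirdParty set and a non-empty RiskyScopes column are your review queue. Remove-MaliciousApp is deliberately not called in the script: it is the step-8 move, run by name against an app id only once the investigation has confirmed what the app touched and the evidence export is safely stored.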

Canada-specific reality: response and reporting are part of security

If personal information is involved, your incident response isn’t just technical – it’s legal and reputational. The Office of the Privacy Commissioner explains when organizations must report under PIPEDA and how to document breaches (mandatory breach reporting guidance). Québec organizations also need to consider Law 25 requirements. This is why the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls for SMBs and the National Cyber Threat Assessment 2025-2026 keep emphasizing preparedness, not panic.

Where 010grp fits

If this sounds like a lot, good. Attackers are organized, automated, and patient. Our job is to make your environment boring to them. 010grp builds the identity-first stack – identity and access management, MFA hardening, consent governance, and security awareness training that teaches the exact consent trick, not generic “don’t click.” We also align the program to your business continuity and recovery objectives so a bad day doesn’t become a bankruptcy event.

Want a straight answer on your app-permissions exposure? Start with our cyber protection services overview, then reach out via contact us. We’ll tell you what’s urgent, what’s noise, and what to fix first.