Using cazadora - SethBodine/audit-tools GitHub Wiki

Using cazadora

cazadora is a hunting script for detecting suspicious Microsoft 365 OAuth applications in a tenant. It enumerates all registered apps and service principals via the Microsoft Graph API and runs a set of hunting rules derived from real-world OAuth attack tradecraft observed by the Huntress team. It flags applications that match known suspicious patterns for human review.

  • Hunts for suspicious OAuth apps registered in an M365 tenant
  • Detects apps matching common attack patterns: odd names, identity-matching names, test apps, suspicious reply URLs
  • Uses device code or Azure SDK authentication (no stored credentials required)
  • Outputs colour-coded results by confidence level
  • Based on threat intel from observed OAuth TTPs in production tenants

Note: cazadora cannot definitively determine whether an app is malicious. Results should be treated as leads for further human investigation, not conclusive findings.

Prepare the Environment

cazadora runs in a Python virtual environment.

cd /opt/cazadora/
. cazadora.sh          # activates the venv environment

Gather Data

Authenticate via Device Code (default)

python3 main.py --auth-mode device_code

Navigate to https://microsoft.com/devicelogin, enter the code shown, and authenticate with an account that has Graph API query permissions. When prompted "Are you trying to sign into Microsoft Office?" select Continue.

Warning: Never enter a device code from an untrusted source.

Authenticate via Azure SDK (interactive browser)

python3 main.py --auth-mode azure_sdk

Save Results to File

python3 main.py --auth-mode device_code --output /output/cazadora-results.json

What cazadora Looks For

  • Apps with only non-alphanumeric characters in the name (e.g. ...)
  • Apps named after a tenant identity, especially where the identity is also the assigned user
  • Apps named test, test app, or similar
  • Apps with a reply URL matching http://localhost:<port>/access
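As an added illustration of these four rules (example code, not cazadora's own), the following Python applies them to constructed Graph-style app records. The `assignedUser` field, the sample identities and the confidence labels are assumptions for the example, not Graph properties or cazadora's output.

```python
import re

TEST_NAMES = {"test", "test app", "testapp", "test-app"}
LOCALHOST_ACCESS = re.compile(r"^http://localhost:\d+/access/?$")

def hunt(app, tenant_identities):
    """Return (rule, confidence) hits for one app record.
    `app` carries the Graph fields displayName/replyUrls plus a constructed
    `assignedUser`; `tenant_identities` is a set of lower-cased UPNs/names."""
    hits = []
    name = (app.get("displayName") or "").strip()
    lname = name.lower()
    # Rule 1: name made only of non-alphanumeric characters (e.g. "...").
    if name and not any(ch.isalnum() for ch in name):
        hits.append(("non-alphanumeric name", "high"))
    # Rule 2: name matches a tenant identity; stronger when it is also the assigned user.
    if lname in tenant_identities:
        assigned = (app.get("assignedUser") or "").lower()
        hits.append(("identity-matching name", "high" if assigned == lname else "medium"))
    # Rule 3: generic test-style names.
    if lname in TEST_NAMES or lname.startswith("test "):
        hits.append(("test app name", "low"))
    # Rule 4: a reply URL of the form http://localhost:<port>/access.
    for url in app.get("replyUrls") or []:
        if LOCALHOST_ACCESS.match(url.strip()):
            hits.append(("localhost /access reply URL", "high"))
            break
    return hits

def hunt_all(apps, tenant_identities):
    """Map displayName -> hits for every app that triggered at least one rule."""
    ids = {i.lower() for i in tenant_identities}
    return {a["displayName"]: h for a in apps if (h := hunt(a, ids))}

# Constructed sample records (not real tenant data).
SAMPLE_IDENTITIES = {"jane.doe@contoso.example", "Bob Smith"}
SAMPLE_APPS = [
    {"displayName": "...", "replyUrls": [], "assignedUser": None},
    {"displayName": "jane.doe@contoso.example", "replyUrls": [], "assignedUser": "jane.doe@contoso.example"},
    {"displayName": "Bob Smith", "replyUrls": [], "assignedUser": "ops.admin@contoso.example"},
    {"displayName": "test app", "replyUrls": ["https://app.contoso.example/cb"], "assignedUser": None},
    {"displayName": "Expense Sync", "replyUrls": ["http://localhost:8000/access"], "assignedUser": None},
    {"displayName": "Payroll Connector", "replyUrls": ["https://payroll.contoso.example/auth"], "assignedUser": None},
]

if __name__ == "__main__":
    for app_name, app_hits in hunt_all(SAMPLE_APPS, SAMPLE_IDENTITIES).items():
        print(app_name, app_hits)
```

Every hit is a lead for human review, as the note above says; a benign internal app can legitimately trip the test-name or identity-name rule.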

Known Issues

TBC

Additional Information