Image highlighting API-driven email integrations in workflows.
(Reading time: 4 - 7 minutes)
fab fa-facebook-f

Every mailbox in Microsoft 365 or Google Workspace is now a hub with dozens of API connections quietly attached to it — CRMs, marketing tools, scheduling apps, AI assistants. Each one asks for permission once and then talks to your inbox forever. That convenience is exactly why this layer has become one of the least examined parts of the modern attack surface.

Why the API layer is the weak link nobody budgeted for

Here's the uncomfortable part: most of these integrations were approved years ago, by someone who's since changed roles, for a tool the business barely uses anymore. Nobody revokes access. Nobody re-checks the scopes. The token just sits there, quietly able to read, send, and delete mail, long after anyone remembers granting it. API vulnerability image

This is where legacy application debt and email security collide. A CRM plugin built on an outdated API version, a scheduling tool that never rotated its client secret, an internal script someone wrote in 2021 and forgot about — these are the soft spots attackers go looking for, precisely because nobody is watching them. Closing that gap isn't just a security exercise; it's an architecture problem. Organizations that treat their connected app portfolio as a living system — auditing what's plugged into the mailbox, retiring what's obsolete, rebuilding what's brittle — end up with a fundamentally smaller attack surface than those still running on integrations frozen in time. That's part of why application modernization services increasingly show up in cyber-resilience conversations rather than pure cost-cutting ones: an API built on current standards is easier to scope, easier to monitor, and a lot harder to quietly abuse.

What attackers are actually doing with API access

Forget the image of someone guessing your password at 3 a.m. That's not where the interesting attacks happen anymore. The real activity is happening one layer up, in the permission structure itself.

OAuth token abuse

OAuth was supposed to solve the password-sharing problem, and mostly it did. But it introduced a new one: consent phishing. How SaaS Phishing OAuth Attacks Work

A user gets a link, clicks "Allow," and grants a malicious app read/send/full-mailbox access — no password stolen, no MFA prompt triggered, because from Microsoft's or Google's perspective, this was a legitimate authorization. The token keeps working even after a password reset. It survives until someone manually revokes it in the admin console, and most admins have no idea it's there to revoke. 

Webhook exploitation

Webhooks push data out of the mailbox in real time — new message arrives, webhook fires, downstream system reacts. Attackers target the receiving endpoint itself: intercept it, spoof it, or flood it with junk to mask a genuine exfiltration event buried in the noise. A webhook with no signature verification and no IP allowlisting is basically an open door with a "please knock first" sign taped to it that nobody enforces.

Over-permissioned third-party apps

Ask yourself honestly: how many of your connected apps request Mail.ReadWrite when they only ever read subject lines? Developers ask for broad scopes because it's easier than maintaining granular permission sets across API versions. Once that app is compromised — through its own vulnerability, not yours — the attacker inherits everything it was ever allowed to touch.

Typical entry points worth mapping in your own environment:

  • Dormant OAuth grants from decommissioned SaaS tools still holding active refresh tokens
  • Marketing or sales platforms with mailbox-wide send permissions instead of scoped folder access
  • Internal automation scripts using service accounts with no expiration policy
  • Webhook endpoints without payload signing or replay protection
  • Shadow IT integrations approved by individual users, bypassing admin consent workflows

Anyone who's read up on AI-driven email security threats has probably noticed the pattern: automation is increasingly used to enumerate which of these tokens are still live, at scale, across thousands of tenants, before a human attacker ever gets involved.

What defenders are actually testing right now

The good news is the defensive side isn't sitting still. A few approaches are moving from "interesting research" to "actually deployed."

Least-privilege API scopes

Instead of granting Mail.ReadWrite because it's the path of least resistance during setup, mature security teams are pushing vendors toward granular, resource-specific scopes — access to a single shared mailbox, a single folder, read-only where write was never needed. Microsoft's Graph API and Google's newer Workspace APIs both support this level of granularity now. The friction is organizational, not technical: someone has to actually audit what each integration needs versus what it was given.

Continuous token auditing

A one-time security review at onboarding is worthless six months later. Continuous auditing treats every OAuth grant as a living object — checking last-used timestamps, flagging tokens inactive for 90+ days, cross-referencing granted scopes against actual API call patterns. If a marketing tool that's supposed to only read calendar availability suddenly starts calling Mail.Send, that's a signal worth an automatic alert, not a quarterly report nobody reads.

Behavioral anomaly detection in email flows

This is where things get genuinely interesting. Rather than inspecting individual messages for known-bad indicators, newer detection models baseline normal API-driven mail behavior for each integration — send volume, recipient patterns, time-of-day activity — and flag deviations. An integration that normally sends 40 emails a day suddenly pushing 4,000 at 2 a.m. gets caught by behavior, not by any signature matching a known threat.

None of these approaches work in isolation, by the way. Least-privilege scoping without continuous auditing just means you granted narrow permissions once and stopped checking whether they're still appropriate.

Governance still beats tooling

Sounds logical enough, right? And yet plenty of organizations still skip the boring part. Buy the anomaly detection platform, skip the actual governance work, and you've built an expensive smoke detector in a house with no fire extinguisher. integration protection image

A workable baseline looks something like this:

  1. Inventory every app with mailbox API access — not the ones IT remembers, the ones the tenant admin center actually shows
  2. Map each integration's granted scopes against its documented business function
  3. Set expiration and re-consent cycles for every OAuth grant, no exceptions for "trusted" vendors
  4. Require signed, IP-restricted webhook endpoints for anything touching mail data
  5. Run a cyber risk assessment specifically scoped to API integrations, not just the perimeter

That last point matters more than it sounds. Most risk assessments still center on phishing simulations and endpoint hygiene — useful, but blind to a compromised token sitting quietly in the API layer. The same logic applies to strategies for identifying and defeating BEC scams: a business email compromise increasingly starts not with a spoofed sender, but with a legitimate, authorized integration that's been quietly hijacked and is now sending "legitimate" mail on the organization's own behalf.

The bottom line

API-driven integrations aren't going away — they're the plumbing modern workflows run on, and ripping them out isn't realistic for any business past a certain size. What's realistic is treating that plumbing like the attack surface it actually is: scoped tightly, audited continuously, and built on infrastructure current enough to support both. Legacy systems and legacy assumptions about "set it and forget it" access are, at this point, the same problem wearing two names.

Worth asking your own team this week: does anyone actually know every app with write access to your mailbox right now? If the honest answer is "not really," that's the starting point — not the anomaly detection platform, not yet.

Subscribe to our Behind the Shield Newsletter

For all the best internet best security trends, email threats and open source security news.

Subscribe to our Behind the Shield Newsletter