Cleaning at once or doing it in batches?

I have tried both methods but I would choose batch cleaning. I usually set an hour or so per day to clean a space or organize something in the house. This helps me not to stretch too much and it also saves time for my weekends. What do you prefer and why?

reddit.com
u/Traditional_Vast5978 — 7 days ago

OAuth consent phishing bypasses every detection layer that assumes phishing requires credentials

Email arrives requesting app permission, user clicks through the real Microsoft consent UI, attacker gets persistent API access to the mailbox without credentials or a session token. MFA is completely irrelevant because no authentication event occurs after consent is granted.

Nothing in the email itself is malicious. The sender can be legitimate, the link goes to a real Microsoft domain, the consent screen is genuine UI. The only signal is the application name and the permissions it is requesting, neither of which most monitoring setups are alerting on in real time. Revocation requires finding the application in enterprise app registrations, which is not somewhere most analysts are looking regularly.

u/Traditional_Vast5978 — 12 days ago
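The signal named in the post above (application name and requested permissions at consent time) can be alerted on from directory audit events. The following is an added example, not part of the original post: the record shape, the app names and ids, the allowlist and the high-risk scope list are constructed assumptions, while "Consent to application" is the audit activity name for a consent grant.

```python
# Added example: triage of consent-grant audit events (constructed data).
# Delegated Graph scopes treated as high risk; the list is an assumed policy choice.
HIGH_RISK = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
             "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}

# Constructed events in a simplified, assumed shape (not a real export schema).
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "app_name": "Doc Viewer Pro", "app_id": "app-0001", "verified": False,
     "scopes": "openid profile Mail.Read offline_access"},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app_name": "Approved CRM Sync", "app_id": "app-0002", "verified": True,
     "scopes": "Mail.ReadWrite offline_access"},
    {"activity": "Consent to application", "user": "carol@example.com",
     "app_name": "Team Calendar", "app_id": "app-0003", "verified": True,
     "scopes": "openid profile User.Read"},
    {"activity": "Update user", "user": "dave@example.com"},
    {"activity": "Consent to application", "user": "erin@example.com",
     "app_name": "File Helper", "app_id": "app-0004", "verified": True,
     "scopes": "Files.ReadWrite.All"},
]

def assess_consent(event, allowlist=frozenset()):
    """Return an alert dict for a risky consent grant, else None."""
    if event.get("activity") != "Consent to application":
        return None  # not a consent event
    if event.get("app_id") in allowlist:
        return None  # app already reviewed and approved
    scopes = set(event.get("scopes", "").split())
    risky = sorted(scopes & HIGH_RISK)
    if not risky:
        return None  # sign-in/profile scopes only
    reasons = ["high-risk scopes: " + ", ".join(risky)]
    if "offline_access" in scopes:
        reasons.append("offline_access: refresh tokens give long-lived access")
    if not event.get("verified", False):
        reasons.append("publisher not verified")
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"user": event["user"], "app_name": event["app_name"],
            "app_id": event["app_id"], "severity": severity, "reasons": reasons}

def triage(events, allowlist=frozenset()):
    """Assess every event and return only the alerts."""
    alerts = (assess_consent(e, allowlist) for e in events)
    return [a for a in alerts if a]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, allowlist={"app-0002"}):
        print(alert["severity"], alert["user"], alert["app_name"], alert["reasons"])
```

Each alert carries the application id, which is the value an analyst needs to locate and revoke the grant.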
▲ 10 r/ciso

AppSec ROI conversation with the board has gotten harder since we adopted AI coding tools

The old framing was simple enough. Vulnerabilities caught before production, breach cost avoidance, remediation time saved. Board could follow that.

Now the org ships significantly more code with AI assistance and the AppSec program has to cover that volume at the same headcount. The board is starting to ask whether their AI productivity investment is creating risk they are not measuring, and I don't have a clean answer for that yet.

u/Traditional_Vast5978 — 16 days ago
▲ 4 r/it

Trying to get up to speed on what experienced practitioners run for email security on top of O365

Coming from a background where I inherited whatever was already deployed and never went through a real evaluation from scratch. New role means I have to run one properly and my mental model of this market is probably two years out of date.

From what I can tell, the market has split between legacy SEGs like Proofpoint and Mimecast that sit in mail flow and API-native platforms like Abnormal that integrate directly with M365 without touching MX records at all. The detection approaches seem fundamentally different too, but I am getting most of this from vendor materials, which is obviously not the most reliable place to learn what is true.

Would appreciate knowing what well-run orgs are deploying right now and what people would do differently starting fresh today.

u/Traditional_Vast5978 — 20 days ago