Hi Murali, Akshyalakshmi (ITN)
This detection generates alerts for non-Microsoft OAuth apps with metadata, such as name, URL, or publisher, which had previously been observed in apps associated with a phishing campaign. These apps might be part of the same campaign and might be involved in exfiltration of sensitive information. https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#app-metadata-associated-with-known-phishing-campaign.
This alert is not from data coming from your customer's tenant, but it is a trend that has been seen across many tenants. This alert provides a proactive notification to the customer, so they can review the application to identify any abnormal activity or determine if the app has high privileges.
Since this data is collected among many tenants, there is not too much data to share here. The recommendation is to make sure that the application does not have high privilege permissions in the Entra portal.
If the application does have high permissions, re-evaluate whether the application really does need that high privilege permission. If it is determined that it is not needed, then remove the permissions from the application.
Refer to:
- App metadata associated with known phishing campaign
- Investigate app governance threat detection alerts - Microsoft Defender for Cloud Apps | Microsoft Learn
If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.
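The permission review the answer recommends can be scripted instead of clicked through in the Entra portal. The following is an added example, not code from the answer above or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every delegated permission (OAuth2 permission grant) and application permission (app role assignment) held by the service principal named in the alert, and flags those on a high-privilege watchlist. The app name parameter and the watchlist contents are assumptions for illustration; the script is read-only, and any removal is still done deliberately in the portal after the review.

```powershell
# Added example (not from the original answer): review an OAuth app's granted
# permissions in Entra with the Microsoft Graph PowerShell SDK and flag
# high-privilege ones. Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
# Assumptions: the app display name from the alert is unique in the tenant, and
# the watchlist below is the reviewer's own, not a Microsoft-published list.

param(
    [Parameter(Mandatory = $true)]
    [string]$AppDisplayName   # name shown in the Defender alert (assumed unique)
)

# Read-only scopes are enough for a review; nothing here modifies the tenant.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Constructed watchlist of permissions a reviewer would treat as high privilege.
# Extend it to your own standard; these entries are illustrative.
$HighPrivilege = @(
    "Mail.ReadWrite", "Mail.Read", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All", "Application.ReadWrite.All"
)

# Escape single quotes for the OData filter, then resolve the service principal.
$escapedName = $AppDisplayName.Replace("'", "''")
$sp = Get-MgServicePrincipal -Filter "displayName eq '$escapedName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant." }
if ($sp.Count -gt 1) { throw "Several service principals match; narrow by AppId instead." }

$findings = @()

# 1) Delegated permissions: OAuth2 permission grants consented by users or admins.
foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Type        = 'Delegated'
            Resource    = $resource.DisplayName
            Permission  = $scope
            ConsentType = $grant.ConsentType      # AllPrincipals = admin consent on behalf of all users
            HighPriv    = $HighPrivilege -contains $scope
            GrantId     = $grant.Id
        }
    }
}

# 2) Application permissions: app role assignments the app holds on resource APIs.
foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    # Map the assigned role id back to its permission name on the resource API.
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    $findings += [pscustomobject]@{
        Type        = 'Application'
        Resource    = $resource.DisplayName
        Permission  = $role.Value
        ConsentType = 'AdminOnly'                 # application permissions always require admin consent
        HighPriv    = $HighPrivilege -contains $role.Value
        GrantId     = $assignment.Id
    }
}

"App: $($sp.DisplayName)  AppId: $($sp.AppId)  Publisher: $($sp.PublisherName)"
$findings | Sort-Object HighPriv -Descending |
    Format-Table Type, Resource, Permission, ConsentType, HighPriv -AutoSize

$flagged = @($findings | Where-Object HighPriv)
if ($flagged.Count -gt 0) {
    "`n$($flagged.Count) high-privilege permission(s) found; re-evaluate whether the app needs them."
} else {
    "`nNo permissions from the watchlist were found."
}
```

Run it as `.\Review-OAuthApp.ps1 -AppDisplayName "<name from the alert>"` with an account that can read applications and the directory. Application permissions with admin consent and delegated grants of type AllPrincipals deserve the closest look, since they apply tenant-wide rather than to a single consenting user; the GrantId column identifies the exact grant to remove in the portal if the permission turns out to be unnecessary.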