meadowlark-oauth-consent — rogue OAuth consent abuse
The Meadowlark Foundation is a national nonprofit. An attacker phished the Development Director into granting OAuth consent to a rogue app “DonorSync Plus”; it harvested 23 donor mailboxes and 320 SharePoint donor records over five days before Defender flagged anomalous Graph API throughput. Fully synthetic.
what this proves
- all eight cloud-account-compromise primary engines produce deterministic, fixture-locked output — verified by `npm run check:flagship` (728/728 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — export audit logs, never upload tenant data.
- OAuth consent grant, overprivileged scopes, MailItemsAccessed volume, SharePoint file access, and Defender alert surface without sending evidence to a server.
primary engines locked to this fixture
- 01 office365-audit-log-analyzer
- 02 microsoft365-audit-log-analyzer
- 03 o365-audit-log-parser
- 04 azure-activity-log-analyzer
- 05 saas-overprivileged-oauth-scope-detector
- 06 microsoft-defender-cloud-apps-alert-forensic-analyzer
- 07 fatcousin-saas-audit-export-correlator
- 08 microsoft-account-activity-export-forensic-analyzer
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes the unified audit log, Entra sign-in + audit exports, OAuth grants, mailbox/SharePoint access csvs, and Defender alert json.
built deterministically from scripts/fixtures/build-meadowlark-oauth-consent.mjs. seed: meadowlark-oauth-consent:v1.
methodology
OAuth consent abuse is tenant-level account takeover (ATO), not a single-mailbox compromise — pull the UAL first, then Entra audit, OAuth grants, sign-ins, and Defender alerts. MFA on the grantor does not protect post-consent Graph access: once consent is given, the app holds its own tokens and no longer needs the user's session. read the full cloud account compromise (M365 / Workspace) guide →
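The triage order above (consent grant first, then the access volume that follows it) is the kind of check the "what this proves" list describes: a consent grant with overprivileged scopes, then MailItemsAccessed volume and SharePoint file access attributed to the same app id. The script below is an added example written for this page; it is not code from the fatcousin engines or from the fixture builder. It parses a JSON-lines UAL-style export and joins consent grants to per-app access counts. The record layout (`Scopes`, `ClientAppId`, `ApplicationId` as flat fields), the `HIGH_RISK_SCOPES` set, the thresholds, and the sample rows are all constructed assumptions; a real export nests scopes under `ModifiedProperties`, so adapt the field access to the tenant's actual schema.

```python
"""Join OAuth consent grants to post-consent Graph access volume in a UAL-style export."""
import json
from collections import defaultdict

# Assumption: scopes that let an app read mailboxes or SharePoint content on a user's behalf.
# Tune to the tenant's own baseline; this set is illustrative, not a vendor list.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All"}


def parse_export(lines):
    """Parse a JSON-lines export; a malformed row is skipped rather than aborting triage."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def flag_consents(records):
    """Return {app_id: finding} for every 'Consent to application.' record carrying a high-risk scope."""
    findings = {}
    for r in records:
        if r.get("Operation") != "Consent to application.":
            continue
        risky = set(r.get("Scopes", "").split()) & HIGH_RISK_SCOPES
        if risky:
            findings[r["AppId"]] = {"app": r["ObjectId"], "granted_by": r["UserId"],
                                    "when": r["CreationTime"], "risky_scopes": sorted(risky)}
    return findings


def access_by_app(records):
    """Count distinct mailboxes, mail items, and SharePoint files touched, keyed by app id."""
    stats = defaultdict(lambda: {"mailboxes": set(), "mail_items": 0, "files": 0})
    for r in records:
        op = r.get("Operation")
        if op == "MailItemsAccessed":
            s = stats[r["ClientAppId"]]
            s["mailboxes"].add(r["MailboxOwnerUPN"])
            s["mail_items"] += 1
        elif op == "FileAccessed":
            stats[r["ApplicationId"]]["files"] += 1
    return stats


def triage(records, mailbox_threshold=2, item_threshold=50):
    """One finding per risky consent, with the access volume that followed and an exfil verdict."""
    consents = flag_consents(records)
    usage = access_by_app(records)
    report = []
    for app_id, c in consents.items():
        u = usage.get(app_id, {"mailboxes": set(), "mail_items": 0, "files": 0})
        exfil = len(u["mailboxes"]) >= mailbox_threshold or u["mail_items"] >= item_threshold
        report.append({**c, "app_id": app_id, "mailboxes_touched": len(u["mailboxes"]),
                       "mail_items": u["mail_items"], "files": u["files"], "likely_exfil": exfil})
    return report


# Constructed sample records (simplified layout, not a real tenant export).
def _mail(owner, app, n):
    return [{"CreationTime": "2024-03-05T02:00:00", "Workload": "Exchange",
             "Operation": "MailItemsAccessed", "MailboxOwnerUPN": owner, "ClientAppId": app}
            for _ in range(n)]


_SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T09:12:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "devdirector@meadowlark.example",
     "ObjectId": "DonorSync Plus", "AppId": "app-rogue-0001",
     "Scopes": "offline_access Mail.Read Files.Read.All Sites.Read.All"},
    {"CreationTime": "2024-03-01T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "devdirector@meadowlark.example",
     "ObjectId": "Teams", "AppId": "app-teams", "Scopes": "User.Read"},
] + _mail("alice@meadowlark.example", "app-rogue-0001", 40) \
  + _mail("bob@meadowlark.example", "app-rogue-0001", 35) \
  + _mail("carol@meadowlark.example", "app-rogue-0001", 20) \
  + _mail("devdirector@meadowlark.example", "app-teams", 2) \
  + [{"CreationTime": "2024-03-06T03:00:00", "Workload": "SharePoint", "Operation": "FileAccessed",
      "ApplicationId": "app-rogue-0001", "ObjectId": f"donors/record-{i}.xlsx"} for i in range(12)]

SAMPLE_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS] + ["<<truncated row, not json>>"]

if __name__ == "__main__":
    for finding in triage(parse_export(SAMPLE_LINES)):
        print(json.dumps(finding, indent=2))
```

The join on app id is the point: the consent record alone says only that an app got broad scopes, and the MailItemsAccessed records alone look like ordinary mailbox reads. Only when the same app id shows up in both, across several mailboxes the grantor does not own, does the grant become the root cause rather than one more line in the Entra audit.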
after the playbook
once the UAL, Entra, grant, and Defender outputs are saved locally, feed every csv/json to fatcousin-multi-tool-super-timeline-correlator. the consent grant, mail access, and file exfil land on one tenant timeline — still zero upload.