A vulnerability within Microsoft’s OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.