A report by the Microsoft 365 Defender Research Team analyzed how attackers penetrated a Microsoft 365 tenant to compromise an unprotected admin account. They then created an Azure AD registered app, assigned it some permissions, and used the app to run Exchange Online PowerShell to create an inbound connector and some mail flow rules. The attackers then used the compromised tenant to send spam email and lure unwitting victims into disclosing their credit card details. You don't need expensive add-on software to stop these attacks. Use MFA, run PowerShell to check app permission assignments, and use the Office 365 audit log to check for surprising events. All basic management, and all explained here: 

https://practical365.com/oauth-app-security-incident/