@CyberDefenders Process trees do lie.
Beware of parent process spoofing.
If the process tree is anomalous, good. If it is not, you should not rely solely on the process tree, especially if you have other indicators that led you to investigate the occurrence in the first place.
@cyb3rops SSO + hardened conditional access policy for those apps + MFA local to the security solutions if it is supported .. + local break glass account
Then completely fine and very likely more secure
@TimMedin Quite similar as the one who abuse Adobe pdf online, onedrive and tons of other legit service etc. Almost always pass through the email gateway without issue.. This +evil proxy like mitm is very efficient.