by finaliteration
2007 days ago
> if the org-admins have approved the OAuth application and are able to send mail from within the organisation - then it's probably game over anyway

In my case the email came through due to a “bad” DMARC configuration, so they were able to spoof our domain from an external server, and the OAuth app in question had our company’s name on it. And on a personal front, I was busy that morning and didn’t pay enough attention to the permissions being requested by the app before I clicked “allow”. So it was a failure of both systems and people controls.

My new rule is that if I get an email asking me to do any sort of action, automated or not, I’m going to sit on it for 1-24 hours before doing anything about it. If it’s actually urgent then someone will get ahold of me through some other method than email.
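The comment attributes the spoofed mail to a “bad” DMARC configuration. As an added example (not code from the commenter), the script below parses a domain's `_dmarc` TXT record and reports the settings that would let a message failing SPF/DKIM alignment through: a missing record, `p=none`, a `pct` below 100, a weaker `sp=` for subdomains, and no `rua=` address for aggregate reports. The sample records are constructed; `example.com` and the `dmarc@` mailbox are placeholders, and there is no DNS lookup so it runs offline.

```python
"""Assess a DMARC policy record for settings that leave domain spoofing unenforced.

Added example, not code from the comment author. Tag semantics follow RFC 7489;
the records in main() are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Relative strength of the three receiver actions a record can request.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    policy: str            # effective p= for the organisational domain
    subdomain_policy: str  # effective sp= (defaults to p=)
    pct: int               # share of failing mail the policy is applied to
    reporting: bool        # whether an rua= mailto: address is present
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing ';' and malformed fragments
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return the effective policy plus a list of spoofing-relevant weaknesses."""
    if record is None:
        return DmarcAssessment("none", "none", 0, False, [
            "no _dmarc record published: receivers apply no policy, so a message "
            "spoofing the domain is delivered as if it were genuine"])

    tags = parse_dmarc(record)
    findings: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not begin with v=DMARC1; receivers ignore it")

    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        findings.append("p= tag missing or invalid; receivers fall back to p=none")
        policy = "none"

    sub = tags.get("sp", policy).lower()
    if sub not in STRENGTH:
        findings.append("sp= tag invalid; subdomains inherit p=")
        sub = policy

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unparsable

    reporting = tags.get("rua", "").lower().startswith("mailto:")

    if policy == "none":
        findings.append("p=none is monitor-only: mail failing SPF/DKIM alignment "
                        "is still delivered to the inbox")
    if STRENGTH[sub] < STRENGTH[policy]:
        findings.append(f"sp={sub} is weaker than p={policy}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if not reporting:
        findings.append("no rua= address: aggregate reports of spoofing attempts are not collected")

    return DmarcAssessment(policy, sub, pct, reporting, findings)


if __name__ == "__main__":
    # Constructed samples: a monitor-only record, a fully enforced one, and none at all.
    samples = {
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "enforced":     "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
        "partial":      "v=DMARC1; p=reject; sp=none; pct=50",
        "missing":      None,
    }
    for label, rec in samples.items():
        a = assess_dmarc(rec)
        print(f"{label}: p={a.policy} sp={a.subdomain_policy} pct={a.pct}")
        for f in a.findings:
            print("  -", f)
```

In practice the record comes from a TXT query for `_dmarc.<domain>`; an empty findings list means receivers that honour DMARC will reject spoofed mail from the organisational domain and its subdomains, which is the setting the commenter's organisation lacked.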