This is the danger. As someone who spends a lot of time working with M365, and with clients trying to manage those environments, apps are one area that scares me a little. This is one reason: as people get so used to apps being available and pushed out by their M365 admins, they stop being suspicious.
“These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user’s Office 365 account indefinitely until removed, and will survive even after an account password reset.”
Read the link from Krebs on Security below to learn more, and if you work in an organization using M365 and taking advantage of a robust app platform, consider again how you are both managing what apps users have access to, and how you are tracking that.
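One way to get a handle on the "tracking" side is to audit the OAuth consent grants that already exist in the tenant, since a user-consented grant is exactly what lets one of these apps sit in a mailbox after MFA and past a password reset. The script below is an added example, not code from this post or from Krebs on Security; it assumes the Microsoft Graph PowerShell SDK is installed, and the list of scopes it treats as high impact is my own choice to adjust to your risk model.

```powershell
# Added example: list delegated OAuth consent grants in a Microsoft 365 tenant
# and flag the ones carrying high-impact scopes (mail, files, contacts,
# refresh tokens). Assumes the Microsoft.Graph module and a signed-in account
# that can read directory objects and permission grants.

# Scopes treated as high impact in this example (an assumption, tune to taste).
$HighImpactScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
                      'Files.ReadWrite.All', 'Contacts.Read', 'offline_access')

Connect-MgGraph -Scopes 'Directory.Read.All', 'DelegatedPermissionGrant.Read.All'

# Cache service principal names so each app/resource is looked up only once.
$spCache = @{}
function Get-SpName([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
        $spCache[$Id] = if ($sp) { "$($sp.DisplayName) (publisher: $($sp.PublisherName))" } else { $Id }
    }
    return $spCache[$Id]
}

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    $risky  = $scopes | Where-Object { $HighImpactScopes -contains $_ }
    if (-not $risky) { continue }

    # ConsentType 'Principal' = an individual user consented (the pattern Krebs describes);
    # 'AllPrincipals' = an admin consented on behalf of the whole tenant.
    $who = if ($grant.ConsentType -eq 'Principal') {
        (Get-MgUser -UserId $grant.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName
    } else { 'ALL USERS (admin consent)' }

    [pscustomobject]@{
        App         = Get-SpName $grant.ClientId
        Resource    = Get-SpName $grant.ResourceId
        ConsentedBy = $who
        RiskyScopes = ($risky -join ', ')
        GrantId     = $grant.Id
    }
}

$findings | Sort-Object App | Format-Table -AutoSize
# Anything nobody recognises is worth a conversation with the user; a grant can be
# revoked with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>.
```

Run it on a schedule and diff the output against the previous run, so a new user-consented grant with mail or file scopes shows up the day it appears rather than months later.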