Not mentioned in the blog - to grant Oauth access to read all mailboxes (as happened here), you need to be the tenant admin. There's not a vuln being used here, as Microsoft would have mentioned it for sure - so somebody made a pretty big config error in production to allow a test tenant app to be used to grant *checks notes* reading of any mailbox.