I don't understand why this issue was not communicated to Microsoft. They could've just revoked access for this oauth application until the issue was fixed.
Although there are probably thousands of similar bad implementations out there that are connected to Microsoft via oauth.
Every oauth application needs to be registered individually, together with a client secret or certificate. In Microsoft's case, via the Azure portal. That registration can (technically) be revoked by the oauth provider.
I have no idea if Microsoft would react to such a report, and what's the correct channel to submit it. But bug reports or abuse reports they usually take seriously.
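To make the provider-side mechanism the comment above refers to concrete, here is a small model of an OAuth provider's client registry and token endpoint. It is an added example, not code from the thread or from Microsoft: the `ClientRegistry` class, its method names and the error strings are my own, with only the `invalid_client` error code taken from RFC 6749 section 5.2. It shows that an app's client_id/secret pair is provider-side state, so once the provider marks the registration revoked, the app's token requests fail at the token endpoint regardless of what the app's own code does.

```python
import hashlib
import hmac
import secrets
import time


class ClientRegistry:
    """Provider-side registry of OAuth client applications (illustrative, not a real provider's API)."""

    def __init__(self):
        # client_id -> {"secret_hash": bytes, "revoked": bool}
        self._clients = {}

    def register(self, client_id: str) -> str:
        """Register an application and return its freshly generated client secret.

        The secret is high-entropy and machine-generated, so a plain SHA-256 digest
        is an adequate at-rest form here (assumption: no slow KDF is needed for
        random 256-bit secrets, unlike user-chosen passwords).
        """
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "secret_hash": hashlib.sha256(client_secret.encode()).digest(),
            "revoked": False,
        }
        return client_secret

    def revoke(self, client_id: str) -> bool:
        """Revoke an application's registration; returns False if it is unknown."""
        entry = self._clients.get(client_id)
        if entry is None:
            return False
        entry["revoked"] = True
        return True

    def is_revoked(self, client_id: str) -> bool:
        entry = self._clients.get(client_id)
        return entry is not None and entry["revoked"]

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        """Constant-time check of the presented secret against the stored digest.

        A revoked registration fails authentication even if the secret still matches,
        which is exactly the lever a provider has against a misbehaving app.
        """
        entry = self._clients.get(client_id)
        if entry is None or entry["revoked"]:
            return False
        presented = hashlib.sha256(client_secret.encode()).digest()
        return hmac.compare_digest(presented, entry["secret_hash"])

    def token_endpoint(self, client_id: str, client_secret: str, grant_type: str) -> dict:
        """Minimal token endpoint: client_credentials grant only.

        Error shapes follow RFC 6749 section 5.2; the token format is an assumption.
        """
        if not self._authenticate(client_id, client_secret):
            # Same error for unknown, wrong-secret and revoked clients, so a caller
            # cannot probe which client_ids exist or are revoked.
            return {"error": "invalid_client"}
        if grant_type != "client_credentials":
            return {"error": "unsupported_grant_type"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "issued_at": int(time.time()),
        }


def demo() -> list:
    """Walk through register -> token -> revoke -> token; returns the sequence of outcomes."""
    registry = ClientRegistry()
    secret = registry.register("app-123")  # constructed client_id
    before = registry.token_endpoint("app-123", secret, "client_credentials")
    wrong = registry.token_endpoint("app-123", "not-the-secret", "client_credentials")
    registry.revoke("app-123")
    after = registry.token_endpoint("app-123", secret, "client_credentials")
    return [
        "access_token" in before,
        wrong.get("error"),
        registry.is_revoked("app-123"),
        after.get("error"),
    ]


if __name__ == "__main__":
    print(demo())  # [True, 'invalid_client', True, 'invalid_client']
```

The point of the `demo` sequence is the last step: the app still holds a valid-looking secret, but the provider's registry is the source of truth, so revocation takes effect at the next token request without the app's cooperation.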