While investigating a data leakage incident a security analyst reviews access control to cloud -hosted data. The following information was presented in a security posture report:

Policy to control external application integration: Admin authorized only

-47 active integration to third-party applications

-2 applications authorized by admin

-45 applications authorized by users

-32 OAuth apps authorize to access data

Based on the report, which of the following was the MOST likely attack vector used against the company?

1. Spyware
2. Logic bomb
3. Potentially unwanted programs
4. Supply chain