Top M365 Security Misconfigurations (and How to Avoid Them)

Almost 80% of businesses rely on Microsoft 365 (M365) for business productivity, but its widespread adoption makes it a primary target for cyber threats such as Account Takeover (ATO) and Business Email Compromise (BEC). These attacks can result in data breaches, financial losses and operational disruption (read more in our blog here). 

Many organisations mistakenly believe M365 is secure by default. However, insecure default settings, misconfigurations, and unmonitored access leave businesses vulnerable to cyber criminals. This guide outlines best practices, highlights key security gaps, and explains how to use Microsoft Secure Score to bolster defences.  

  

Common M365 Security Misconfigurations  

Assessments of M365 environments show that organisations frequently leave their tenants exposed through misconfiguration. Some of the most critical security gaps include:  

  

1. Assumed Default Security 

Many businesses assume M365 is secure “out of the box”, but default settings prioritise usability over security: a new tenant has no Conditional Access policies, relies on Security Defaults (if they have not been switched off) for MFA, lets users consent to third-party apps and lets any user create groups.  

Where neither Security Defaults nor Conditional Access enforce MFA, an attacker who obtains a password (by phishing or password spraying) can sign in unchallenged. 

 

2. Weak Access Controls 

Global Admin Overuse: every standing Global Administrator is a full-tenant takeover waiting on one phished password, so the more there are, the larger the impact of a single breach. Microsoft recommends fewer than five, and they should be dedicated cloud-only accounts protected by phishing-resistant MFA.  

Uncontrolled Group & Team Creation: by default any user can create Microsoft 365 Groups (and with them Teams and SharePoint sites), and group owners can then invite guests, so external access sprawls with no central review. 

 

3. Legacy Authentication Still Enabled 

Basic (legacy) authentication protocols such as IMAP, POP3, SMTP AUTH and basic-auth Exchange ActiveSync send only a username and password and cannot complete an MFA challenge, so a phished or sprayed password is enough to read the mailbox. Microsoft has retired basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per mailbox and third-party services may still use it.  

Block legacy authentication with a Conditional Access policy that targets legacy authentication clients (run it in report-only mode first to find the scanners, scripts and old mail clients that still depend on it), then move those clients to modern authentication. 

 

4. Unrestricted Third-Party Application Access 

By default, users can register applications and consent to third-party apps that request access to their own data. An attacker lures a user into approving a malicious OAuth app (an “illicit consent grant”), and the app then reads mail and files through the Graph API on a token that keeps working after a password reset, because the consent grant persists until it is revoked. 
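The following is an added example, not code from the original post or from e2e-assure. It audits and hardens the tenant defaults behind gaps 2 and 4 above with the Microsoft Graph PowerShell SDK: it counts standing Global Administrators, turns off user app registration, restricts user consent to low-impact permissions from verified publishers, lists the consent grants users have already given to apps with mail or file scopes, and limits Microsoft 365 Group creation to one group. The group name `M365-Group-Creators` is an assumed placeholder; the role template and policy identifiers are Microsoft's built-in values.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK v2 and a
# Global Administrator session. 'M365-Group-Creators' is an assumed placeholder group name.
$scopes = 'Policy.ReadWrite.Authorization','RoleManagement.Read.Directory','Directory.ReadWrite.All',
          'DelegatedPermissionGrant.Read.All','Application.Read.All','Group.ReadWrite.All'
Connect-MgGraph -Scopes $scopes

# --- 1. Standing Global Administrators: Microsoft's guidance is fewer than five. ---
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'     # built-in Global Administrator role template ID
$gaRole       = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers    = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
# Only permanently active assignments are listed; PIM-eligible admins do not appear, which is the goal of PIM.
"Active Global Administrators: $($gaMembers.Count)"
$gaMembers | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Name = $_.AdditionalProperties['displayName']; UPN = $_.AdditionalProperties['userPrincipalName'] }
} | Format-Table -AutoSize

# --- 2. Tenant-wide defaults for app registration and user consent ---
$authz = Get-MgPolicyAuthorizationPolicy
"Users can register apps : $($authz.DefaultUserRolePermissions.AllowedToCreateApps)"
"User consent policy     : $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
# '...microsoft-user-default-legacy' means users may consent to any app. Restrict to low-impact
# permissions from verified publishers; everything else goes through the admin consent workflow.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        allowedToCreateApps             = $false
        permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}

# --- 3. What have users already consented to? Mail/Files scopes on unverified apps are the BEC pattern. ---
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' -and $_.Scope -match '\b(Mail|Files|MailboxSettings|Contacts)\.' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App       = $sp.DisplayName
            Publisher = $sp.PublisherName
            Verified  = [bool]$sp.VerifiedPublisher.DisplayName
            Scope     = $_.Scope.Trim()
            UserId    = $_.PrincipalId
        }
    } | Format-Table -AutoSize

# --- 4. Restrict Microsoft 365 Group (and therefore Teams/SharePoint site) creation to one group ---
$template = Get-MgGroupSettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$creators = Get-MgGroup -Filter "displayName eq 'M365-Group-Creators'"
$values   = @(
    @{ name = 'EnableGroupCreation';         value = 'false' }
    @{ name = 'GroupCreationAllowedGroupId'; value = $creators.Id }
)
$existing = Get-MgGroupSetting | Where-Object { $_.TemplateId -eq $template.Id }
if ($existing) {
    Update-MgGroupSetting -GroupSettingId $existing.Id -BodyParameter @{ values = $values }
} else {
    New-MgGroupSetting -BodyParameter @{ templateId = $template.Id; values = $values }
}
```

Two caveats: the Group.Unified setting governs Microsoft 365 Groups only, not security groups, and section 3 lists grants rather than revoking them, because a grant to a legitimate line-of-business app looks identical to a malicious one until someone checks the publisher and the scopes.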

 

5. Lack of Audit Logging & Retention 

Insufficient logging and short retention hinder forensic investigations: once the audit log has rolled over, you cannot establish which mailboxes were read or what was exfiltrated.  

ICO regulatory fines often depend on an organisation’s ability to prove the scope of an attack, which is impossible without the logs. 

 

6. Inadequate Phishing & Email Security 

Business Email Compromise (BEC) is rising by 20% year-on-year.  

Once inside a mailbox, attackers create inbox rules that forward mail externally and delete or hide the replies, so the victim never sees the conversation the attacker is conducting in their name.  

 

Best Practice Security Settings for M365

 

Strengthen Identity & Access Management 

  • Enforce Multi-Factor Authentication (MFA) for every account, including guests and service accounts where possible. 
  • Require phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) for administrators: push- and code-based MFA can be relayed by adversary-in-the-middle phishing kits.  
  • Block legacy authentication to prevent MFA bypass attacks. 

 

Implement Privileged Identity Management (PIM)  

  • Use Just-in-Time (JIT) access to grant temporary admin privileges when needed, and make Global Administrator eligible rather than permanently active.  
  • Require approval, justification and MFA for privilege activation, and alert on activations outside business hours.
      

 

Apply Conditional Access Policies  

  • Block high-risk sign-ins (Identity Protection risk levels) and sign-ins from anonymous VPN, proxy and Tor exit IPs or from countries you do not operate in.  
  • Require an Intune-compliant or hybrid-joined device for access to company data.  
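The following is an added example, not code from the original post or from e2e-assure. It implements the identity controls above (block legacy authentication, block high-risk sign-ins, require a compliant device, phishing-resistant MFA for Global Administrators) as Conditional Access policies via the Microsoft Graph PowerShell SDK, after first reporting who has used legacy protocols in the last 30 days. It assumes Entra ID P1 (P2 for the sign-in risk policy) and an emergency-access group named `CA-Exclude-BreakGlass` (an assumed placeholder). Every policy is created in report-only mode; the sign-in report and the report-only results are what you review before enforcing.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK, Entra ID P1/P2
# and an existing emergency-access group 'CA-Exclude-BreakGlass' (assumed placeholder name).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','AuditLog.Read.All','Group.Read.All'
$breakGlassGroup = (Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'").Id

# --- 1. Who still signs in with legacy protocols? Blocking blind breaks scanners, scripts and old clients. ---
$legacyClients = 'Exchange ActiveSync','IMAP4','POP3','Authenticated SMTP','Exchange Web Services','Other clients'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and clientAppUsed eq '$client'" -All |
        Select-Object UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, CreatedDateTime
}
$legacySignIns | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# --- 2. Conditional Access policies in report-only mode; set state to 'enabled' once the report is clean. ---
$allUsersExceptBreakGlass = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
$allApps = @{ includeApplications = @('All') }
$policies = @(
    @{  # Basic-auth clients cannot satisfy MFA, so they are blocked outright.
        displayName   = 'CA001 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{ clientAppTypes = @('exchangeActiveSync','other'); applications = $allApps; users = $allUsersExceptBreakGlass }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    @{  # Identity Protection (P2): block high-risk sign-ins instead of merely prompting for MFA.
        displayName   = 'CA002 - Block high-risk sign-ins'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{ clientAppTypes = @('all'); signInRiskLevels = @('high'); applications = $allApps; users = $allUsersExceptBreakGlass }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    @{  # Device posture: only Intune-compliant or hybrid-joined devices may reach company data.
        displayName   = 'CA003 - Require compliant or hybrid-joined device'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{ clientAppTypes = @('all'); applications = $allApps; users = $allUsersExceptBreakGlass }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice','domainJoinedDevice') }
    }
    @{  # Global Administrators must use the built-in 'Phishing-resistant MFA' authentication strength.
        displayName   = 'CA004 - Phishing-resistant MFA for Global Administrators'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('all'); applications = $allApps
            users = @{ includeRoles = @('62e90394-69f5-4237-9190-012177145e10'); excludeGroups = @($breakGlassGroup) }
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' } }
    }
)
foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

The break-glass exclusion is not optional: a policy that requires a compliant device or a FIDO2 key for every account, with no excluded emergency account, locks the tenant's own administrators out the first time Intune or the key enrolment fails. Keep the excluded accounts to a minimum, give them long random passwords stored offline, and alert on any sign-in by them.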

 

Secure Collaboration in SharePoint & Teams 

 

1. Restrict Guest & External Sharing  

Disable anonymous “Anyone” links; restrict guest sharing to an allow-list of trusted partner domains and make internal, view-only links the default.  

Enforce sensitivity labels & encryption on critical files.  
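The following is an added example, not code from the original post or from e2e-assure. It shows the weak and hardened tenant-level sharing settings side by side using the SharePoint Online Management Shell: the first command records the current posture, the second applies the restrictions above. The admin URL and partner domains are assumed placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint Administrator session. Tenant and partner domain names are assumed placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Before: record the current posture. 'ExternalUserAndGuestSharing' means anonymous 'Anyone' links are allowed.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
                              SharingDomainRestrictionMode, SharingAllowedDomainList, RequireAnonymousLinksExpireInDays

# After: authenticated guests only, from an allow-list of partner domains, with internal view-only links by default.
$hardened = @{
    SharingCapability            = 'ExternalUserSharingOnly'      # guests must sign in; 'Anyone' links disabled
    DefaultSharingLinkType       = 'Internal'                     # new links default to people in the organisation
    DefaultLinkPermission        = 'View'                         # and to read-only
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'partner-one.example partner-two.example'   # space-separated
}
Set-SPOTenant @hardened

# Sites cannot be more permissive than the tenant, but list the ones that were, so their owners can be told why links stopped working.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability
```

Existing anonymous links stop resolving as soon as the tenant capability changes, so announce the change before applying it; the last command gives you the list of site owners to warn.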

  

2. Monitor Teams Activity  

Guests are subject to your Conditional Access policies, so require MFA for them as well, and review external access (federation) settings so that only known partner organisations can message your users.  

Audit file access & message deletions to detect insider threats.  

  

Lock Down Email Security to Prevent BEC 

 

1. Configure Microsoft Defender for Office 365  

Enable Safe Links, Safe Attachments and anti-phishing impersonation protection (the features formerly marketed as Advanced Threat Protection); the Standard or Strict preset security policies apply Microsoft’s recommended baseline in one step.  

Block automatic forwarding to external domains in the outbound spam filter policy, and alert on newly created forwarding rules.  

  

2. Detect Malicious Inbox Rules  

Attackers use rules to delete or hide the security warnings and replies that would expose them, to forward copies of mail externally, and to mark messages as read so the victim notices nothing.  

Regularly review inbox rules across all mailboxes (including hidden rules) for external forwarding, deletion, moves to obscure folders such as RSS Feeds, and near-empty names like “.”.  
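The following is an added example, not code from the original post or from e2e-assure. It uses Exchange Online PowerShell to apply the two email controls above: it turns off external auto-forwarding at the tenant level, lists mailbox-level forwarding, and then classifies every inbox rule in the tenant against the patterns attackers use (external forward/redirect, delete, move to an obscure folder, bait words in the subject filter, near-empty rule name). The classifier is a plain function, so it is exercised first on a constructed sample rule that mimics a typical BEC rule; the folder list, bait words and the sample addresses are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module and an
# Exchange Administrator session. The sample rule at the bottom is constructed, not a real tenant's rule.
Connect-ExchangeOnline

# --- 1. Tenant-level: stop client-side and mailbox-level auto-forwarding to external recipients. ---
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# --- 2. Mailbox-level forwarding (set by admins, or by attackers who obtained admin rights). ---
Get-Mailbox -ResultSize Unlimited -Filter "ForwardingSmtpAddress -ne `$null -or ForwardingAddress -ne `$null" |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# --- 3. Inbox rules: classify each rule against the patterns attackers use. ---
$hidingFolders = 'RSS Feeds','RSS Subscriptions','Conversation History','Archive','Junk Email','Deleted Items'   # assumed list
$baitWords     = 'invoice','payment','wire','bank','password','phish','hacked','suspicious','fraud','security','mfa'

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)]$Rule, [Parameter(Mandatory)][string[]]$InternalDomains)
    $reasons = @()
    # Forward/redirect targets look like 'Name [SMTP:user@domain]' or a bare address; pull out the addresses.
    $targets = @($Rule.ForwardTo) + @($Rule.RedirectTo) + @($Rule.ForwardAsAttachmentTo) |
        Where-Object { $_ } |
        ForEach-Object { [regex]::Matches("$_", '[\w.+-]+@[\w.-]+') } |
        ForEach-Object { $_.Value }
    foreach ($t in $targets) {
        if ($InternalDomains -notcontains ($t -split '@')[1]) { $reasons += "forwards to external $t" }
    }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    if ($Rule.MoveToFolder -and ($hidingFolders | Where-Object { "$($Rule.MoveToFolder)" -like "*$_*" })) {
        $reasons += "hides mail in '$($Rule.MoveToFolder)'"
    }
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    $hits  = $words | Where-Object { $w = $_; $baitWords | Where-Object { "$w" -like "*$_*" } }
    if ($hits) { $reasons += "matches bait words: $($hits -join ', ')" }
    if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name -match '^[\s.\-_]*$') { $reasons += 'near-empty name' }
    if ($reasons) {
        [pscustomobject]@{ Mailbox = $Rule.MailboxOwnerId; Rule = $Rule.Name; Enabled = $Rule.Enabled; Reasons = $reasons -join '; ' }
    }
}

# Constructed sample rule (assumed addresses) to exercise the classifier before running it live.
$sampleRule = [pscustomobject]@{
    MailboxOwnerId = 'finance@contoso.example'; Name = '.'; Enabled = $true
    ForwardTo = @('attacker [SMTP:drop@mail.example]'); RedirectTo = $null; ForwardAsAttachmentTo = $null
    DeleteMessage = $false; MoveToFolder = 'finance@contoso.example:\RSS Feeds'
    SubjectContainsWords = @('invoice','payment'); BodyContainsWords = $null; SubjectOrBodyContainsWords = $null
}
Test-SuspiciousInboxRule -Rule $sampleRule -InternalDomains @('contoso.example') | Format-List

# Live scan of every user mailbox. -IncludeHidden matters: rules created through MAPI clients can be hidden.
$internalDomains = (Get-AcceptedDomain).DomainName
$findings = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -IncludeHidden |
        ForEach-Object { Test-SuspiciousInboxRule -Rule $_ -InternalDomains $internalDomains }
}
$findings | Format-Table -AutoSize
```

Expect some false positives from users who genuinely file vendor invoices into a folder; the value of the scan is in the combination of signals, so sort by the number of reasons and triage the rules that forward externally or delete first. Remove a malicious rule with `Remove-InboxRule`, then reset the password and revoke sessions, in that order, or the attacker simply recreates it.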

  

Audit and Retain Security Logs 

 

1. Enable Unified Audit Logging (UAL)  

Track sign-ins, file access, mailbox operations and admin actions. Auditing is on by default in current tenants, but verify it, and check which record types your licence actually captures (mailbox read events, for example, have historically required Audit (Premium)). 

 

2. Increase log retention policies  

Retain logs for at least 180 days, and ideally a year: attackers commonly sit in a mailbox for weeks before acting. The unified audit log keeps 180 days by default, but Entra ID sign-in logs are kept for only 30 days (7 without a P1/P2 licence), so export them to Log Analytics or a SIEM.  
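The following is an added example, not code from the original post or from e2e-assure. It covers the two audit steps above with Exchange Online and Security & Compliance PowerShell: it confirms unified audit logging is enabled, pulls the last 30 days of the events most useful for ATO/BEC triage (inbox rule changes, mailbox changes, delegate permissions, OAuth consents) and flattens each record's `AuditData` JSON into one readable row, then creates a 12-month retention policy. The parser runs first on a constructed sample record; the 12-month policy requires an Audit (Premium) / E5 licence.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module; Connect-ExchangeOnline
# for audit search, Connect-IPPSSession for the retention policy. The sample record below is constructed.
Connect-ExchangeOnline

# --- 1. Is the unified audit log actually switched on? ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # can take hours before events appear
}

# --- 2. Flatten one Search-UnifiedAuditLog row into who / what / from where / with which parameters. ---
function ConvertFrom-AuditRecord {
    param([Parameter(Mandatory)]$Record)
    $d = $Record.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in @($d.Parameters)) { if ($p) { $params[$p.Name] = $p.Value } }   # Exchange cmdlet parameters
    $interesting = 'Name','ForwardTo','RedirectTo','ForwardAsAttachmentTo','DeleteMessage','MoveToFolder',
                   'ForwardingSmtpAddress','AccessRights','User','Identity'
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        Detail    = ($params.GetEnumerator() | Where-Object { $_.Key -in $interesting } |
                     ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}

# Constructed sample record (assumed values) showing what a New-InboxRule event looks like once flattened.
$sampleJson = @'
{"CreationTime":"2025-01-15T08:12:33","Operation":"New-InboxRule","UserId":"finance@contoso.example",
 "ClientIP":"203.0.113.5","ResultStatus":"True",
 "Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
'@
ConvertFrom-AuditRecord -Record ([pscustomobject]@{ AuditData = $sampleJson }) | Format-List

# --- 3. The events that matter most for ATO/BEC triage, last 30 days (5000-row cap per call; page with -SessionId for more). ---
$ops = 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox','Add-MailboxPermission','Consent to application.'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations $ops -ResultSize 5000 |
    ForEach-Object { ConvertFrom-AuditRecord -Record $_ } |
    Sort-Object When | Format-Table -AutoSize

# --- 4. Keep Exchange and Entra events for twelve months (Audit Premium / E5 required). ---
Connect-IPPSSession
New-UnifiedAuditLogRetentionPolicy -Name 'Keep Exchange and Entra events 12 months' `
    -RecordTypes ExchangeAdmin,ExchangeItem,AzureActiveDirectory,AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths -Priority 10
```

Run step 3 on a schedule and feed the output to your SIEM rather than reading it by hand: a `New-InboxRule` event from an IP address in a country the user has never signed in from, minutes after a successful sign-in with an unfamiliar user agent, is the sequence that catches most mailbox takeovers before the first fraudulent invoice goes out.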

 

You can find more examples of ways to secure your environment within our blog, 10 Top Tips for Securing M365. 

  

In Summary…

Securing Microsoft 365 against Account Takeover and Business Email Compromise is not just about implementing security tools—it requires proactive configuration, continuous monitoring, and enforcing best practices.  

You can learn more about how e2e-assure can help evaluate your current M365 set-up here. Alternatively, if you’d like to explore our service offerings you may be interested in Modern Workplace Protection here. 
