
How Business Email Compromise Works in Microsoft 365

Most Microsoft 365 security incidents do not start with a traditional breach. They start with a legitimate login. 

An attacker gains access to a real user account and operates inside the tenant using native tools. Because the activity looks normal, it avoids detection. That pattern is known as business email compromise. It is now one of the most costly attack types organizations face. 

The challenge is that compromise can happen even when MFA is enabled. It often continues long after a password reset.

Why Are Microsoft 365 Accounts Being Compromised More Often?

Nathan Taylor breaks down the full life cycle of Microsoft 365 account compromise on this episode of the Demystifying Microsoft podcast, covering real attack patterns across active environments. 

Microsoft 365 is not targeted because it is insecure. It is targeted because email, identity, collaboration, and file storage all sit behind a single cloud identity. A compromised account can grant access to: 

  • Outlook
  • Teams
  • SharePoint
  • OneDrive
  • Connected third-party applications

That single-identity model sits on top of a massive global user base. Many tenants were deployed years ago and never revisited. Default settings often favor usability over strict security, which leaves consistent gaps for attackers to find.

Key Moments from the Episode

  • 00:47 — Introduction and scope of the problem
  • 02:04 — What “hacked” actually means in Microsoft 365
  • 04:05 — Common entry points including phishing and token theft
  • 06:45 — MFA fatigue and OAuth abuse explained
  • 08:25 — What attackers do after mailbox access
  • 10:15 — Financial and operational impact of compromise
  • 10:57 — Why Microsoft 365 is a high‑value target
  • 12:33 — Security controls that materially reduce risk
  • Outro — Next episode and how to learn more

 

What Does “Hacked” Mean in Microsoft 365?

A compromised Microsoft 365 account is typically the result of business email compromise. It does not involve an attacker breaking into Microsoft’s platform.

BEC occurs when a threat actor gains access to a legitimate user account and uses that access to:

  • Monitor email conversations
  • Manipulate invoices or payment instructions
  • Impersonate executives or vendors
  • Spread phishing from trusted internal addresses
  • Steal or monetize sensitive data

Because the attacker is operating as a real user, these incidents often bypass traditional security alerts.

 

How Do Attackers Get Access to Microsoft 365 Accounts?

The most common entry points include: 

  • Phishing with adversary-in-the-middle proxy pages
  • Token theft that bypasses MFA entirely
  • OAuth consent abuse that grants persistent application-level access
  • MFA fatigue attacks that rely on accidental approval

Each of these techniques allows attackers to gain access without triggering standard alerts. Token theft and OAuth abuse are particularly effective. Both can survive password resets and basic MFA cleanup. 

For a detailed breakdown of each access method and the identity gaps that make them possible, see Why Microsoft Accounts Get Compromised and How to Reduce Risk.

What Happens After a Microsoft 365 Mailbox Is Compromised?

Once access is established, attackers focus on persistence and timing rather than immediate action. They create inbox rules to hide, delete, or forward specific messages. They register additional authentication methods or OAuth applications to maintain access after remediation attempts. Then they monitor email threads for payment approvals, vendor relationships, and payroll processes. Some wait weeks before acting. 

Common outcomes include: 

  • Invoice redirection
  • Wire fraud
  • Payroll diversion
  • Data exfiltration
  • Partner impersonation

For more details on post-compromise activity, persistence mechanisms, and containment steps, see What Happens After a Microsoft 365 Compromise.

Which Microsoft 365 Security Controls Actually Reduce Risk?

Several controls consistently reduce the likelihood and impact of account compromise when they are configured correctly. Individually, they help. Together, they significantly limit access, persistence, and dwell time. 

 

Identity and Access Controls

These controls address the most common entry points directly: 

  • Phishing-resistant MFA and number matching block credential interception
  • Conditional access policies based on device trust, location, and sign-in risk limit where and how users can authenticate

Together, they make account takeover significantly harder. 

 

Mailbox and App Governance

These controls reduce the persistence methods attackers rely on after initial access: 

  • Restrict external forwarding to prevent silent data redirection
  • Audit mailbox rules to catch hidden rules that delete or move messages
  • Limit OAuth app consent to block unauthorized application-level access

 

Defender and Continuous Monitoring

Microsoft Defender for Office 365 and identity protection tools help surface:

  • Risky sign-ins
  • Malicious inbox rules
  • Abnormal user behavior 

These patterns often precede fraud. Security posture degrades over time without regular review. Periodic assessments catch legacy settings and new attack paths before they are exploited. 
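The inbox-rule persistence described earlier (rules that hide, delete, or forward messages) and the mailbox-auditing and monitoring controls above both come down to one check: reviewing rule-creation events for the traits attackers rely on. The following is an added example, not code from the article or from Sourcepass, that runs that triage over constructed Unified Audit Log records for New-InboxRule and Set-InboxRule events. The record layout (an Operation plus a Parameters list of Name/Value pairs), the sample users, addresses and IPs, and the keyword and folder lists are assumptions made for the example.

```python
import json

# Constructed sample Unified Audit Log records (not real tenant data), in the AuditData
# shape Exchange Online writes for inbox-rule cmdlets: Operation + Parameters name/value pairs.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "ap@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "Vendor updates"},
                               {"Name": "ForwardTo", "Value": "billing-desk@attacker.example"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

FINANCE_WORDS = ("invoice", "payment", "wire", "payroll", "bank")
# Folders users rarely open; a rule that moves mail there hides it without deleting it.
HIDE_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email", "archive")

def analyze_rule(record: dict) -> list[str]:
    """Return the suspicious traits found in one New-/Set-InboxRule audit record."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    findings = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in params:  # silent forwarding is the classic data-redirection persistence
            findings.append(f"forwards mail to {params[key]}")
    if params.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching messages")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        findings.append(f"moves messages to rarely viewed folder '{params['MoveToFolder']}'")
    if any(w in params.get("SubjectContainsWords", "").lower() for w in FINANCE_WORDS):
        findings.append("filters on finance keywords")  # hides the threads payment fraud depends on
    name = params.get("Name", "")
    if name and not name.strip(" .-_"):  # a name such as "." or "-" is meant to go unnoticed
        findings.append(f"near-empty rule name {name!r}")
    return findings

def triage(lines: list[str]) -> list[dict]:
    """Parse audit-log JSON lines and return one alert per suspicious rule event."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        hits = analyze_rule(rec)
        if hits:
            alerts.append({"user": rec["UserId"], "ip": rec.get("ClientIP"), "findings": hits})
    return alerts
```

In the sample data the same client IP creates rules in two different mailboxes within minutes, which is worth correlating on its own; rules created from the Outlook desktop client are logged under a different operation (UpdateInboxRules) with a different parameter layout that this parser does not cover.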

Understanding Microsoft 365 Account Compromise

 

If Microsoft 365 account compromise is a concern, the next step is understanding how your tenant is configured and where attackers are most likely to get in.

The Sourcepass Center of Excellence for Microsoft works with organizations to assess identity security, mailbox controls, and application access across Microsoft 365. The goal is to reduce exposure and improve detection.

You can contact the Sourcepass MCOE team to learn more about Microsoft 365 security assessments and remediation strategies.

You can also subscribe to the Demystifying Microsoft podcast to follow upcoming episodes that dive deeper into how to assess and harden a Microsoft 365 tenant.

 

Interested in discussing your environment with us?

 

 

Explore More on Microsoft 365 Account Compromise

Microsoft Extended Service Terms and Renewal Cost Risk

10 min read

Microsoft Extended Service Terms and Renewal Cost Risk

A missed Microsoft 365 renewal can now increase your licensing cost by roughly 23%. That change took effect on May 4, 2026, when Microsoft removed...

Read the full article
How Microsoft 365 E7 is Reshaping Enterprise AI Governance

10 min read

How Microsoft 365 E7 is Reshaping Enterprise AI Governance

Microsoft’s March 2026 updates signal a shift in how AI operates inside Microsoft 365. Until now, Copilot has focused on individual tasks. Drafting...

Read the full article
What is Changing in Microsoft 365 E5 on July 1, 2026?

10 min read

What is Changing in Microsoft 365 E5 on July 1, 2026?

Many E5 customers are still paying for third-party endpoint privilege tools, maintaining legacy certificate servers on aging domain controllers, and...

Read the full article
Preventing Business Email Compromise in Microsoft 365

3 min read

Preventing Business Email Compromise in Microsoft 365

Business email compromise attacks cost organizations over $2.7 billion in reported losses last year. In Microsoft 365, most of those compromises...

Read the full article
How Microsoft 365 E7 is Reshaping Enterprise AI Governance

3 min read

How Microsoft 365 E7 is Reshaping Enterprise AI Governance

Microsoft’s March 2026 updates signal a shift in how AI operates inside Microsoft 365. Until now, Copilot has focused on individual tasks. Drafting...

Read the full article
Microsoft 365 Hardening Checklist: 10 Steps to a Secure Tenant

1 min read

Microsoft 365 Hardening Checklist: 10 Steps to a Secure Tenant

Why M365 Hardening Matters Microsoft 365 is the backbone of modern business productivity and a prime target for cyber threats. Out-of-the-box, M365...

Read the full article