
How Business Email Compromise Works in Microsoft 365

Most Microsoft 365 security incidents do not start with a traditional breach. They start with a legitimate login. 

An attacker gains access to a real user account, operates inside the tenant using native tools, and avoids detection by blending in with normal activity. That pattern, known as business email compromise, is now one of the most financially damaging attack categories organizations face. 

The challenge is that compromise can happen even when MFA is enabled, and it often continues long after a password reset.

Why Are Microsoft 365 Accounts Being Compromised More Often?

Nathan Taylor breaks down the full life cycle of Microsoft 365 account compromise on this episode of the Demystifying Microsoft podcast, covering real attack patterns across active environments. 

Microsoft 365 is not targeted because it is insecure. It is targeted because email, identity, collaboration, and file storage all sit behind a single cloud identity. A compromised account often grants access to Outlook, Teams, SharePoint, OneDrive, and connected applications in one step. 

That single-identity model, combined with a massive global user base and tenants that were deployed years ago without being revisited, creates a predictable attack surface. Default settings that favor usability over strict security give attackers consistent gaps to exploit across environments.

Listen, Watch and Subscribe

  • Demystifying Microsoft on Apple Podcasts
  • Demystifying Microsoft on YouTube
  • Demystifying Microsoft on Spotify

Timestamped Key Moments

  • 00:47 — Introduction and scope of the problem
  • 02:04 — What “hacked” actually means in Microsoft 365
  • 04:05 — Common entry points including phishing and token theft
  • 06:45 — MFA fatigue and OAuth abuse explained
  • 08:25 — What attackers do after mailbox access
  • 10:15 — Financial and operational impact of compromise
  • 10:57 — Why Microsoft 365 is a high‑value target
  • 12:33 — Security controls that materially reduce risk
  • Outro — Next episode and how to learn more

What Does “Hacked” Actually Mean in Microsoft 365?

A compromised Microsoft 365 account is typically the result of business email compromise rather than an attacker breaking into Microsoft’s infrastructure.

BEC occurs when a threat actor gains access to a legitimate user account and uses that access to:

  • Monitor email conversations
  • Manipulate invoices or payment instructions
  • Impersonate executives or vendors
  • Spread phishing from trusted internal addresses
  • Steal or monetize sensitive data

Because the attacker is operating as a real user, these incidents often bypass traditional security alerts.

How Do Attackers Get Access to Microsoft 365 Accounts?

The most common entry points are phishing with adversary-in-the-middle proxy pages, token theft that bypasses MFA entirely, OAuth consent abuse that grants persistent application-level access, and MFA fatigue attacks that rely on accidental approval.

Each of these techniques allows attackers to gain access without triggering the security alerts most organizations expect. Token theft and OAuth abuse are particularly effective because they can survive password resets and basic MFA cleanup. 

For a detailed breakdown of each access method and the identity gaps that make them possible, see Why Microsoft 365 Accounts Get Compromised and How to Reduce Risk.

What Happens After a Microsoft 365 Mailbox Is Compromised?

Once access is established, attackers focus on persistence and timing rather than immediate action. 

Inbox rules are created to hide, delete, or forward specific messages. Additional authentication methods or OAuth applications are registered to maintain access even after remediation attempts. Attackers then monitor email threads for payment approvals, vendor relationships, and payroll processes, sometimes for weeks, before acting.

Common outcomes include invoice redirection, wire fraud, payroll diversion, data exfiltration, and partner impersonation. 
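The inbox-rule persistence described above leaves a trail: every New-InboxRule and Set-InboxRule call is written to the unified audit log with the cmdlet's parameters. The script below is an added example (not code from the podcast, Sourcepass, or Microsoft) that runs a defender's triage over a constructed batch of such records: it flags rules that forward or redirect mail outside the tenant, delete matching messages, file them into folders nobody reads, filter on finance-related subject words, or carry a near-empty name. The record shape is an assumption modelled on the AuditData payload that Search-UnifiedAuditLog returns; the tenant domain, users, addresses and IP addresses are invented.

```python
import json

# Constructed sample of unified-audit-log records for inbox-rule changes. The
# shape (Operation plus a Parameters list of Name/Value pairs) is an assumption
# modelled on the AuditData payload returned by Search-UnifiedAuditLog for
# Exchange cmdlets; every value below is invented for this example.
SAMPLE_AUDIT_JSON = r"""
[
  {"CreationTime": "2024-03-04T08:12:31", "Operation": "New-InboxRule",
   "UserId": "ap@contoso.example", "ClientIP": "203.0.113.7",
   "Parameters": [
     {"Name": "Name", "Value": "."},
     {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
     {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
     {"Name": "MarkAsRead", "Value": "True"}]},
  {"CreationTime": "2024-03-04T08:13:02", "Operation": "New-InboxRule",
   "UserId": "ap@contoso.example", "ClientIP": "203.0.113.7",
   "Parameters": [
     {"Name": "Name", "Value": "Cleanup"},
     {"Name": "ForwardAsAttachmentTo", "Value": "archive@mailbox.example"},
     {"Name": "DeleteMessage", "Value": "True"}]},
  {"CreationTime": "2024-03-05T14:02:10", "Operation": "Set-InboxRule",
   "UserId": "jo@contoso.example", "ClientIP": "198.51.100.22",
   "Parameters": [
     {"Name": "Identity", "Value": "Newsletters"},
     {"Name": "From", "Value": "news@vendor.example"},
     {"Name": "MoveToFolder", "Value": "Newsletters"}]}
]
"""

INTERNAL_DOMAINS = {"contoso.example"}  # constructed: the tenant's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders users rarely open; a rule that files mail there keeps it out of sight.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FRAUD_KEYWORDS = {"invoice", "payment", "wire", "bank", "ach", "payroll", "remit"}


def _params(record):
    """Flatten the Parameters list into a name -> value dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def score_rule(record):
    """Return the reasons a rule change looks like BEC persistence (empty if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        if name in p:
            targets = [t for t in p[name].split(";") if t.strip()]
            if any(_is_external(t) for t in targets):
                reasons.append(f"{name} sends mail outside the tenant: {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"hides matching messages in folder {p['MoveToFolder']!r}")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & FRAUD_KEYWORDS
    if hits:
        reasons.append("filters on finance keywords: " + ", ".join(sorted(hits)))
    name = p.get("Name", "")
    if name and len(name.strip(". _-")) <= 1:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def find_suspicious_rules(audit_json):
    """Parse exported audit records and return the rule changes worth an analyst's review."""
    findings = []
    for record in json.loads(audit_json):
        reasons = score_rule(record)
        if reasons:
            findings.append({
                "time": record["CreationTime"],
                "user": record["UserId"],
                "client_ip": record.get("ClientIP"),
                "operation": record["Operation"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_JSON):
        print(f"{f['time']} {f['user']} ({f['client_ip']}) {f['operation']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data the two rules created by ap@contoso.example are reported and the ordinary newsletter rule is not. In a real tenant the same function runs over an export of rule events, and the client IP and time fields are what let an analyst tie the rules back to the sign-in that created them.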

For more details on post-compromise activity, persistence mechanisms, and containment steps, see What Happens After a Microsoft 365 Compromise.

Which Microsoft 365 Security Controls Actually Reduce Risk?

Several controls consistently reduce the likelihood and impact of account compromise when they are configured correctly. Individually, they help. Together, they significantly limit access, persistence, and dwell time.

Identity and Access Controls

Phishing-resistant MFA, number matching, and conditional access policies based on device trust, location, and sign-in risk make account takeover significantly harder to execute. These controls address the most common entry points directly.

Mailbox and App Governance

Restricting external forwarding, auditing mailbox rules, and limiting OAuth app consent reduce persistence opportunities attackers rely on after initial access. 
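Limiting OAuth app consent has two halves: checking whether the tenant still lets any user consent to any app, and reviewing the grants that already exist, because a consented app with a refresh token keeps its access through the password reset that the earlier section says does not end these incidents. The script below is an added example (not code from the podcast, Sourcepass, or Microsoft) that performs both checks over constructed data. The property names follow the Microsoft Graph servicePrincipal, oauth2PermissionGrant and authorizationPolicy objects; the ids, app names and grants are invented, and the scope list and scoring rules are this example's own choices, not a Microsoft recommendation.

```python
# Constructed sample modelled on three Microsoft Graph objects: servicePrincipal,
# oauth2PermissionGrant and authorizationPolicy. Property names follow the Graph
# schema; ids, app names and scopes are invented for this example.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"   # constructed home tenant id

SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Mail Sync Helper",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-2", "appDisplayName": "Collab Suite",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000cccc",
     "verifiedPublisher": {"displayName": "Collab Vendor Ltd", "verifiedPublisherId": "pub-42"}},
    {"id": "sp-3", "appDisplayName": "Expense Reporter",
     "appOwnerOrganizationId": TENANT_ID,
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]

GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-ap",
     "scope": "openid profile offline_access Mail.ReadWrite MailboxSettings.ReadWrite Files.Read.All"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Chat.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-jo",
     "scope": "User.Read Files.Read"},
]

# The legacy "allow user consent for all apps" setting as it appears in the
# tenant authorizationPolicy.
AUTHZ_POLICY = {"defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}

# Delegated scopes that give an app the same reach over mail and files that a
# mailbox takeover would; this list is the example's own choice.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                      "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All"}


def review_grants(grants, service_principals, tenant_id=TENANT_ID):
    """Return the grants that combine broad reach with weak provenance or single-user consent."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_id.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        reasons = []
        risky = scopes & HIGH_IMPACT_SCOPES
        if risky:
            reasons.append("high-impact scopes: " + ", ".join(sorted(risky)))
            if "offline_access" in scopes:
                # A refresh token keeps the app's access alive through a password reset.
                reasons.append("offline_access: access persists after password reset")
        third_party = sp.get("appOwnerOrganizationId") != tenant_id
        unverified = not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        if third_party and unverified:
            reasons.append("third-party app without a verified publisher")
        if reasons and g.get("consentType") == "Principal":
            reasons.append(f"granted by a single user's consent ({g.get('principalId')})")
        if reasons:
            findings.append({"app": sp.get("appDisplayName", g["clientId"]),
                             "client_id": g["clientId"], "reasons": reasons})
    return findings


def user_consent_is_unrestricted(policy):
    """True when the tenant still lets any user consent to any app (the legacy default)."""
    assigned = policy.get("defaultUserRolePermissions", {}).get("permissionGrantPoliciesAssigned", [])
    return any(p.endswith("microsoft-user-default-legacy") for p in assigned)


if __name__ == "__main__":
    print("user consent unrestricted:", user_consent_is_unrestricted(AUTHZ_POLICY))
    for f in review_grants(GRANTS, SERVICE_PRINCIPALS):
        print(f["app"], f["client_id"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data only "Mail Sync Helper" is reported: an unverified third-party app with mailbox and mailbox-settings scopes plus offline_access, consented by one user. The verified vendor app with narrow scopes and the tenant's own app are left alone, which is the point of scoring rather than listing every grant.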

 

Defender and Continuous Monitoring

Microsoft Defender for Office 365 and identity protection tooling help surface risky sign‑ins, malicious rules, and abnormal behavior that often precede fraud. Security posture degrades over time if it is not reviewed. Regular assessments catch legacy settings and new attack paths before they are exploited. 

Understanding Microsoft 365 Account Compromise

If Microsoft 365 account compromise is a concern, the next step is understanding how your tenant is configured and where attackers are most likely to get in.

The Sourcepass Center of Excellence for Microsoft works with organizations to assess identity security, mailbox controls, and application access across Microsoft 365 to reduce exposure and improve detection.

You can contact the Sourcepass MCOE team to learn more about Microsoft 365 security assessments and remediation strategies.

You can also subscribe to the Demystifying Microsoft podcast to follow upcoming episodes that dive deeper into how to assess and harden a Microsoft 365 tenant.