Most Microsoft 365 security incidents do not start with a traditional breach. They start with a legitimate login.
An attacker gains access to a real user account, operates inside the tenant using native tools, and avoids detection by blending in with normal activity. That pattern, known as business email compromise, is now one of the most financially damaging attack categories organizations face.
The challenge is that compromise can happen even when MFA is enabled, and it often continues long after a password reset.
Nathan Taylor breaks down the full life cycle of Microsoft 365 account compromise on this episode of the Demystifying Microsoft podcast, covering real attack patterns across active environments.
Microsoft 365 is not targeted because it is insecure. It is targeted because email, identity, collaboration, and file storage all sit behind a single cloud identity. A compromised account often grants access to Outlook, Teams, SharePoint, OneDrive, and connected applications in one step.
That single-identity model, combined with a massive global user base and tenants that were deployed years ago without being revisited, creates a predictable attack surface. Default settings that favor usability over strict security give attackers consistent gaps to exploit across environments.
A compromised Microsoft 365 accounts is typically the result of business email compromise rather than an attacker breaking into Microsoft’s infrastructure.
BEC occurs when a threat actor gains access to a legitimate user account and uses that access to:
Because the attacker is operating as a real user, these incidents often bypass traditional security alerts.
The most common entry points involve phishing with adversary-in-the-middle proxy pages, token theft that bypasses MFA entirely. OAuth consent abuse that grants persistent application-level access, and MFA fatigue attacks that rely on accidental approval.
Each of these techniques allows attackers to gain access without triggering the security alerts most organizations expect. Token theft and OAuth abuse are particularly effective because they can survive password resets and basic MFA cleanup.
For a detailed breakdown of each access method and the identity gaps that make them possible, see Why Microsoft Accounts Get Comprised and How to Reduce Risk.
Once access is established, attackers focus on persistence and timing rather than immediate action.
Inbox rules are created to hide, delete, or forward specific messages. Additional authentication methods or OAuth applications are resisted to maintain access even after remediation attempts. Attackers then monitor email thread for payment approvals, vendor relationships, and payroll processes, sometimes for weeks, before acting.
Common outcomes include invoice redirection, wire fraud, payroll diversion, data exfiltration, and partner impersonation.
For more details on post-compromise activity, persistence mechanisms, and containment steps, see What Happens After a Microsoft 365 Compromise.
Several controls consistently reduce the likelihood and impact of account compromise when they are configured correctly. Individually, they help. Together, they significantly limit access, persistence, and dwell time.
Phishing-resistant MFA, number matching, and conditional access policies based on device trust, location, and sign-in risk make account takeover significantly harder to execute. These controls address the most common entry points directly.
Restricting external forwarding, auditing mailbox rules, and limiting OAuth app consent reduce persistence opportunities attackers rely on after initial access.
Microsoft Defender for Office 365 and identity protection tooling help surface risky sign‑ins, malicious rules, and abnormal behavior that often precede fraud. Security posture degrades over time if it is not reviewed. Regular assessments catch legacy settings and new attack paths before they are exploited.
If Microsoft 365 account compromise is a concern, the next step is understanding how your tenant is configured and where attackers are most likely to get in.
The Sourcepass Center of Excellence for Microsoft works with organizations to assess identity security, mailbox controls, and application access across Microsoft 365 to reduce exposure and improve detection.
You can also subscribe to the Demystifying Microsoft podcast to follow upcoming episodes that dive deeper into how to assess and harden a Microsoft 365 tenant.
Explore More on Microsoft 365 Account Compromise
Read Why Microsoft 365 Accounts Get Compromised and How to Reduce Risk: A detailed look at the most common access methods attackers use, including phishing, token theft, OAuth abuse, and MFA fatigue, along with a focused hardening strategy for identity and email.
Read What Happens After a Microsoft 365 Compromise: A breakdown of what attackers do once they have mailbox access, how persistence is established, and what it takes to fully contain an identity-based incident.
Subscribe to the Demystifying Microsoft Podcast: New episodes cover Microsoft 365 security, licensing, and infrastructure topics for IT professionals navigating real-world challenges.
Schedule a Microsoft 365 Security Assessment: The Sourcepass Center of Excellence for Microsoft works with organizations to evaluate identity security, mailbox controls, and application access across Microsoft 365.