
Preventing Business Email Compromise in Microsoft 365


Business email compromise attacks cost organizations over $2.7 billion in reported losses last year.

In Microsoft 365, most of those compromises trace back to configuration gaps, not missing tools. 

Reducing that risk requires a layered approach. The most effective improvements start with identity, strengthen email controls, and remove common attack paths like legacy authentication, dormant accounts, and unapproved applications. 

 

How Attackers Gain Access to Microsoft 365 Accounts

 

Microsoft 365 is a high-value target because email, files, collaboration, and identity all live in the same ecosystem. When attackers compromise a single account, they often reach far more than just email.

Common causes include:

  • MFA enabled but configured with weak methods
  • Conditional access not enforced consistently
  • Legacy authentication still allowed
  • Email authentication not fully implemented
  • Inactive users and devices left enabled
  • OAuth and enterprise apps approved without review

Most of these issues are configuration problems, not tooling gaps.

In this episode of the Demystifying Microsoft podcast, Nathan Taylor (SVP, Global Microsoft Practice Leader at Sourcepass MCOE) breaks down how Microsoft 365 environments get compromised and how to harden a tenant using security controls. The conversation covers identity security, email protection, and modern attacks like token theft.


Key Timestamps

  • 01:52 — Why Microsoft 365 compromises are increasing
  • 02:23 — Insecure tenant configuration as the root cause
  • 04:30 — Identity as the new security perimeter
  • 06:35 — Why some MFA deployments still fail
  • 07:52 — Email security and domain authentication
  • 10:59 — Dormant users and hidden risk
  • 13:48 — Token theft and MFA bypass attacks
  • 15:40 — Phishing resistant authentication methods
  • 17:11 — Requiring known or compliant devices
  • 19:45 — What a hardening assessment reviews
  • 25:20 — Why fixing the basics reduces most risk

 

What is Business Email Compromise in Microsoft 365?

 

Business email compromise occurs when an attacker gains access to a legitimate Microsoft 365 account. From there, they can impersonate users, manipulate conversations, or move through the tenant.

Many modern BEC attacks do not rely on malware. Instead, they use valid logins, approved sessions, or stolen authentication tokens. This is why compromised accounts often appear normal in basic logs.

 

Identity as the First Line of Defense in Microsoft 365

 

In Microsoft 365, identity is the primary security boundary. Once an account is compromised, attackers inherit the permissions tied to that identity.

The most effective first step is enforcing strong authentication across all users, with additional protection for privileged roles.

That typically includes:

  • Requiring MFA for all accounts
  • Applying separate policies for administrative access
  • Blocking legacy authentication protocols
  • Ensuring privileged users are protected by multiple overlapping policies

This approach reduces the chance of accidental gaps and makes the environment harder to misconfigure. 

 

How MFA is Commonly Bypassed in Microsoft 365

 

Many tenants technically have MFA enabled but still allow authentication methods that attackers can exploit.

Common weaknesses include:

  • SMS or email based verification
  • Push approval without number matching
  • Inconsistent conditional access coverage

Security defaults improve baseline protection. However, conditional access is needed to enforce stronger controls and apply different requirements based on risk and role.
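The identity controls described in the two sections above (MFA for everyone, a separate policy for administrative roles, legacy authentication blocked, nothing left in report-only mode) can be checked against the policy objects a tenant exposes. The following is an added example, not Sourcepass code or a Microsoft tool; it assumes policies in the dict shape Microsoft Graph returns for conditionalAccessPolicy, and the sample tenant is constructed:

```python
"""Flag the Conditional Access gaps this article lists: legacy authentication
still allowed, MFA not enforced for every user, no separate policy for admin roles.
Added example, not Sourcepass code; each policy is a dict in the shape Microsoft
Graph returns for conditionalAccessPolicy, and the sample tenant is constructed."""

# Graph clientAppTypes values that carry legacy (basic) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

def enforced(policy):
    # Disabled and report-only ("enabledForReportingButNotEnforced") policies stop nothing.
    return policy.get("state") == "enabled"

def cond(policy, key, default):
    return policy.get("conditions", {}).get(key, default)

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    # Either the classic "mfa" control or an authentication strength (e.g. phishing-resistant).
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))

def blocks_legacy_auth(policy):
    grant = policy.get("grantControls") or {}
    return (enforced(policy) and "All" in cond(policy, "users", {}).get("includeUsers", [])
            and LEGACY_CLIENT_APPS <= set(cond(policy, "clientAppTypes", []))
            and "block" in grant.get("builtInControls", []))

def mfa_for_all_users(policy):
    return (enforced(policy) and "All" in cond(policy, "users", {}).get("includeUsers", [])
            and "all" in cond(policy, "clientAppTypes", []) and requires_mfa(policy))

def admin_role_policy(policy):
    # The article asks for a separate, overlapping policy scoped to privileged roles.
    return enforced(policy) and bool(cond(policy, "users", {}).get("includeRoles")) and requires_mfa(policy)

def assess(policies):
    """Return the gaps found across the tenant's policies (empty list = none found)."""
    checks = [(blocks_legacy_auth, "legacy authentication is not blocked for all users"),
              (mfa_for_all_users, "no enabled policy requires MFA for all users on all client apps"),
              (admin_role_policy, "no separate enforced policy targets administrative roles")]
    return [gap for check, gap in checks if not any(check(p) for p in policies)]

# Constructed sample: MFA policy left in report-only mode; legacy block misses the "other" clients.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running `assess(SAMPLE_POLICIES)` reports all three gaps for the constructed tenant; a real review would feed it the policies exported from the tenant.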

 
What is Token Theft in Microsoft 365?

 

Token theft occurs after authentication succeeds. Instead of stealing passwords or MFA codes, attackers steal the session token that Microsoft issues after login.

That token grants access to Microsoft 365 services without prompting for credentials again. In logs, the sign-in often appears legitimate and shows MFA as passed.

Token theft is commonly associated with:

  • Adversary-in-the-middle phishing
  • Reverse proxy login pages
  • Malicious OAuth or enterprise applications

 

How Phishing-Resistant MFA Reduces Risk in Microsoft 365

 

Phishing-resistant authentication methods verify users through hardware tied to a specific device instead of browser-based prompts. 

Common examples include:

  • FIDO2 security keys
  • Windows Hello for Business
  • Passkeys using supported authenticators

These methods work outside the browser session. That makes it far harder for attackers to intercept credentials or tokens.

They are especially effective for administrative accounts and users targeted by repeated phishing attempts.

 
Why Device Trust Matters in Microsoft 365 Security 

 

Requiring access from known or compliant devices strengthens access control beyond authentication alone. 

When device trust is enforced, Microsoft evaluates the device during sign-in and verifies factors such as:

  • Device registration or join status
  • Compliance posture
  • Security configuration and health

Even if a token is stolen, access can be blocked if the attacker’s device does not meet trust requirements. This control typically requires Intune or hybrid device management. It provides a strong second layer of defense.

 

Email Authentication Gaps that Leave Microsoft 365 Tenants Exposed 

 

Email remains the most common entry point for compromise. Many tenants still lack proper domain authentication or leave DMARC set to monitoring only.

Effective email authentication depends on three protocols working together:

  • SPF
  • DKIM
  • DMARC with enforcement set to quarantine or reject

Proper configuration reduces domain spoofing and improves phishing detection across Microsoft’s built-in security filters.
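An added example (not Sourcepass code) that grades a domain's SPF, DKIM and DMARC TXT records against the bar set above, flagging in particular a DMARC record left at monitoring only. It parses plain strings so it runs offline; the sample records, the selector name and the example.com reporting address are constructed:

```python
"""Grade a domain's SPF, DKIM and DMARC TXT records against the bar this article
sets: all three present and DMARC enforced (quarantine or reject).
Added example, not Sourcepass code; it parses plain TXT strings so it runs
offline, and the sample records at the bottom are constructed."""

def parse_tags(record):
    """Split 'k=v; k=v' syntax (DMARC and DKIM records) into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: record missing"]
    # Without a -all/~all terminator, senders outside the list are neither failed nor soft-failed.
    if record.split()[-1].lower() not in ("-all", "~all"):
        return ["SPF: does not end in -all or ~all, so spoofed senders are not failed"]
    return []

def check_dkim(selector_records):
    if not selector_records:
        return ["DKIM: no selector records published"]
    # A selector whose p= tag is empty is a revoked key, not a usable signer.
    return [f"DKIM: selector {sel} has no public key"
            for sel, rec in selector_records.items() if not parse_tags(rec).get("p")]

def check_dmarc(record):
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: record missing"]
    tags, issues = parse_tags(record), []
    if tags.get("p") == "none":
        issues.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        issues.append("DMARC: policy tag p= missing or invalid")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("sp") == "none":  # sp defaults to p, but an explicit none reopens subdomains
        issues.append("DMARC: sp=none leaves subdomains spoofable")
    return issues

def assess_domain(spf, dkim_records, dmarc):
    """Every finding for the domain; an empty list means the article's bar is met."""
    return check_spf(spf) + check_dkim(dkim_records) + check_dmarc(dmarc)

# Constructed sample: SPF and DKIM are in place but DMARC is still monitoring only.
SAMPLE = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
          "dkim": {"selector1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqEXAMPLEKEY"},
          "dmarc": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for finding in assess_domain(SAMPLE["spf"], SAMPLE["dkim"], SAMPLE["dmarc"]):
        print(finding)
```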

 

How Dormant Users and Devices Create Blind Spots in Microsoft 365

 

Inactive accounts and stale device records create blind spots in security reporting. These objects often lack MFA enrollment and are rarely monitored.

Cleaning them up:

  • Improves MFA and risk reporting accuracy
  • Reduces easy persistence paths for attackers
  • Makes investigations faster and more reliable

Dormant objects often skew MFA coverage numbers, making security posture look stronger than it is.

 

Reducing Microsoft 365 Account Compromise Starts with Core Controls

 

Improving Microsoft 365 security does not require deploying every advanced feature at once. Most meaningful risk reduction comes from hardening identity, enforcing strong authentication, securing email, and removing overlooked attack paths.

The Sourcepass MCOE team can help review your tenant configuration, identify gaps, and prioritize security changes through a structured hardening approach.

Subscribe to the Demystifying Microsoft podcast for future discussions on Microsoft security, licensing, and cloud architecture.

