Business email compromise attacks cost organizations over $2.7 billion in reported losses last year.
In Microsoft 365, most of those compromises trace back to configuration gaps, not missing tools.
Reducing that risk requires a layered approach. The most effective improvements start with identity, strengthen email controls, and remove common attack paths like legacy authentication, dormant accounts, and unapproved applications.
Microsoft 365 is a high-value target because email, files, collaboration, and identity all live in the same ecosystem. When attackers compromise a single account, they often reach far more than just email.
Common causes include:
Most of these issues are configuration problems, not tooling gaps.
In this episode of the Demystifying Microsoft podcast, Nathan Taylor (SVP, Global Microsoft Practice Leader at Sourcepass MCOE) breaks down how Microsoft 365 environments get compromised and how to harden a tenant using security controls. The conversation covers identity security, email protection, and modern attacks like token theft.
Business email compromise occurs when an attacker gains access to a legitimate Microsoft 365 account. From there, they can impersonate users, manipulate conversations, or move through the tenant.
Many modern BEC attacks do not rely on malware. Instead, they use valid logins, approved sessions, or stolen authentication tokens. This is why compromised accounts often appear normal in basic logs.
In Microsoft 365, identity is the primary security boundary. Once an account is compromised, attackers inherit the permissions tied to that identity.
The most effective first step is enforcing strong authentication across all users, with additional protection for privileged roles.
That typically includes:
This approach reduces the chance of accidental gaps and makes the environment harder to misconfigure.
Many tenants technically have MFA enabled but still allow authentication methods that attackers can exploit.
Common weaknesses include:
Security defaults improve baseline protection. However, conditional access is needed to enforce stronger controls and apply different requirements based on risk and role.
Token theft occurs after authentication succeeds. Instead of stealing passwords or MFA codes, attackers steal the session token that Microsoft issues after login.
That token grants access to Microsoft 365 services without prompting for credential again. In logs, the sign-in often appears legitimate and shows MFA as passed.
Token theft is commonly associated with:
Phishing-resistant authentication methods verify users through hardware tied to a specific device instead of browser-based prompts.
Common examples include:
These methods work outside the browser session. That makes it far harder for attackers to intercept credentials or tokens.
They are especially effective for administrative accounts and users targeted by repeated phishing attempts.
Requiring access from known or compliant devices strengthens access control beyond authentication alone.
When device trust is enforced, Microsoft evaluates the device during sign-in and verifies factors such as:
Even if a token is stolen, access can be blocked if the attacker’s device does not meet trust requirements. This control typically requires Intune or hybrid device management. It provides a strong second layer of defense.
Email remains the most common entry point for compromise. Many tenants still lack proper domain authentication or leave DMARC set to monitoring only.
Effective email authentication depends on three protocols working together:
Proper configuration reduces domain spoofing and improves phishing detection across Microsoft’s built-in security filters.
Inactive accounts and stale device records create blind spots in security reporting. These objects often lack MFA enrollment and are rarely monitored.
Cleaning them up:
Dormant objects often skew MFA coverage numbers, making security posture look stronger than it is.
Improving Microsoft 365 security does not require deploying every advanced feature at once. Most meaningful risk reduction comes from hardening identity, enforcing strong authentication, securing email, and removing overlooked attack paths.
Subscribe to the Demystifying Microsoft podcast for future discussions on Microsoft security, licensing, and cloud architecture.
Explore the Full Series: