Preventing Microsoft 365 Business Email Compromise | Sourcepass MCOE

Business email compromise attacks cost organizations over $2.7 billion in reported losses last year.

In Microsoft 365, most of those compromises trace back to configuration gaps, not missing tools. 

Reducing that risk requires a layered approach. The most effective improvements start with identity, strengthen email controls, and remove common attack paths such as legacy authentication, dormant accounts, and unapproved applications. 

 

How Attacks Gain Access to Microsoft 365 Accounts 

 

Microsoft 365 is a high-value target because email, files, collaboration, and identity all live in the same ecosystem. When attackers gain access to a single account, they often gain access to far more than email.

Common causes include:

• MFA enabled but configured with weak methods
• Conditional access not enforced consistently
• Legacy authentication still allowed
• Email authentication not fully implemented
• Inactive users and devices left enabled
• OAuth and enterprise apps approved without review

Most of these issues are configuration problems, not tooling gaps.

In this episode of the Demystifying Microsoft podcast, Nathan Taylor (SVP, Global Microsoft Practice Leader at Sourcepass MCOE) explains how Microsoft 365 environments are commonly compromised and how to harden a tenant using pragmatic security controls. The conversation covers identity security, authentication and email protection, and modern attacks such as token theft.

 

Key Timestamps

• 01:52 — Why Microsoft 365 compromises are increasing
• 02:23 — Insecure tenant configuration as the root cause
• 04:30 — Identity as the new security perimeter
• 06:35 — Why some MFA deployments still fail
  
• 07:52 — Email security and domain authentication
• 10:59 — Dormant users and hidden risk
• 13:48 — Token theft and MFA bypass attacks
• 15:40 — Phishing resistant authentication methods
• 17:11 — Requiring known or compliant devices
• 19:45 — What a hardening assessment reviews
• 25:20 — Why fixing the basics reduces most risk

 

What is Business Email Compromise in Microsoft 365?

 

Business email compromise occurs when an attacker gains access to a legitimate Microsoft 365 account and uses it to impersonate users, manipulate conversations, or move laterally across the tenant.

Many modern BEC attacks do not rely on malware. Instead, they use valid logins, approved sessions, or stolen authentication tokens. This is why compromised accounts often appear normal in basic logs.

 

Identity as the First Line of Defense in Microsoft 365

 

In Microsoft 365, identity is the primary security boundary. Once an account is compromised, attackers inherit the permissions tied to that identity.

The most effective first step is enforcing strong authentication across all users, with additional protection for privileged roles.

That typically includes:

• Requiring MFA for all accounts
• Applying separate policies for administrative access
• Blocking legacy authentication protocols
• Ensuring privileged users are protected by multiple overlapping policies

This approach reduces the chance of accidental exclusions and improves resilience against misconfiguration.

 

How MFA is Commonly Bypassed in Microsoft 365

 

Many tenants technically have MFA enabled but still allow authentication methods that attackers can exploit.

Common weaknesses include:

• SMS or email based verification
• Push approval without number matching
• Inconsistent conditional access coverage

Security defaults improve baseline protection, but conditional access is needed to enforce stronger controls and apply different requirements based on risk and role.

 

 

 

What is Token Theft in Microsoft 365?

 

Token theft occurs after authentication succeeds. Instead of stealing passwords or MFA codes, attackers steal the session token issued by Microsoft after login.

That token allows access to Microsoft 365 services without triggering additional authentication challenges. In logs, the sign-in often appears legitimate and shows MFA as passed.

Token theft is commonly associated with:

• Adversary-in-the-middle phishing
• Reverse proxy login pages
• Malicious OAuth or enterprise applications

 

How Phishing-Resistant MFA Reduces Risk in Microsoft 365

 

Phishing-resistant authentication methods use cryptographic, device-bound processes instead of browser-based prompts.

Common examples include:

• FIDO2 security keys
• Windows Hello for Business
• Passkeys using supported authenticators

These methods authenticate users outside the browser session, making it far more difficult to intercept usable credentials or tokens.

They are especially effective for administrative accounts and users targeted by repeated phishing attempts.

 

 

 

Why Device Trust Matters in Microsoft 365 Security 

 

Requiring access from known or compliant devices strengthens access control beyond authentication alone. 

When device trust is enforced, Microsoft evaluates the device during sign-in and verifies factors such as:

• Device registration or join status
• Compliance posture
• Security configuration and health

Even if a token is stolen, access can be blocked if the attacker’s device does not meet trust requirements. This control usually requires Intune or hybrid device management but provides a strong second layer of defense.

 

Email Authentication Gaps that Leave Microsoft 365 Tenants Exposed 

 

Email remains the most common entry point for compromise. Many tenants still lack proper domain authentication or leave DMARC set to monitoring only.

Effective email authentication requires alignment between:

• SPF
• DKIM
• DMARC with enforcement set to quarantine or reject

Proper configuration reduces domain spoofing and improves phishing detection across Microsoft’s filtering stack.

 

How Dormant Users and Devices Create Blind Spots in Microsoft 365

 

Inactive accounts and stale device records create blind spots in security reporting. These objects often lack MFA enrollment and are rarely monitored.

Cleaning them up:

• Improves MFA and risk reporting accuracy
• Reduces easy persistence paths for attackers
• Makes investigations faster and more reliable

Dormant objects are often responsible for misleading metrics around MFA coverage.

 

Reducing Microsoft 365 Account Compromise Starts with Core Controls

 

Improving Microsoft 365 security does not require deploying every advanced feature at once. Most meaningful risk reduction comes from hardening identity, enforcing strong authentication, securing email, and removing overlooked attack paths.

If you want help reviewing tenant configuration, identifying gaps, or prioritizing security changes, the Sourcepass MCOE team can assist with a structured hardening approach.

Subscribe to the Demystifying Microsoft podcast for future discussions on Microsoft security, licensing, and cloud architecture.

 

 

Explore the Full Series: 

• How to Harden Microsoft 365 Against Business Email Compromise
• How to Deploy FIDO2 and Phishing-Resistant MFA in Microsoft 365