Where Microsoft 365 Security Gaps are Hiding in SMB Tenants
Nicole Walker
June 11, 2026
Phishing volume is surging, and small and medium-sized businesses are feeling it the most.
One altered letter in an email address cost a business nearly $100,000 in a single wire transfer. That money never came back. The attack worked because of configuration gaps in a Microsoft 365 tenant that no one had caught.
The same questions keep coming up. How do I stop phishing emails? What does Defender actually do? Is my Microsoft 365 tenant secure? These conversations are happening multiple times a week between IT teams and business owners trying to figure out where to start.
This article covers how Microsoft Defender products are licensed and deployed, why phishing protection goes beyond turning on a license, and why a security assessment should come first.
In this episode of the Demystifying Microsoft podcast, Nathan Taylor and Tracy Harper from the Sourcepass Center of Excellence for Microsoft walk through the security topics dominating client conversations right now. Tracy works directly with clients every day as a Client Success Manager, and her perspective on what SMBs are actually requesting brings a customer-first lens to the discussion.
Microsoft uses the Defender brand across multiple products, and that creates confusion for SMBs trying to figure out what they actually need. There are multiple tiers across endpoint and email protection, and the right license depends on your organization's size and security requirements.
Defender for Business is the small business product included in Microsoft 365 Business Premium. For organizations that need enterprise-grade capabilities, Defender for Endpoint Plan 1 and Plan 2 are available as standalone licenses or as part of the Defender Suite bolt-on for Business Premium and E3.
Phishing is not slowing down. It is accelerating. There has been a noticeable spike in volume along with a shift in the types of attacks targeting Microsoft 365 tenants.
Two attack patterns stand out.
The first is self-spoofing. Attackers exploit weaknesses in a tenant's DMARC configuration to send phishing emails from the organization's own domain back to its own employees. The email looks like it came from a colleague or internal system. The trust factor is high, and the click rate follows.
The second is the exploitation of direct send. This is a legitimate Microsoft 365 feature that is enabled by default on every tenant. Threat actors use direct send to push high volumes of phishing emails to internal users, and those emails bypass several standard security controls. Disabling it requires a single PowerShell command, but most organizations have never done it because they did not know it was enabled.
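The "single PowerShell command" mentioned above, shown as an added example that is not part of the article: it checks the tenant's current Direct Send setting in Exchange Online and turns rejection on only if it is still off. It assumes the ExchangeOnlineManagement module is installed and that $AdminUpn is replaced with a real Exchange administrator account.

```powershell
# Added example (not from the article): check whether Direct Send is still
# accepted by the tenant and, if so, turn it off. Requires the
# ExchangeOnlineManagement module and an Exchange administrator account;
# $AdminUpn is a placeholder.
Import-Module ExchangeOnlineManagement
$AdminUpn = "admin@contoso.example"   # placeholder, replace with your admin account
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# RejectDirectSend is $false by default, which is the exposure described above.
$config = Get-OrganizationConfig | Select-Object -Property RejectDirectSend
Write-Host "RejectDirectSend currently: $($config.RejectDirectSend)"

if (-not $config.RejectDirectSend) {
    # Before flipping the switch, confirm nothing legitimate depends on Direct Send.
    # Devices that relay straight to the tenant's MX record (printers, scanners,
    # line-of-business apps) will start receiving NDRs once this is set, so
    # inventory them and move them to a connector or authenticated SMTP first.
    Set-OrganizationConfig -RejectDirectSend $true
    Write-Host "Direct Send is now rejected for this tenant."
} else {
    Write-Host "Direct Send is already rejected; no change made."
}

# Re-read the setting to verify the change was applied.
(Get-OrganizationConfig).RejectDirectSend
Disconnect-ExchangeOnline -Confirm:$false
```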
These attacks are not edge cases. They are happening right now.
There is also a human cost that gets overlooked in technical conversations. Businesses lose real money. People lose jobs. A fraudulent wire transfer does not come back. Once the money is sent, it is gone.
That reality makes accounting controls just as critical as any security tool. When a banking change or unexpected invoice comes through, someone should verify the request with another person before executing the transaction. No technology replaces that step.
Defender for Office 365 Plan 1 is the email and collaboration security product that addresses phishing, spam, and malware at the tenant level. It is available as a standalone add-on for $2 per user on any Office 365 plan that includes email. It is also bundled into Business Premium.
The five core capabilities in Plan 1 are anti-phishing, anti-spam, anti-malware, Safe Links, and Safe Attachments. Together, these provide a layered defense for inbound email and collaboration tools like SharePoint, OneDrive, and Teams.
These protections work best when the backend is configured correctly. SPF, DKIM, and DMARC need to be properly aligned before Defender for Office 365 can perform at its full potential. The DMARC gaps described above are directly tied to the spoofing attacks surging right now. Many tenants still have incomplete configurations, and that is where attackers are finding their way in.
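A quick way to see whether SPF, DKIM and DMARC are actually in place for a sending domain, as an added example that is not part of the article: it reads the public DNS records with Resolve-DnsName (Windows DnsClient module) and flags the gaps behind the self-spoofing pattern described earlier, in particular a missing DMARC record or one left at p=none. $Domain is a placeholder.

```powershell
# Added example (not from the article): read a domain's SPF, DKIM and DMARC
# records and flag the gaps that let spoofed mail through.
# $Domain is a placeholder; Resolve-DnsName comes from the Windows DnsClient module.
$Domain = "contoso.example"   # placeholder, replace with your sending domain

function Get-TxtRecord {
    param([string]$Name)
    try {
        $rr = Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop
        return ($rr | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
    } catch { return @() }
}

# SPF: exactly one v=spf1 record, ending in -all (hard fail) or ~all (soft fail).
$spf = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' }
if ($spf.Count -ne 1)        { Write-Warning "SPF: expected exactly one v=spf1 record, found $($spf.Count)" }
elseif ($spf -match '\+all') { Write-Warning "SPF: +all lets any host send as $Domain" }
else                         { Write-Host "SPF OK: $spf" }

# DKIM: Microsoft 365 signs with two selectors published as CNAMEs on the domain.
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { Write-Host "DKIM $sel -> $($cname.NameHost)" }
    else        { Write-Warning "DKIM: no CNAME for $sel._domainkey.$Domain (signing not set up)" }
}

# DMARC: p=none only monitors, so spoofed mail is still delivered.
# Aim for p=quarantine or p=reject, and keep rua= so you receive aggregate reports.
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }
if (-not $dmarc) {
    Write-Warning "DMARC: no record; receivers cannot enforce alignment for $Domain"
} elseif ($dmarc -match 'p=none') {
    Write-Warning "DMARC: p=none (monitor only), spoofed mail from $Domain is still accepted"
} elseif ($dmarc -match 'p=(quarantine|reject)') {
    Write-Host "DMARC OK: $dmarc"
    if ($dmarc -notmatch 'rua=') { Write-Warning "DMARC: no rua= address, you get no failure reports" }
}
```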
Defender for Office 365 Plan 2 adds capabilities like phishing simulation training and automated investigation and response. That tier is included in the Defender Suite and is worth evaluating for organizations dealing with persistent or targeted attacks.
Phishing protection reduces the volume of threats reaching users. MFA reduces the damage when one gets through.
MFA is table stakes. If there is one control that should be enabled immediately on every Microsoft 365 tenant, it is multi-factor authentication for all users.
A common mistake is enabling MFA only for global admins. That leaves every other account exposed. Every user needs to be enrolled, regardless of whether they push back on the inconvenience. An unprotected account is an open door. Threat actors know which doors to check first.
MFA enforcement in Microsoft 365 runs through Conditional Access policies in Microsoft Entra ID. Conditional Access is not a simple on/off toggle. It defines rules around sign-in behavior and device compliance. It also factors in location and risk level. That granularity is what separates a properly hardened tenant from one that checked the MFA box for a handful of accounts and moved on.
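What "MFA for all users through Conditional Access" looks like in practice, as an added example that is not part of the article: it creates a policy scoped to every user and every cloud app with the Microsoft Graph PowerShell SDK, starting in report-only mode so the sign-in log shows the impact before anyone is blocked. $BreakGlassGroupId is a placeholder for the tenant's emergency-access group.

```powershell
# Added example (not from the article): require MFA for all users, not just
# global admins, via a Conditional Access policy created in report-only mode.
# Uses the Microsoft.Graph PowerShell SDK; $BreakGlassGroupId is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder GUID

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only first; switch to "enabled" after reviewing sign-in log impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Every user and every cloud app; exclude only the break-glass group so a
        # misconfiguration cannot lock every administrator out of the tenant.
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Audit: list every MFA policy and its state, so a policy left in report-only
# or disabled is visible instead of silently giving a false sense of coverage.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```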
This is one of the most common scenarios in the SMB space right now. An organization knows they need better security, so they ask for a quote on a Defender license. The instinct is right, but the sequence matters. Buying a single product without understanding the full picture leaves gaps that the license was never designed to cover.
A Microsoft 365 security assessment looks at the tenant as a whole. It covers:
MFA and Entra ID configuration
Email authentication and security settings
SharePoint sharing and Teams policies
Defender configuration
Intune enrollment
Audit logging
The output is a prioritized list of findings that feeds directly into a hardening engagement. Many of the most impactful improvements come from configuration changes to features already included in current licensing.
A properly hardened Microsoft 365 tenant is not just about Defender licenses. It is about configuring the entire environment to reduce the attack surface across identity, email, endpoints, and data.
Hardening engagements cover areas that many organizations overlook:
Each of these controls addresses a specific gap that threat actors routinely exploit.
The approach that works best for SMBs is pragmatic. Pick the low-hanging fruit first: lock the doors that are easy to close. Then roadmap the more complex controls that take additional planning and time. That sequenced approach delivers the fastest improvement to a tenant's security posture without disrupting day-to-day operations.
MFA does not stop phishing emails from reaching users. What it does is prevent an attacker from accessing an account even if they steal a password through a phishing attack. That makes MFA one of the highest-impact controls available, but it works best as part of a layered security approach that includes email protection and tenant hardening.
A security assessment identifies gaps across the entire tenant, not just one product area. Many of the most impactful improvements come from configuration changes to features already included in current licensing. Starting with an assessment ensures that new licenses are layered onto a properly configured foundation rather than covering up existing gaps.
Enable multi-factor authentication for all users. After that, run a full security assessment to identify configuration gaps across identity, email, endpoints, and data. Those two steps create the foundation for a hardening roadmap that delivers measurable risk reduction.
Microsoft 365 security is not a one-time configuration. It is a continuous effort that starts with understanding where your tenant stands today. Whether you need help with Defender deployment, email authentication, Conditional Access, or a full tenant hardening engagement, the Sourcepass MCOE team can help you work through it.
Reach out to our team to schedule a Microsoft 365 security assessment or talk through your hardening options.
Subscribe to the Demystifying Microsoft podcast for weekly episodes covering the Microsoft topics IT leaders are researching right now.