Microsoft 365 has become the most consequential single attack surface in the modern enterprise. When a threat actor compromises your M365 tenant — whether through phishing, credential stuffing, OAuth token theft, or a misconfigured Exchange connector — they gain access to email archives, SharePoint document libraries, Teams conversation history, OneDrive files, and potentially administrative access to the entire Microsoft cloud environment. The breadth of access a single compromised account can yield in a misconfigured M365 tenant makes tenant hardening a top security priority for every organization using the platform.
The M365 Attack Surface
Understanding where attacks succeed requires mapping the actual attack vectors incident responders encounter repeatedly:
- Exchange Online phishing: Email remains the highest-volume initial access vector. Business Email Compromise (BEC) operations specifically target M365 tenants because a compromised email account enables invoice fraud, wire redirect scams, and credential harvesting of downstream victims. Adversary-in-the-middle (AiTM) phishing toolkits (Evilginx, Modlishka, Muraena) proxy the legitimate Microsoft login page and capture session tokens, bypassing MFA. These attacks succeed against organizations using push-notification MFA without number matching.
- Teams malware delivery: Microsoft Teams allows external organizations to initiate chats with your employees by default. Threat actors create Microsoft tenant accounts mimicking vendors or IT helpdesk, then deliver malicious files through Teams chat to internal users who trust the platform more than email. The DarkGate and Midnight Blizzard campaigns specifically leveraged Teams external access for malware delivery.
- SharePoint/OneDrive oversharing: Sensitive documents shared via 'Anyone with the link can view' links remain accessible indefinitely, including after the sharer leaves the organization. Guest access proliferates without governance. DLP incidents frequently originate from documents shared externally months earlier being accessed by unauthorized parties.
- Legacy authentication protocols: Basic authentication against Exchange Online (IMAP, POP3, SMTP AUTH, Exchange ActiveSync without Modern Auth) does not support MFA. Attackers obtain credentials through phishing or credential stuffing and authenticate directly via IMAP, bypassing Conditional Access policies entirely. Microsoft turned off Basic authentication for affected Exchange Online protocols (EAS, POP, IMAP, EWS, Remote PowerShell, OAB, Autodiscover) on October 1, 2022, and permanently blocked re-enablement after December 31, 2022 — SMTP AUTH for Client Submission is the remaining exception, so tenants still relying on it should audit and migrate to OAuth.
Microsoft Secure Score as a Baseline
The Microsoft Secure Score portal (security.microsoft.com) provides a quantified assessment of tenant security posture across Identity, Data, Devices, Apps, and Infrastructure categories. Use Secure Score as an initial benchmark, but understand its limitations: it measures configuration against Microsoft's recommended settings, not against the full threat landscape. A Secure Score of 75% does not mean 75% security coverage — it means you have implemented 75% of Microsoft's recommended controls, some of which have much higher risk impact than others.
Prioritize Secure Score recommendations by attack impact rather than point value. The highest-impact recommendations are typically: block legacy authentication (high impact, often 10+ Secure Score points), require MFA for all users (very high impact), enable Microsoft Defender for Office 365 Plan 2 (substantial capability improvement), and disable mailbox forwarding to external addresses (critical for BEC prevention).
Exchange Online Protection and Defender for Office 365
Every M365 tenant includes Exchange Online Protection (EOP) for baseline anti-spam and malware filtering. Microsoft Defender for Office 365 (MDO) Plan 1 and Plan 2 add substantial threat protection that should be considered mandatory for any business use case:
- Safe Attachments: Detonates email attachments in a sandbox environment before delivery. Quarantines malicious files. Enable the 'Block' action (not just 'Monitor') and apply the policy to all internal and external recipients. Safe Attachments dynamic delivery shows users a placeholder while detonation completes, minimizing email delivery delay.
- Safe Links: Rewrites URLs in email and Teams messages to route through Microsoft's URL detonation service. Provides time-of-click protection — if a URL is benign at delivery time but later begins serving malware, Safe Links blocks access at click time. Enable 'Real-time URL scanning' and 'Apply Safe Links to email messages sent within the organization' — internal phishing chains are increasingly common in BEC operations.
- Anti-phishing policies: Configure impersonation protection for your C-suite and key executives by name. Enable mailbox intelligence (uses Microsoft Graph data about the user's email habits to identify impersonation). Set the phishing threshold to 3 (most aggressive) for high-risk user groups. Enable spoof intelligence and DMARC policy enforcement.
- Zero-Hour Auto Purge (ZAP): Retroactively removes messages from mailboxes after they were delivered if they are subsequently identified as malicious. ZAP is enabled by default but must not be disabled. It is one of Microsoft's most effective post-delivery threat remediation capabilities.
Teams External Access Controls
By default, Teams allows external users from any Microsoft tenant to initiate chats and calls with your users. This is the configuration that enabled the Midnight Blizzard social engineering campaign. Recommended configuration:
- Restrict external access to specific approved partner tenant domains rather than allowing all external tenants
- Disable unmanaged external account (personal Microsoft accounts) access completely
- Require users to explicitly accept chat requests from unknown external parties rather than allowing direct message delivery
- Enable Microsoft Defender for Office 365 Safe Links for Teams messages
M365 Incident Response: BEC Investigation
When a BEC incident is suspected in an M365 environment, the Microsoft 365 Compliance portal provides the primary investigation toolset. Use Content Search (now eDiscovery Standard) to search mailbox contents for specific date ranges, sender/recipient patterns, and keywords. The Unified Audit Log (UAL) provides tenant-wide activity records — mailbox access, file downloads, Teams messages, admin operations — retained for 180 days by default (raised from 90 days on October 17, 2023), extendable to 1 year with Microsoft 365 E5 or the E5 eDiscovery and Audit add-on. The Message Trace feature in Exchange admin center provides per-message delivery tracking.
For comprehensive M365 hardening assessments and incident response retainer services, Fortress MSSP maintains an incident response retainer program with M365-specialized practitioners. The Fortress managed security practice implements M365 Defender configurations that meet CIS Microsoft 365 Foundations Benchmark requirements. Contact us to schedule an M365 security configuration review.