Growing numbers of organizations are making the move to Microsoft 365, a very popular suite of productivity solutions including Outlook, OneDrive, and SharePoint. Enabling collaboration for home, business, and enterprise environments, Microsoft 365 is one of the most widely used suites housed in the public cloud today.

While Microsoft has taken measures to protect their cloud services, users should still be aware of its vulnerable areas and work to secure them. Read on to learn the top four security concerns and how you can secure each one.

1 – Compromised of Global administrator accounts

Microsoft 365’s centralized administration model is designed to give Global administrators the highest level of administrator privileges at the tenant level. These Global accounts are the first ones created in a new environment and used to configure the tenant. Global administrators are also responsible for migrating and granting access to future users. Often, threat actors target these administrator accounts to gain the same level of high privileges.

After compromising a Global admin account, they are free to:

  • Alter critical settings,
  • Remove safeguard settings,
  • Leave backdoors open, and
  • Access valuable data.

Action: Enable MFA for administrator accounts immediately
These admin accounts are based in the cloud and, therefore, exposed to internet access. Multi-factor authentication (MFA) is the best method to mitigate account compromise. In Microsoft 365, the Global admin must manually enable MFA to ensure that threat actors cannot exploit their administrator privileges. If not secured immediately, cloud-based accounts can become a quick avenue for attack.

2 – Abuse of user privileges

Though it is convenient to give blanket access to all your account users, it is very poor cybersecurity hygiene and makes way for security concerns abound. Giving users more permissions than they need to perform their role increases the risk of data breaches. Users may expose sensitive data by accident through malicious tactics like phishing and social engineering, or deliberately (insider threats).

Further, enabling over-privileged users means you are creating more opportunities for threat actors. Let’s say that a Global admin account is out of reach or protected via MFA. Coming across a regular user account with no MFA enabled and more permissions than needed would be just as good to the attacker.

Action: Assign permissions using role-based access control (RBAC)
Minimizing privileges and implementing a principle of least privilege is a significant way to thwart threat actors from exploiting your regular user accounts. Using Microsoft’s built-in administrator roles can also help you identify and organize who needs what permissions. Always assign users the minimum level of permissions they need to complete their tasks. Also, review your roster of accounts often to revoke excessive permissions or deactivate accounts or roles no longer in use.

3 – Disabled mailbox auditing

Prior to January 2019, Microsoft did not enable mailbox auditing by default in their 365 environment. So, users who procured their 365 accounts before January 2019 are required to manually enable this auditing capability. Keep in mind that after it is enabled, you will only see events going forward. There is no visibility available for past events. Remember, where there is email communication, there is room for vulnerability.

Threat actors who have infiltrated your system can hideout for months while extracting valuable intel from emails, including:

  • Financial data/invoices,
  • Credentials,
  • Names and contact information of prominent staff and executives,
  • Work plans/schedules, and more.

Action: Enable mailbox auditing in Exchange Admin Center
Protecting your email system should be a number one priority once a Global administrator has configured MFA on all accounts. In Exchange Online, admin should enable mailbox auditing to track and identify suspicious behavior. This may include tracking deleted/missing items or when a sent email threshold has been exceeded. Admins can also turn on alerts for all questionable behavior, allowing them to identify and mitigate malicious activity faster.

4 – Business Email Compromise (BEC)

Phishing, whaling, and social engineering are all common tactics used by threat actors to exploit users through email. Emails are a simple vehicle for attackers to deploy malware, viruses, ransomware, and more to a system. Though Microsoft’s 365 environment includes some protection against these attacks, it only takes one wrong move from an unsuspecting user to let the threat in.

Action: Enable mail flow rules in Exchange Admin Center
Use mail flow rules, also known as transport rules, to identify and manage email messages that flow through your organization. These rules allow admins to act on email messages while they are still in transit from the sender to the receiver; not after it’s been delivered. Mail flow rules provide admins with the ability to implement a variety of messaging policies for the larger organization such as those warning against ransomware.

Action: Protect against malware and phishing
In the Security & Compliance Center, administrators can edit and manage the default anti-malware policy. They can also configure the list of common attachment types to limit sendable and receivable file types.

Action: Turn off auto-forwarding
Threat actors that have successfully gained a foothold in a victim’s mailbox can exfiltrate email by configuring it to automatically forward email. Global admins should set up a mail flow rule to reject auto-forwarding emails to external domains.

Action: Use Office Message Encryption
An encryption service is included in your Microsoft 365 environment. It allows users within your organization to send and receive encrypted email with one another and with external users. Encryption helps ensure that only the intended recipient can view the original content.


Potential vulnerabilities exist in all technology solutions including robust, business-critical ones like Microsoft 365. Looking at these four top security concerns within their powerful suite of products shows why it is so important to be proactive and take security seriously. Organizations moving to cloud-powered platforms should be aware of any gaps in their security coverage and consider partnering with third-party providers to ensure a strong end-to-end security posture.

More Information

When an attack occurs, detection and response times often determine whether the actors succeed in their efforts. With attackers acting faster than ever, investing in an around-the-clock true Managed Detection and Response (MDR) service means that you can fight back within minutes and hours, not days and weeks.

Combine both prevention and advanced tradecraft detection technologies to monitor your account activity and behavior in real-time. 24/7 active threat hunting and response service provided by experienced security analysts can detect reconnaissance activities at their earliest stages. Learn more about such capabilities at Blackpoint Cyber.

Want something new to listen to?

Check out our podcast, The Unfair Fight, where you can hear industry insights from Blackpoint Cyber leadership and our special guests firsthand.