A statement we make a lot in front of credit union boards and manufacturing leadership: the most likely way your business gets breached is through Microsoft 365, and your tenant probably isn't configured to stop it.
Microsoft 365 is genuinely well-engineered. Its security capabilities are excellent. But Microsoft has to ship a product that works for everyone — from a sole proprietor running a coffee shop to a Fortune 100 with a hundred-person security team. So the default configuration is permissive. It assumes you'll harden it from there.
Most businesses don't. Their IT admin set it up years ago, MFA got turned on at some point (maybe), and then the tenant sat there. Meanwhile attackers got better. Here's what we find when we do a tenant assessment for a new client.
1. Inbox rules and auto-forwarding
This is the single most common attacker behavior in business email compromise, and most tenants don't monitor for it.
When an attacker gets a user's password (usually through phishing), the first thing they do is set up an inbox rule. It moves all incoming mail from "billing," "wire," "vendor," "accounting," or specific contacts directly to RSS Subscriptions, Archive, or a fake folder where the user won't see it. Then the attacker can read and reply to invoices, wire instructions, and contract negotiations without the legitimate user ever knowing their email is being intercepted.
Even worse: auto-forwarding to external addresses. Many tenants allow users to set up rules that forward email to an outside address. Attackers love this — they don't even have to log in to read your mail. Just set up a forward and walk away.
What hardening looks like:
- Block auto-forwarding to external recipients at the tenant level. Two Exchange Online settings govern this: the outbound spam filter policy's automatic-forwarding mode and the Default remote domain's AutoForwardEnabled flag. Newer tenants inherit a blocking default from the outbound spam policy, but a custom outbound policy or the remote-domain flag can reopen it, so set it to Off explicitly and verify rather than assume.
- Alert on the creation of new inbox rules, especially rules that move messages to obscure folders or that filter by financial keywords.
- Review existing rules quarterly. Look for rules created by users that don't match the user's job function.
The Microsoft documentation for blocking external auto-forwarding is short and clear, but you have to know to look for it, and you have to check both settings. The vast majority of the tenants we assess have this wide open.
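The three hardening steps above, as an added PowerShell example that is not part of the original post. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and a placeholder tenant (contoso); the financial keyword list and the hiding-folder list are assumptions you should tune to your own business.

```powershell
# Added example (not from the original post). Needs the ExchangeOnlineManagement module
# and an Exchange administrator; the admin UPN and the keyword lists are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# --- 1. Tenant-level forwarding controls ---------------------------------------------
# AutoForwardingMode governs user-initiated forwarding (inbox rules, Outlook forwarding).
# 'Automatic' is Microsoft's default and currently behaves like 'Off'; set 'Off' explicitly
# on every outbound spam policy so a custom policy or a future default can't reopen it.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterPolicy |
    ForEach-Object { Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off }

# The Default remote domain ('*') is the second, older gate; AutoForwardEnabled = True is "wide open".
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# --- 2. Hunt for attacker-style inbox rules in every mailbox --------------------------
$keywords      = 'invoice', 'wire', 'payment', 'ach', 'remit', 'bank', 'vendor', 'billing', 'accounting', 'w-2'
$hidingFolders = 'RSS', 'Archive', 'Conversation History', 'Junk', 'Deleted'

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $why = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $why += 'forwards or redirects mail' }
        if ($rule.DeleteMessage) { $why += 'deletes messages' }
        if ($rule.MoveToFolder -and ($hidingFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $why += "moves mail to '$($rule.MoveToFolder)'"
        }
        # Conditions that single out money-related mail are the BEC signature.
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                 @($rule.SubjectOrBodyContainsWords) + @($rule.FromAddressContainsWords)
        $hits  = $words | Where-Object { $w = $_; $keywords | Where-Object { $w -like "*$_*" } }
        if ($hits) { $why += "filters on: $($hits -join ', ')" }

        if ($why) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled; Why = ($why -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# --- 3. Who created or changed rules in the last 30 days? -----------------------------
# Rule changes land in the unified audit log as New-InboxRule / Set-InboxRule (OWA, PowerShell)
# and UpdateInboxRules (Outlook desktop); the client IP lives inside the AuditData JSON.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
        @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate -Descending | Format-Table -AutoSize
```

The rule hunt is the part to run first on a suspected compromise: a rule that both filters on "wire" and moves to an RSS folder is close to a confirmed BEC. The audit search in step 3 is what your alerting should be built on; a rule-creation event from an IP address the user has never signed in from is worth a call to that user.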
2. Conditional access and MFA enforcement
Multi-factor authentication is the table-stakes control. Almost every business has it turned on for some users. Almost no business has it correctly configured.
Common gaps we find:
- MFA enabled but not enforced. In the legacy per-user MFA model, an account in the "Enabled" state is only asked to register at its next sign-in; it is not challenged until registration completes. An attacker who already has the password can be the one who completes it, registering their own phone or app on the compromised account and signing in normally from then on.
- Legacy authentication still allowed. Protocols that use Basic authentication (IMAP, POP, SMTP AUTH, ActiveSync with Basic) never prompt for a second factor. Microsoft retired Basic authentication for IMAP, POP, EWS and ActiveSync in Exchange Online, but SMTP AUTH is still available per tenant and per mailbox until you turn it off, and without a Conditional Access policy that blocks legacy clients you still have a back door.
- No conditional access policies based on location, device, or risk. A sign-in from Belarus at 3 AM should not be treated the same as a sign-in from the user's office. Conditional access can require additional verification — or block the sign-in entirely — based on signals about how the sign-in is happening.
- Privileged accounts protected the same way as regular users. Your global administrator account should have its own, much stricter rules.
What hardening looks like:
- Enforce MFA for every account. Service and automation accounts are not an exception; move them to managed identities, workload identities or certificate-based app registrations rather than app passwords, which exist only to let legacy-auth clients bypass MFA.
- Block all legacy authentication protocols with a Conditional Access policy (or security defaults), and disable SMTP AUTH at the tenant level. If a vendor application or a multifunction printer still requires it, replace it, or give that one device a scoped path (a per-mailbox exception or Exchange Online's connector-based relay) so the tenant-wide setting stays off.
- Configure Conditional Access policies that consider device compliance, location, and sign-in risk. At minimum, require MFA for every sign-in and block sign-ins from countries you don't do business in, keeping in mind that geo-blocking stops opportunistic attempts, not an attacker who proxies through a domestic IP address.
- Use phishing-resistant MFA: FIDO2 security keys, passkeys (including device-bound passkeys in Microsoft Authenticator), Windows Hello for Business, or certificate-based authentication. Microsoft Authenticator push with number matching is a real improvement over SMS codes, which fall to SIM swapping, but neither survives an adversary-in-the-middle phishing kit that proxies the real login page; only the phishing-resistant methods do.
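The Conditional Access and legacy-auth steps above, as an added PowerShell example that is not part of the original post. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Global Administrator, and a placeholder break-glass account (breakglass@contoso.onmicrosoft.com); the policy names are assumptions. The two GUIDs are Microsoft's built-in "Phishing-resistant MFA" authentication strength and the Global Administrator role template.

```powershell
# Added example (not from the original post). Needs Microsoft.Graph (Identity.SignIns, Reports,
# Users) and ExchangeOnlineManagement; the break-glass UPN and policy names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com').Id

# Policy 1: block legacy authentication for everyone except the break-glass account.
# Legacy clients show up as clientAppTypes 'exchangeActiveSync' and 'other'.
$blockLegacy = @{
    DisplayName   = 'CA001 - Block legacy authentication'
    State         = 'enabledForReportingButNotEnforced'   # start in report-only; flip to 'enabled' after review
    Conditions    = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: MFA on every sign-in for every user (again excluding break-glass).
$requireMfa = @{
    DisplayName   = 'CA002 - Require MFA for all users'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 3: administrators get the stricter rule, phishing-resistant MFA only.
# 00000000-0000-0000-0000-000000000004 = built-in "Phishing-resistant MFA" authentication strength
# 62e90394-69f5-4237-9190-012177145e10 = Global Administrator role template id
$adminStrength = @{
    DisplayName   = 'CA003 - Phishing-resistant MFA for Global Administrators'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users          = @{ IncludeRoles = @('62e90394-69f5-4237-9190-012177145e10'); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; AuthenticationStrength = @{ Id = '00000000-0000-0000-0000-000000000004' } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminStrength

# Before enforcing policy 1, see who would be caught: recent sign-ins whose client is neither a
# browser nor a modern app are legacy-auth sign-ins (filtered client-side; the sign-in log
# supports only limited server-side filtering on this property).
Get-MgAuditLogSignIn -Top 2000 |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending

# Close the SMTP AUTH back door at the tenant level. Microsoft retired Basic auth for
# IMAP/POP/EWS/ActiveSync in Exchange Online, but SMTP AUTH stays available until you disable it.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# A single device that truly needs it can be re-enabled per mailbox:
# Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false
```

All three policies are created in report-only mode on purpose: the sign-in log then shows "report-only: failure" for every sign-in the policy would have blocked, which is how you find the printer or the vendor integration before it finds you. Switch State to 'enabled' only after that list is empty or accounted for.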
3. Privileged account hygiene
Most tenants we look at have too many global administrators, and the ones they have are configured wrong.
Common gaps:
- Three to five global administrators where one or two would do. Each one is a target.
- Global admin accounts that are also used as everyday user accounts (the same person reads email, opens attachments, browses the web with their admin account).
- No emergency "break glass" account: a cloud-only account excluded from every Conditional Access policy and protected with maximum security. Without one, a bad Conditional Access policy or an MFA outage can lock every administrator out of the tenant at the same time, with a Microsoft support case as the only way back in.
- Admin accounts without their own dedicated MFA methods.
What hardening looks like:
- Limit global admins to the minimum number you can operate with — typically two.
- Each admin should have a separate admin account that is not their email account. The admin account is used only for administrative tasks.
- Establish a break-glass account (Microsoft's guidance is two) with a very long randomized password stored offline, phishing-resistant MFA on a hardware key kept in a safe, an alert on every sign-in, and explicit exclusion from the Conditional Access policies that could lock it out.
- Use Privileged Identity Management (PIM) so administrators are eligible for roles and activate them just in time, with justification and approval, rather than holding persistent admin rights. Requires Microsoft Entra ID P2.
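A check for the four gaps above (admin count, admin accounts doubling as mailboxes, MFA registration, and the break-glass exclusion), as an added PowerShell example that is not part of the original post. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and a placeholder break-glass account; it lists active Global Administrator assignments only, so PIM-eligible assignments (which is where they should be) do not appear.

```powershell
# Added example (not from the original post). Needs Microsoft.Graph (DirectoryManagement, Identity.SignIns,
# Reports, Users) and ExchangeOnlineManagement; the break-glass UPN is a placeholder.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Policy.Read.All', 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All', 'User.Read.All'
Connect-ExchangeOnline

# --- 1. Who holds Global Administrator right now? ---------------------------------------
# Active assignments only; PIM-eligible assignments do not appear here, which is the point of PIM.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $gaMembers) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    # A Global Administrator with a mailbox is almost always someone's everyday account.
    $hasMailbox = [bool](Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        Admin         = $upn
        HasMailbox    = $hasMailbox
        MfaRegistered = $reg.IsMfaRegistered
        Methods       = ($reg.MethodsRegistered -join ', ')
    }
}
"Global Administrators with active assignment: $(@($report).Count) (target: two, plus break-glass)"
$report | Format-Table -AutoSize

# --- 2. Is the break-glass account excluded from every enabled Conditional Access policy? ---
$bg = Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com'
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $bg.Id } |
    ForEach-Object { Write-Warning "Break-glass account is NOT excluded from policy: $($_.DisplayName)" }

# --- 3. Has anyone used the break-glass account? Any sign-in is an incident until proven otherwise.
Get-MgAuditLogSignIn -Filter "userId eq '$($bg.Id)'" -Top 50 |
    Select-Object CreatedDateTime, IPAddress, AppDisplayName, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
```

Read the report with the page's rules in mind: more than two rows, any row with HasMailbox = True, and any row whose Methods column lists only a phone number are each a finding. Step 3 is the manual version of the alert the break-glass account should already have; a successful sign-in (ErrorCode 0) nobody can explain means the password and key are no longer only yours.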
4. Audit logging
When something does go wrong, you need to know what happened. In most tenants, that visibility doesn't exist by default.
Common gaps:
- Unified audit log not enabled. It's enabled by default for new tenants, but older tenants often have it off, and we still find this in 2026.
- Mailbox auditing inconsistent. Microsoft turns it on by default for new tenants, but the set of actions logged for a given mailbox depends on its license and on when the tenant was created: MailItemsAccessed, the event that tells you which messages an attacker actually read, is not guaranteed to be in every mailbox's audit set, and any mailbox can be placed on the audit bypass list. Verify the action set; don't assume it.
- Logs retained for too short a time. Audit (Standard) keeps records for 180 days (it was 90 until late 2023); Audit (Premium) keeps them for a year. Sophisticated attackers often dwell in environments for months before the encryption or extortion phase, and a six-month window is easy to outlive, so by the time you find evidence, the logs are gone.
What hardening looks like:
- Confirm the unified audit log is on. Test by searching it.
- Enable mailbox audit logging for all critical mailboxes and verify the actions you care about are being captured.
- Extend log retention. Purview Audit (Premium) keeps audit records for one year by default, and audit log retention policies can extend specific record types to ten years with the add-on license.
- Stream the audit log to a SIEM if you have one. Logs in a SIEM are searchable, correlatable, and harder for an attacker to wipe than logs sitting only in the Microsoft 365 admin console.
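The audit checks above, as an added PowerShell example that is not part of the original post. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, a placeholder mailbox (cfo@contoso.com), and, for the last step, Purview Audit (Premium) licensing; the list of actions to require is an assumption you should adjust.

```powershell
# Added example (not from the original post). Needs ExchangeOnlineManagement and an account
# with the Audit Logs role; the CFO mailbox and the wanted-actions list are placeholders.
Connect-ExchangeOnline

# --- 1. Unified audit log: is ingestion on, and does a search actually return data? ----
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it (new events take a while to appear)'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
$sample = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10)
"Unified audit log returned $($sample.Count) records for the last 24 hours (0 on a live tenant is a problem)"

# --- 2. Mailbox auditing: org-level default, then each mailbox's effective action list ----
"Org-level AuditDisabled: $((Get-OrganizationConfig).AuditDisabled)  (want False)"

$wanted = 'MailItemsAccessed', 'UpdateInboxRules', 'MailboxLogin', 'SendAs', 'SendOnBehalf'
$gaps = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox `
            -Properties AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin |
    ForEach-Object {
        $mbx     = $_
        $present = @($mbx.AuditOwner) + @($mbx.AuditDelegate) + @($mbx.AuditAdmin)
        $missing = @($wanted | Where-Object { $present -notcontains $_ })
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            AuditEnabled = $mbx.AuditEnabled
            Missing      = ($missing -join ', ')
        }
    } | Where-Object { -not $_.AuditEnabled -or $_.Missing }
$gaps | Format-Table -AutoSize

# Fix a mailbox that came up short. MailItemsAccessed may be rejected on a mailbox that isn't
# licensed for it, so it is added in a separate call that can fail on its own.
Set-Mailbox -Identity 'cfo@contoso.com' -AuditEnabled $true `
    -AuditOwner    @{ Add = 'MailboxLogin', 'UpdateInboxRules' } `
    -AuditDelegate @{ Add = 'SendAs', 'SendOnBehalf' }
Set-Mailbox -Identity 'cfo@contoso.com' -AuditOwner @{ Add = 'MailItemsAccessed' } -AuditDelegate @{ Add = 'MailItemsAccessed' }

# Nobody should be on the audit bypass list; an attacker with admin rights would put themselves here.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object Name, AuditBypassEnabled

# --- 3. Retention (Purview Audit Premium): keep Exchange records for a year ---------------
Connect-IPPSSession
New-UnifiedAuditLogRetentionPolicy -Name 'Exchange activity - 12 months' `
    -RecordTypes ExchangeAdmin, ExchangeItem, ExchangeItemGroup `
    -RetentionDuration TwelveMonths -Priority 1
```

The first search is the real test the page asks for: the ingestion flag can read True while nothing is flowing yet, and an empty result on a tenant with active users is the finding. The bypass-list check belongs in the same quarterly review as inbox rules.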
5. SharePoint, OneDrive, and Teams external sharing
By default, the organization-level sharing setting in most tenants is "Anyone", which lets users share files with people outside the organization who never have to sign in. A link that requires nothing more than knowing the URL can grant view or edit access.
This is great for collaboration. It's not great for data control.
Common gaps:
- Anonymous "anyone with the link" sharing enabled.
- No expiration on shared links.
- Sharing to external users not logged in a way the security team can review.
- Sensitive site libraries (HR, finance, executive) configured with the same sharing defaults as general team sites.
What hardening looks like:
- Disable anonymous link sharing at the tenant level. Sharing should require the recipient to authenticate.
- Require expiration on external sharing links — 30 to 90 days is a reasonable default.
- Set sensitive sites and libraries to internal-only sharing, with no override.
- Periodically review who has access to what. SharePoint's external-user listing and Entra access reviews cover the who; Microsoft Purview sensitivity labels can pin the internal-only setting to a site so it can't drift. Even manual reviews are better than nothing.
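The four sharing controls above, as an added PowerShell example that is not part of the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator, and placeholder tenant and site URLs (contoso; HR, Finance and Exec sites); the 60-day guest expiry is an assumption inside the page's 30 to 90 day range.

```powershell
# Added example (not from the original post). Needs Microsoft.Online.SharePoint.PowerShell
# and a SharePoint administrator; the tenant name and site URLs are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# --- 1. Where does the tenant stand today? -----------------------------------------------
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays

# --- 2. Tenant-level fix: no anonymous links, new links default to internal / view-only,
# and external guests expire after 60 days unless a site owner renews them.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# --- 3. Sites whose own setting still reads 'Anyone' (a site can be stricter than the tenant,
# never looser, so after step 2 these are effectively guest-only; the list still shows intent),
# then lock the sensitive sites to internal-only with no site-owner override.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability

$sensitive = 'https://contoso.sharepoint.com/sites/HR',
             'https://contoso.sharepoint.com/sites/Finance',
             'https://contoso.sharepoint.com/sites/Exec'
foreach ($url in $sensitive) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# --- 4. Periodic review: which sites (OneDrive included) have external users at all? ------
Get-SPOSite -Limit All -IncludePersonalSite $true |
    ForEach-Object {
        $ext = Get-SPOExternalUser -SiteUrl $_.Url -PageSize 50
        if ($ext) { [pscustomobject]@{ Site = $_.Url; ExternalUsers = ($ext.Email -join ', ') } }
    } | Format-Table -AutoSize
```

Step 4 walks every site and is slow on a large tenant; run it from a scheduled job and diff the output month to month, since the interesting row is the external address that appeared on a finance site since last review.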
6. Email phishing defense beyond the default
The phish defense that ships with Microsoft 365 catches a lot. It doesn't catch enough.
The gap is most visible with business email compromise — attackers who don't send malware, just well-crafted messages that look like internal mail, vendor mail, or executive mail. They're targeting employees in finance or HR, asking for wire transfers, password resets, or W-2 information. Microsoft's standard filters often miss these because the messages don't carry payloads — they just lie.
What hardening looks like:
- Layer impersonation and behavior-based protection on top of Exchange Online Protection. Defender for Office 365's impersonation protection is the first-party step up; third-party products that model sender behavior, reputation and the social-engineering patterns Microsoft's default filters under-weight catch more of the payload-free messages described above.
- Configure SPF, DKIM and DMARC correctly for every sending domain, with a DMARC policy of quarantine or reject rather than the monitoring-only p=none, and enable DKIM signing on the tenant side. Records that only monitor tell you about spoofing after the fact; an enforcing policy stops attackers from impersonating you to your own employees.
- Train users continuously, not annually. Phishing simulations that get harder over time work better than one-shot training videos.
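A check for the email-authentication bullet above, as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell or PowerShell 7 on Windows (Resolve-DnsName comes from the DnsClient module), the ExchangeOnlineManagement module for the last step, and a placeholder sending domain (contoso.com). It goes one step beyond the text by also reporting whether SPF ends in a hard fail and whether DMARC is enforcing.

```powershell
# Added example (not from the original post). Pure DNS lookups plus one Exchange Online call;
# 'contoso.com' is a placeholder for your sending domain.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # TXT records can be split into several strings; join them before inspecting.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1

    # Microsoft 365 signs with two rotating selectors; each must be a CNAME into the tenant's
    # onmicrosoft.com zone, or DKIM is not set up for this domain regardless of the tenant setting.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        $r = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        "$sel -> $(if ($r.NameHost) { $r.NameHost } else { 'missing' })"
    }

    # The 'p=' tag at the start of a tag, not the 'sp=' subdomain policy, is the one that counts.
    $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }

    [pscustomobject]@{
        Domain         = $Domain
        SPF            = if ($spf) { $spf } else { 'missing' }
        SpfHardFail    = [bool]($spf -match '\s-all\s*$')      # '~all' softfail is not a block
        DMARC          = if ($dmarc) { $dmarc } else { 'missing' }
        DmarcEnforcing = $policy -in 'quarantine', 'reject'   # 'none' only reports
        DkimCnames     = ($dkim -join '; ')
    }
}

Test-MailAuthRecords -Domain 'contoso.com' | Format-List

# DNS is half of DKIM; signing must also be enabled on the tenant side for each domain.
Connect-ExchangeOnline
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status
```

A domain that shows SpfHardFail = False, DmarcEnforcing = False, or a missing selector is one an attacker can impersonate to your own staff with a plain spoofed From header; fix those before spending money on a filtering layer that would otherwise be asked to guess.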
How to know where you stand
You don't have to take our word for any of this. Microsoft Secure Score, in the Microsoft Defender portal (security.microsoft.com), is free with any tenant. It scores your configuration against Microsoft's recommended baselines and lists the controls you're missing, with a point value for each.
In our experience, most credit unions and manufacturers we assess start somewhere between 35% and 55% Secure Score. Getting to 70-80% is achievable in a quarter. Getting to 90%+ takes ongoing work but it's doable with discipline.
If that number isn't where you'd want it to be when an examiner or auditor asks, that's a manageable problem — but only if you start looking at it before someone else does.
If you'd like a no-pressure look at how your Microsoft 365 tenant is configured today, that's the work DC Plus does as part of a free assessment. We'll show you your Secure Score, walk through the gaps that matter most, and leave you with a punch list — whether you hire us to close them or not.
