Microsoft 365 is the productivity platform for the majority of UK businesses. Email, documents, collaboration, identity management, and cloud storage all flow through it. That concentration of business-critical functionality makes it a prime target. And because M365 is complex, widely deployed, and configured by teams with varying security expertise, misconfigurations are common.
Attackers specifically study M365 defaults and configuration patterns. They know which settings are typically left at their defaults, which legacy features remain enabled in older tenants, and which attack paths require nothing more than a valid set of credentials to follow.
Credential-Based Entry
The most common initial access method in M365 attacks is compromised credentials. Phishing, credential stuffing, and password spray attacks all work against organisations where MFA is not enforced. Password spray attacks are particularly effective: they try a single common password against many accounts, staying under lockout thresholds while still succeeding against accounts with weak passwords.
Once inside a mailbox, an attacker has options. They read emails to understand business processes, identify payment workflows, and gather information for further social engineering. They look for credentials in email history: shared passwords, account confirmations, and IT provisioning messages. They set up mail forwarding rules that exfiltrate ongoing email to an external address.
OAuth Application Abuse
OAuth consent phishing delivers links that prompt users to grant permissions to malicious applications registered in Azure AD. The user authenticates legitimately and consents to an application that appears to offer a useful service. The application receives a long-lived token with broad access to the user’s M365 data, and that application is under the attacker’s control.
This attack bypasses MFA entirely because it occurs through a legitimate OAuth flow. The application permissions can include reading and sending email, accessing files, and reading calendar data. Detection is difficult because all the activity looks like authorised application access.
Tenant-Level Configuration Weaknesses
Many M365 security improvements require deliberate configuration. The defaults are not always secure. External forwarding enabled organisation-wide, legacy authentication not blocked, unified audit logging disabled, and anonymous sharing enabled on SharePoint are all default or near-default states that create risk.
Azure penetration testing that includes M365 tenant assessment systematically reviews these settings, maps the attack paths they enable, and provides concrete remediation guidance. A tenant that has been configured with security in mind looks very different from one that was deployed quickly and left at defaults.
Privilege Escalation Within M365
An attacker with a standard user account does not stop there. They look for paths to higher privilege. Exchange administrator roles, SharePoint administrator access, and Global Administrator are all targets. Service accounts with delegated permissions, over-permissioned app registrations, and admin accounts without MFA are all usable stepping stones.
External network penetration testing of your M365 perimeter (the login portals, API endpoints, and federated authentication systems) tests what is reachable before any credentials are obtained. Understanding your external M365 exposure is a useful starting point for a broader assessment.
What Good M365 Security Looks Like
Enforce MFA across all accounts, including service accounts. Block legacy authentication. Enable unified audit logging and ship logs to a SIEM. Restrict OAuth consent to admin-approved applications. Review external sharing settings and apply sensitivity labels to classify and protect documents.
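Shipping the unified audit log to a SIEM only pays off if something is watching it. The following is an added example (not code from the original article or from Aardwolf Security) of detection logic a defender might run over audit records to catch two of the attack paths described above: inbox or mailbox forwarding to external domains, and user consent to an OAuth application. The sample records are constructed, and the field names (Operation, Workload, UserId, Parameters as Name/Value pairs) are assumed to follow the shape of Exchange and Azure AD entries in the unified audit log.

```python
# Constructed sample records, shaped like unified audit log entries (assumption:
# Exchange cmdlet records carry "Parameters" as a list of {"Name", "Value"} pairs).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "collector@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Set-Mailbox", "Workload": "Exchange", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external.example"}]},
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "dave@corp.example", "ObjectId": "Mail Helper Pro"},
]

INTERNAL_DOMAINS = {"corp.example"}          # the tenant's own domains (constructed)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address is outside the tenant's own domains."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):                 # Exchange prefixes proxy addresses
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in internal_domains

def find_findings(records, internal_domains=INTERNAL_DOMAINS):
    """Return (user, operation, detail, value) tuples worth an analyst's attention."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op in RULE_OPERATIONS:
            for p in rec.get("Parameters", []):
                if p.get("Name") in FORWARD_PARAMS:
                    # a forwarding parameter may list several addresses separated by ';'
                    for addr in str(p.get("Value", "")).split(";"):
                        if addr.strip() and is_external(addr, internal_domains):
                            findings.append((rec["UserId"], op, p["Name"], addr.strip()))
        elif op == "Consent to application.":
            # every user-granted consent is reviewed; admin-only consent should make these rare
            findings.append((rec["UserId"], op, "Application", rec.get("ObjectId", "unknown")))
    return findings

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_RECORDS):
        print(finding)
```

Bob's rule, which only moves mail to a folder, is not flagged; Alice's external forward, Carol's mailbox-level forward, and Dave's application consent are.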
These are not exotic measures. They are well-documented Microsoft recommendations that many organisations have simply not implemented. The gap between knowing what to do and having done it is where most M365 compromise opportunities live.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Microsoft 365 attacks are among the most common incidents we see reported. The attack paths are well-documented, which means the defences are well-documented too. The organisations that get compromised are almost always those that have not implemented the controls that Microsoft themselves recommend.”