Top M365 Security Issues and How to Solve Them

Microsoft’s cloud apps top the popularity charts, with OneDrive alone used by more than 65% of enterprise users each month, according to Netskope. Hackers know it, too—Microsoft apps are the top phishing target, and as a result, M365 security has never been more important. Shockingly, Microsoft itself announced in January that Nobelium, the Russian state-sponsored gang behind the SolarWinds attack, had breached the M365 emails of its senior executives in a multistage attack. How can you ensure your own M365 security is solid? LMG’s expert cybersecurity testers have put together our top list of M365 security best practices recommendations, based on our analysis of hundreds of real-world environments. Read on to view our top M365 security issues and how to solve them!

Common M365 Security Issues

1. Multi-factor authentication is not enforced for all users
Identity-based attacks are the most common way that cybercriminals breach organizations. According to the Microsoft Digital Defense Report 2023, cybercriminals made an average of 4,000 attempts per second to compromise Microsoft cloud identities in password-based attacks. Luckily, it is also one of the easiest attack vectors to protect against.

Multi-factor authentication (MFA) protects against password-based attacks by requiring an additional layer of authentication before granting access to systems. “MFA is a critical piece of effective identity architecture and must be enabled for all users, especially those with administrative roles,” notes Dan Featherman, principal consultant at LMG Security. “Our penetration testing team consistently utilizes brute-force and credential stuffing techniques to compromise vulnerable systems during testing. Recently, we gained access to an email account containing ePHI through simple password-guessing. This easily could have resulted in a 7-figure health data breach, had attackers broken in first,” Featherman stated. Regular cloud security assessments can help identify M365 security gaps. Check out our tips on how to reduce web app and cloud security risks.

2. Third-party application integrations are not blocked
If we learned one thing in 2023, it’s that third-party app integrations drastically increase the risk of supply chain attacks and can devastate hundreds of organizations at once. Each integrated application requires users to accept specific permissions, altering the way data and resources are accessed. Researchers from Adaptive Shield found that a whopping 39% of apps request high-risk permissions from M365.

As part of M365 security best practices, it is imperative that organizations limit third-party applications from connecting to their services unless absolutely necessary. In the case that a third-party application must be integrated, security teams must make sure that the proper security controls are in place and that vendors are vetted properly. For more information, please see our blog on supply chain cybersecurity.

3. Lack of SharePoint data classification and external sharing policies
SharePoint in Microsoft 365 is a treasure trove of data, making these accounts an excellent (and common) target for cybercriminals. SharePoint has already made headlines this year, with CISA warning that a critical severity flaw is being actively exploited. To reduce the risk and impacts from an attack, you should create appropriate data classification policies in SharePoint for Microsoft 365. This allows organizations to categorize their data based on sensitivity and use these categories to implement appropriate policy-based protections and governance controls. Failure to inventory your SharePoint in Microsoft 365 data, set up data classification policies, and effectively implement them will leave your organization vulnerable to attack and possible data exposure. Additionally, we recommend that organizations add threat intelligence monitoring to their cybersecurity programs to stay apprised of the latest threats and remediations.

4. Mail forwarding is not blocked or disabled
Business email compromise (BEC) remains a top attack vector, with the Microsoft Digital Crimes Unit documenting an average of 156,000 BEC attempts daily from April 2022 – April 2023. Very commonly, hackers add mail forwarding rules as soon as they break into an account so they can track the victim’s communications. All too often, these forwarding rules are never discovered or removed. To harden your M365 security against these attacks, Exchange Online mail transport rules must block external forwarding while Outlook automatic forwarding rules must be disabled. Check out LMG’s video on Business Email Compromise scams to see a case where real hackers broke into an M365 account and added malicious mail forwarding rules.

5. Legacy authentication protocols are not blocked
In addition to enabling multi-factor authentication on all accounts, make sure to block legacy authentication protocols. These outdated authentication mechanisms do not support MFA and are commonly exploited by threat actors in password-based attacks, so blocking these legacy authentication protocols is an important M365 security best practice.

6. Azure AD Identity Protection user risk and sign-in policies are not enabled
It’s critical to carefully configure identity systems such as Azure Active Directory (AD), now Microsoft Entra ID, to protect against intrusions and unauthorized access of high-privilege resources. LMG’s experts strongly recommend that administrators tighten M365 security by enabling both the user risk and sign-in risk policies to detect suspicious logins and challenge them for multi-factor authentication.

7. OneDrive sync is allowed for unmanaged devices
Bring Your Own Device (BYOD) is convenient and can save money, but at the same time, unmanaged devices drastically expand your attack surface. In fact, researchers from Microsoft found that unmanaged devices accounted for 80-90% of all observed compromises in 2023. To mitigate the risks of costly data leaks and intrusions, restrict OneDrive sync for all unmanaged devices across the environment. See our blog on remote work security to learn more.

Microsoft’s cloud apps are the most popular in the world, and as a result, they are a top target for hackers. Make sure to tackle these top M365 security issues in order to reduce your risk. LMG’s expert team is here to help you and answer questions if you need support. Please contact us for assistance with M365 security and configuration reviews, penetration testing, MFA, and many other high-impact cybersecurity services.