
Microsoft 365: a prime target, but not a lost cause


Robert Johnston at Adlumin, an N-able company, argues that Microsoft 365 is only attacked so frequently because many organisations fail to configure it properly

 

Microsoft 365 is the backbone of countless organisations around the globe, powering everything from email to document sharing to calendar invites. It’s integrated into how we work, collaborate, and communicate. Despite Microsoft’s robust security infrastructure, Microsoft 365 has become one of the most targeted platforms in the world. 

 

Let’s be clear: Microsoft 365 is not insecure. Microsoft offers a broad and effective suite of security tools. The challenge lies in how it’s implemented, especially in the case of smaller organisations with limited resources or experience. Many simply lack the time, expertise, or awareness to properly secure the platform, leaving it vulnerable to cyber-attacks that exploit misconfiguration and complacency rather than product flaws.

 

Why Microsoft 365 is so frequently attacked

Microsoft 365’s popularity and market dominance make it a magnet for attackers. It’s cloud-based, device-agnostic, and designed for accessibility, which makes it a popular target for probing, testing and, in some cases, exploiting from anywhere in the world.

 

Many small and mid-sized organisations assume that Microsoft’s built-in protections will handle everything by default. But that’s not how the platform works. Microsoft 365 is a powerful suite with sophisticated security capabilities—but only if they’re turned on, configured correctly, and monitored.

 

Two-thirds of cyber-attacks today begin with compromised credentials. But 95% of attacks that involve Microsoft 365 begin in the cloud using compromised credentials, according to the 2025 State of the SOC report released by N-able. An email address and password alone are no longer enough to protect your information.

 

While multi-factor authentication (MFA) is one of the most effective deterrents against using compromised passwords, its adoption remains surprisingly low. It is thought that only 34% of medium-sized businesses are using a form of MFA, and Microsoft says that over 99.9% of compromised accounts didn’t have multifactor authentication turned on.

 

Microsoft 365 has the tools; you just need to use them

Microsoft offers a wide range of powerful security features designed to protect against the very threats that plague its user base. Some of the most important include: 

  • Conditional access policies: Dynamic access control based on user risk, location, device, or behaviour. Should a user be accessing their account in the middle of the night, from across the globe, using a previously unseen device?
  • Microsoft Defender for Office 365: Advanced threat detection and phishing prevention to help stop users from giving away their passwords in the first place.
  • Privileged Identity Management (PIM): Just-in-time privileged access to reduce attack surfaces—not every user needs access to every document and resource.
  • Audit logs and sign-in logs: Tools for visibility and incident tracing.
  • Session control and token management: Crucial for containing post-authentication attacks. 

These are highly effective solutions, but they can’t help if organisations don’t know they exist or don’t understand how to deploy them correctly.

 

The real-world risk that we see daily

With thousands of customers globally, every day we detect and halt at least one breach attempt involving Microsoft 365.

 

A typical attack begins when a user reuses their work credentials on a third-party site; those credentials are stolen, then leaked or sold. An attacker can use them to log into Microsoft 365 via the web portal where, in the absence of MFA or detection, they can move laterally or deploy additional payloads undetected.

 

Often, this compromise can go unnoticed for weeks or months. We’ve traced incidents back to single email-password reuse cases from six months earlier. Once inside, attackers exploit the cloud-based accessibility to quietly escalate privileges, siphon data, or deploy ransomware.

 

What organisations can do today

To secure M365, organisations don’t need to rip and replace. They need to optimise. Here’s where to start: 

  • Look into MFA: Basic MFA is a good start, but best practices involve using number matching instead of simple push approvals, limiting retry attempts to prevent fatigue attacks, and blocking legacy protocols that can bypass MFA altogether.
  • Use Microsoft’s native telemetry: Many organisations have the signals to detect issues; they just aren’t looking at them. Identity Protection and sign-in logs are powerful tools for spotting unusual behaviour early.
  • Leverage automation and AI where you can: Solutions now exist with the capability to detect anomalies, such as a user suddenly logging in at midnight from a new device and downloading 100GB of data.
  • Partner with experts: Smaller teams often don’t have the capacity to learn every nuance of Microsoft 365’s security model. Partnering with Managed Detection and Response (MDR) providers who understand the platform deeply can close that gap without requiring a massive in-house investment. 
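
One way to put the telemetry and anomaly points above into practice, as an added example that is not from the article or from Microsoft: a triage pass over exported sign-in records that surfaces legacy-protocol logins and successful sign-ins combining several unusual signals. Field names follow the Microsoft Graph signIn resource; the sample records, the working-hours window, the legacy client list and the two-signal threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Values of clientAppUsed treated as legacy authentication (assumed list, not exhaustive).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
WORK_HOURS_UTC = range(7, 20)  # assumption: normal working hours for this tenant
MFA, SFA = "multiFactorAuthentication", "singleFactorAuthentication"

def rec(user, ts, app, auth, os_name, browser, country, code=0):
    """Build one record using field names from the Microsoft Graph signIn resource."""
    return {"userPrincipalName": user, "createdDateTime": ts, "clientAppUsed": app,
            "authenticationRequirement": auth, "status": {"errorCode": code},
            "deviceDetail": {"operatingSystem": os_name, "browser": browser},
            "location": {"countryOrRegion": country}}

# Constructed sample data, not taken from any real tenant.
SIGNINS = [
    rec("alice@example.com", "2025-03-03T09:12:00Z", "Browser", MFA, "Windows 10", "Edge", "GB"),
    rec("bob@example.com", "2025-03-04T11:30:00Z", "Browser", MFA, "macOS", "Safari", "GB"),
    rec("bob@example.com", "2025-03-05T08:45:00Z", "IMAP4", SFA, "", "", "GB"),
    rec("alice@example.com", "2025-03-06T00:10:00Z", "Browser", SFA, "Linux", "Firefox", "BR", 50126),
    rec("alice@example.com", "2025-03-06T00:14:00Z", "Browser", SFA, "Linux", "Firefox", "BR"),
    rec("alice@example.com", "2025-03-06T09:02:00Z", "Browser", MFA, "Windows 10", "Edge", "GB"),
]

def review_signins(records, work_hours=WORK_HOURS_UTC):
    """Return (user, timestamp, reasons) for successful sign-ins that deserve triage."""
    devices, countries, findings = defaultdict(set), defaultdict(set), []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue  # failed attempts are out of scope for this pass
        user = r["userPrincipalName"]
        when = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        device = (r["deviceDetail"]["operatingSystem"], r["deviceDetail"]["browser"])
        country = r["location"]["countryOrRegion"]
        checks = [("legacy-protocol", r["clientAppUsed"] in LEGACY_CLIENTS),
                  ("single-factor", r["authenticationRequirement"] == SFA),
                  ("new-device", bool(devices[user]) and device not in devices[user]),
                  ("new-country", bool(countries[user]) and country not in countries[user]),
                  ("off-hours", when.hour not in work_hours)]
        reasons = [name for name, hit in checks if hit]
        # Legacy protocols always surface; other signals need corroboration.
        if "legacy-protocol" in reasons or len(reasons) >= 2:
            findings.append((user, r["createdDateTime"], reasons))
        else:
            devices[user].add(device)      # only unflagged sign-ins extend the baseline
            countries[user].add(country)
    return findings
```

Flagged sign-ins are deliberately kept out of the per-user baseline, so a session that looks wrong cannot make later ones from the same device or country look normal.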

 

Microsoft 365 doesn’t have to be your weak link

Microsoft 365 is a secure platform when configured and monitored properly. The tools are there. The logs are there. The controls are there. What’s missing is often the time, guidance, and operational muscle to implement them.

 

Attackers will continue to exploit the path of least resistance. For many, that’s an unsecured Microsoft 365 account, but that doesn’t have to be your story.

 

Put simply, if you’re using Microsoft 365, you’re already holding a powerful set of security keys. It’s time to use them.

 


 

Robert Johnston is GM at Adlumin, an N-able company

 

Main image courtesy of iStockPhoto.com and hapabapa


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543