Skip to main content
Back to Blog
Security Guide

Microsoft 365 Attack Surface Guide: Where Attackers Target Your M365 Tenant

May 19, 2026By Matt Johnson18 min read

Microsoft 365 is where most organizations do their work. It is also where most attackers focus their effort. Email, identity, file storage, collaboration, automation, and admin access are all consolidated in a single cloud platform - which makes it extraordinarily productive and extraordinarily attractive to threat actors.

Most M365 breaches are not the result of sophisticated zero-day exploits. They are the result of misconfigured defaults, over-privileged accounts, and security controls that were never turned on. This guide covers the seven primary attack surfaces in a Microsoft 365 tenant, the techniques attackers use against each, and the specific hardening steps that close the gaps.

The Core Problem With M365 Security

Microsoft ships M365 with defaults optimized for usability, not security. Many organizations activate licenses, migrate mailboxes, and start using the platform without ever touching the security configuration. The result is a production environment with legacy authentication enabled, no Conditional Access policies, MFA not enforced, and admin accounts with no just-in-time controls. The license does not protect you - the configuration does.

01

Email: Still the Primary Entry Point

Exchange Online processes hundreds of billions of messages per month. Phishing, business email compromise (BEC), and malware delivery through email remain the top initial access vector in incidents SOClogix responds to. The attacks have evolved well beyond obvious Nigerian prince scams - modern phishing campaigns are highly targeted, use AI-generated copy indistinguishable from legitimate correspondence, and leverage compromised legitimate domains to bypass reputation filters.

Adversary-in-the-middle (AiTM) phishing captures session tokens post-MFA, bypassing multi-factor authentication entirely

BEC actors compromise an internal account first, then use it to redirect wire transfers or harvest credentials from colleagues

Malicious OAuth app consent phishing tricks users into granting third-party apps full mailbox read/send access

Legacy authentication protocols (IMAP, POP, SMTP AUTH, basic auth) bypass Conditional Access and MFA policies

Email Hardening Steps

  • Enable Microsoft Defender for Office 365 Plan 1 minimum - safe links and safe attachments on all users
  • Configure DMARC with p=reject, SPF, and DKIM on all sending domains - not just your primary domain
  • Block legacy authentication protocols in Entra ID Conditional Access - create a named location and block all legacy auth clients
  • Enable impersonation protection in anti-phishing policies for all C-suite and finance personnel
  • Configure mailbox auditing on all mailboxes and alert on forwarding rule creation and inbox rule changes
  • Restrict external email forwarding - block auto-forward to external domains in the outbound spam filter
  • Enable attack simulation training and run quarterly phishing simulations with remediation training
02

Identity and Entra ID: The Keys to the Kingdom

Entra ID (formerly Azure AD) is the authentication and authorization backbone for all of M365. Compromise a privileged identity and you have the keys to email, SharePoint, Teams, Azure subscriptions, and any application federated through Entra ID. Password spray, credential stuffing, and phished credentials are the top identity attack vectors - and many tenants still have no Conditional Access policies to stop them.

Password spray attacks target thousands of accounts with common passwords - no lockout triggered, no single account shows suspicious behavior

Entra ID token theft allows attackers to persist in a tenant for weeks without the user's password after initial compromise

Global Admin accounts without PIM just-in-time access are permanently over-privileged - one compromise means full tenant control

Guest accounts accumulate over time with no lifecycle management - ex-partners and contractors retain access indefinitely

Identity Hardening Steps

  • Enforce MFA for all users with a Conditional Access policy - Security Defaults are a starting point, not a destination
  • Enable Entra ID Identity Protection and configure risk-based Conditional Access (sign-in risk and user risk policies)
  • Protect privileged roles with Microsoft Entra Privileged Identity Management (PIM) - no standing Global Admin access
  • Block legacy authentication with a dedicated Conditional Access policy targeting all legacy auth clients
  • Require phishing-resistant MFA (FIDO2 or Windows Hello) for all admin accounts
  • Configure named locations and restrict admin portal access to trusted networks only
  • Implement a guest account review process - remove stale guests quarterly
  • Enable Entra ID sign-in log streaming to your SIEM for anomaly detection across all authentication events
03

SharePoint and OneDrive: Data Exfiltration and Ransomware

SharePoint Online and OneDrive for Business are where your organization's intellectual property lives. Once an attacker has a valid session token or compromised credentials, they can enumerate shared drives, download bulk files, and in ransomware scenarios, encrypt or mass-delete files using the Microsoft Graph API without touching endpoint storage that a traditional EDR would see.

Cloud ransomware actors use Graph API calls to enumerate and delete/encrypt SharePoint content, bypassing endpoint EDR entirely

Anonymous sharing links created by users expose sensitive documents publicly without any authentication requirement

External sharing settings often default to permissive - anyone with a link can access content without signing in

Overly broad site permissions and SharePoint groups with 'everyone except external users' membership create unintended internal exposure

SharePoint and OneDrive Hardening Steps

  • Set SharePoint tenant external sharing to 'Existing guests only' or 'Only people in your organization' unless external collaboration is a business requirement
  • Disable 'Anyone' link creation - require authenticated sharing at minimum
  • Enable SharePoint access reviews and remove stale external users
  • Enable Microsoft Purview sensitivity labels and apply automatic labeling to content containing PII or financial data
  • Enable SharePoint and OneDrive audit logging and alert on bulk download events (100+ files in a short window)
  • Configure versioning and recycle bin retention to provide recovery capability in a ransomware event
  • Restrict syncing to domain-joined or Intune-managed devices only
04

Microsoft Teams: The Overlooked Delivery Channel

Microsoft Teams is increasingly used as a malware delivery channel. External message delivery is enabled by default in most tenants, allowing anyone to send a Teams message to your employees without being in your tenant. Threat actors send malicious files or phishing links through Teams chats, often with the Teams sender appearing highly credible because the message arrives in a work context rather than email.

DarkGate, Cobalt Strike, and other malware families have been delivered via Teams external messages targeting employees directly

Teams channel webhooks can be abused to exfiltrate data out of a compromised tenant without triggering DLP policies

Federated communication with other tenants can be exploited by attackers who have compromised a partner or vendor's tenant

Teams Hardening Steps

  • Restrict external access - only allow communication with specific trusted domains rather than all external tenants
  • Disable or tightly restrict anonymous meeting join and external participants starting meetings
  • Enable Microsoft Defender for Office 365 safe attachments and safe links policies to apply to Teams content
  • Audit and inventory all Teams channels, tabs, and connected apps - remove unused integrations
  • Configure Teams DLP policies to detect and block CUI or sensitive data in messages and file shares
  • Review and restrict outgoing webhook creation to administrators only
05

OAuth App Consent: The Silent Backdoor

OAuth consent phishing is one of the most underrated attack vectors in M365. An attacker registers a malicious OAuth application and sends a phishing link prompting a user to grant the app permissions. When the user clicks "Accept," the attacker receives an access token with all the permissions the user granted - often full mailbox read, mail send, and contacts access - without ever needing the user's password and without triggering MFA.

Illicit consent grant attacks have been used in multiple APT campaigns to establish persistent mailbox access that survives password resets

Third-party SaaS integrations often request far more permissions than they need - many have access to all mailboxes in a tenant

Users cannot revoke enterprise application permissions themselves - security teams are often unaware of what apps are consented

OAuth App Hardening Steps

  • Disable user consent to applications - require admin approval for all OAuth app grants via the app consent workflow
  • Audit all currently consented enterprise applications in Entra ID - remove any app without a legitimate business justification
  • Enable the Microsoft Defender for Cloud Apps app governance module to monitor OAuth app activity
  • Configure alerts for new OAuth app consents and apps requesting high-privilege permissions (Mail.ReadWrite, Files.ReadWrite.All)
  • Review and restrict permissions for all service principals - remove unused Graph API permissions
  • Implement a formal process for evaluating and approving new SaaS tool integrations before users connect them
06

Power Platform: Automation as an Attack Vector

Power Automate, Power Apps, and Power BI are included in most M365 licenses and enabled by default. They are powerful - and they are almost universally unmonitored. An attacker with a compromised user account can create Power Automate flows that forward all incoming email to an external address, exfiltrate SharePoint files to an external storage endpoint, or trigger actions across connected services without any change to the compromised account's mailbox rules that security tools typically monitor.

Power Automate flows run with the creating user's credentials and can persist after a password reset

Power Platform environments can be created by any licensed user by default, creating shadow IT with no governance

Connectors to external services (Dropbox, personal Gmail, Slack) can be used as data exfiltration channels

Power Platform Hardening Steps

  • Restrict environment creation - only allow admins to create Power Platform environments
  • Implement data loss prevention (DLP) policies in the Power Platform admin center restricting connectors to business-approved services
  • Audit all active Power Automate flows across your tenant and review flows with external connector usage
  • Enable Power Platform activity logging to your SIEM - flow creation, deletion, and connector additions
  • Restrict sharing of Power Apps and flows to prevent unauthorized distribution within the organization
07

Admin Portals and Privileged Access: The Crown Jewels

Global Administrator access in an M365 tenant is the equivalent of domain admin in an on-premises environment - except it also controls email, all cloud storage, all identities, and all connected Azure subscriptions. Most small organizations have multiple accounts with standing Global Admin access, no privileged access workstations, and admins performing daily tasks from the same endpoint they browse the internet on.

Admin portals (Entra, M365 Admin Center, Azure) are accessible from any internet browser - no VPN or network restriction by default

Break-glass emergency admin accounts are often left unmonitored - attackers who find these credentials have persistent, undetected access

Service accounts with admin privileges and no MFA requirement are a common target for automated credential stuffing

Admin Portal Hardening Steps

  • Remove Global Admin from all day-to-day user accounts - use least-privilege role assignments (Exchange Admin, SharePoint Admin, etc.)
  • Require phishing-resistant MFA for all admin portals via Conditional Access - block all non-phishing-resistant MFA methods for admins
  • Enable PIM for all privileged roles - require activation with justification and time-limited access
  • Restrict admin portal access to named locations (trusted IP ranges or Intune-enrolled devices)
  • Create a dedicated break-glass emergency account, store credentials in a physical safe, and set up an alert that fires immediately if it is used
  • Conduct quarterly access reviews of all privileged role assignments in Entra ID
  • Enable Microsoft Secure Score and treat it as a living remediation backlog, not a vanity metric

M365 Hardening Checklist

The following 20 controls address the highest-impact gaps across all seven attack surfaces. If your team completes this checklist, you will have eliminated the majority of the techniques that show up in actual M365 incidents.

  • 01Enforce MFA for all users via Conditional Access
  • 02Block legacy authentication protocols
  • 03Enable Entra ID Identity Protection risk policies
  • 04Enable PIM for all privileged roles
  • 05Deploy Defender for Office 365 Plan 1 (safe links, safe attachments)
  • 06Configure DMARC/DKIM/SPF on all domains
  • 07Block external email auto-forwarding
  • 08Enable mailbox audit logging on all mailboxes
  • 09Restrict SharePoint external sharing to authenticated users
  • 10Audit and restrict OAuth app consents
  • 11Disable user app consent - require admin approval
  • 12Restrict Teams external access to trusted domains only
  • 13Implement Power Platform DLP policies
  • 14Restrict Power Platform environment creation to admins
  • 15Enable Purview sensitivity labels on all content workloads
  • 16Restrict OneDrive sync to managed devices only
  • 17Review all guest accounts quarterly
  • 18Configure named locations and restrict admin portal access
  • 19Create and monitor a break-glass emergency admin account
  • 20Stream all Entra ID and M365 audit logs to a SIEM

What SOClogix Monitors in Your M365 Tenant

Configuration hardening reduces your attack surface, but it does not eliminate it. Threat actors adapt quickly, and new attack techniques emerge constantly. SOClogix monitors your M365 tenant in real time, streaming audit logs into our SIEM and applying detection rules built specifically for cloud identity and SaaS attack techniques.

Impossible travel and anomalous sign-in detection
New inbox rules and forwarding rule creation
Bulk mail deletion and folder access patterns
New OAuth app consent and permission grants
Admin role assignment changes
Power Automate flow creation with external connectors
SharePoint and OneDrive bulk download events
Legacy authentication sign-in attempts
Conditional Access policy bypass attempts
Break-glass account usage alerts
Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →

M365 Security Assessment

Find Out What Your M365 Tenant Is Exposing

SOClogix conducts M365 security assessments that check your configuration against the hardening steps in this guide. We review your Secure Score, Conditional Access policies, audit settings, and app consents - and deliver a prioritized remediation report.