Five Microsoft 365 Misconfigurations Attackers Look for First

Attackers run through a checklist of known weaknesses. Here are the five Microsoft 365 misconfigurations found most often during security assessments and incident investigations.

Microsoft 365 Security Assessments | April 14, 2026 | 6 min read

This article connects directly to "Your Microsoft 365 Environment Is More Exposed Than You Think." That post explains why Microsoft 365 is a major attack surface. This one breaks down the specific misconfigurations attackers check first.

When an attacker targets a Microsoft 365 environment, they are not approaching it randomly. They are running through a checklist of known weaknesses — configurations that are common, easy to exploit, and frequently overlooked by organizations that set up Microsoft 365 quickly and moved on.

These are the five misconfigurations we find most often during security assessments and incident investigations.

The common theme: these are not exotic problems. They are usually basic configuration gaps that remain open because nobody reviewed the tenant from an attacker’s perspective.

1. Legacy Authentication Is Still Enabled

Legacy authentication refers to older protocols like SMTP AUTH, IMAP, and POP3 that do not support modern authentication methods, including MFA.

The problem is simple: if legacy authentication is enabled in your Microsoft 365 tenant, an attacker with a valid username and password can authenticate using these protocols and completely bypass MFA.

This is not a theoretical risk. It is one of the most commonly exploited paths into Microsoft 365 environments. An organization can have MFA enabled for every user and still be vulnerable if legacy authentication is not explicitly blocked.

The fix is a Conditional Access policy that blocks legacy authentication protocols across the tenant. It is one of the highest-value security controls available and it takes less than ten minutes to configure.

2. No Conditional Access Policies

Conditional Access is Microsoft’s framework for enforcing context-aware access controls. It allows you to require MFA when specific conditions are met, block logins from certain countries or IP ranges, restrict access to compliant devices only, and enforce additional verification for high-risk sign-ins.

Many Microsoft 365 tenants have MFA enabled through basic security defaults but have no Conditional Access policies configured beyond that.

This means that an attacker logging in from an unknown device in a foreign country with valid credentials may face no additional barriers. A well-configured set of Conditional Access policies significantly raises the cost of a successful account takeover.
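The control that closes both gaps above is a Conditional Access policy that blocks legacy-authentication clients. The script below is an added example, not code from the original post: it creates that policy in report-only mode with Microsoft Graph PowerShell, then pulls recent sign-ins over legacy protocols so you can see what will break before flipping the policy to enforced. The break-glass UPN is a placeholder.

```powershell
# Added example: stage a "block legacy authentication" Conditional Access policy
# in report-only mode and review who is still using legacy protocols.
# Assumes the Microsoft Graph PowerShell SDK; 'breakglass@contoso.example' is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','AuditLog.Read.All','Directory.Read.All'

# Emergency-access account that policy must never lock out (placeholder UPN).
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.example'

$policy = @{
    displayName   = 'Block legacy authentication (all users)'
    # Report-only first; switch to 'enabled' once the sign-in review below is clean.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # 'exchangeActiveSync' plus 'other' covers the basic-auth clients
        # (IMAP, POP3, SMTP AUTH, older Office clients) that cannot satisfy MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Who is still authenticating over legacy protocols? Each row here stops working
# when the policy is enforced, so migrate those clients (or accept the break) first.
$legacyApps = 'IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients'
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Report-only results also appear in the sign-in log under the policy's name, so the policy can sit in that state for a week or two before enforcement.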

3. No Mailbox Audit Logging

Microsoft 365 has the capability to log actions taken in mailboxes — emails read, rules created, messages sent, permissions changed, and other activity that becomes critical during an investigation.

This audit data is invaluable during an incident because it helps determine exactly what the attacker did and when they did it.

The problem is that mailbox audit logging is not always enabled or retained long enough to be useful. By default, audit logs are retained for 90 days for standard licenses. If an attacker was inside for 30 days before detection, that leaves only 60 days of post-compromise logs.

If audit logging was not enabled at all, you are conducting an investigation with limited evidence. Enabling mailbox audit logging and extending retention is a straightforward configuration change that can dramatically improve incident response.
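As an added example, not part of the original post, the following Exchange Online PowerShell script checks the organization-level audit switch, unified audit log ingestion, and every user and shared mailbox, then enables auditing and raises the per-mailbox retention to a chosen target. The 365-day target is an assumption for illustration; licensing determines how long logs are actually kept.

```powershell
# Added example: verify mailbox auditing is on tenant-wide and per mailbox,
# and raise per-mailbox retention so an older intrusion still leaves evidence.
# Assumes the ExchangeOnlineManagement module; 365 days is a chosen target, not a default.
Connect-ExchangeOnline

$targetRetention = New-TimeSpan -Days 365

# Organization level: AuditDisabled = $true turns mailbox auditing off for everyone.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level; enabling it.'
    Set-OrganizationConfig -AuditDisabled $false
}

# Unified audit log ingestion must also be on, or Search-UnifiedAuditLog has nothing to search.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is off; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox level: find mailboxes with auditing off or retention shorter than the target.
# AuditLogAgeLimit comes back as text like "90.00:00:00", so parse it before comparing.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox)
$needsFix = @($mailboxes | Where-Object {
    -not $_.AuditEnabled -or [TimeSpan]::Parse("$($_.AuditLogAgeLimit)") -lt $targetRetention
})

"{0} of {1} mailboxes need changes" -f $needsFix.Count, $mailboxes.Count
foreach ($mbx in $needsFix) {
    # Add -WhatIf on a first pass to review the list before changing anything.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit '365.00:00:00'
    "Fixed {0}: AuditEnabled was {1}, AuditLogAgeLimit was {2}" -f `
        $mbx.PrimarySmtpAddress, $mbx.AuditEnabled, $mbx.AuditLogAgeLimit
}
```

New mailboxes created after this run inherit the organization setting but not the longer age limit, so schedule the script or fold it into provisioning.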

4. Overly Permissive Admin Accounts

Global Administrator is the highest privilege level in Microsoft 365. An account with Global Admin rights can do almost anything in the tenant — create users, reset passwords, access all mailboxes, modify security settings, and delete accounts.

Many organizations assign Global Admin rights too broadly because it is easier than managing granular permissions or because no one ever reviewed privileged access.

When an attacker compromises a Global Admin account, the incident becomes significantly more serious. They can create new accounts, elevate existing accounts, cover their tracks by modifying audit settings, and maintain persistent access that survives password resets on other accounts.

Users should have only the permissions they need to do their jobs. Global Admin should be assigned to as few accounts as possible, and those accounts should be protected with stronger controls than standard users.
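The review described above can be scripted. This added example (not the post's own code) uses Microsoft Graph PowerShell to list every active Global Administrator assignment, flag members that are not user accounts, and check whether each user has registered an MFA method. It assumes the Graph SDK and the listed scopes.

```powershell
# Added example: enumerate Global Administrator members and flag the ones to review.
# Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All','AuditLog.Read.All'

# Only roles activated in the tenant are returned; Global Administrator always is.
$ga = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'

# Note: this returns permanent (active) assignments. PIM-eligible assignments
# do not appear here and need a separate review in Privileged Identity Management.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All

$report = @(foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    $upn  = $m.AdditionalProperties['userPrincipalName']
    $mfa  = $null
    if ($type -eq '#microsoft.graph.user') {
        # Registration details show whether the account can satisfy an MFA prompt at all.
        $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
        $mfa = $reg.IsMfaRegistered
    }
    [pscustomobject]@{
        DisplayName   = $m.AdditionalProperties['displayName']
        Identity      = if ($upn) { $upn } else { $m.Id }
        ObjectType    = $type -replace '^#microsoft\.graph\.', ''
        MfaRegistered = $mfa
    }
})

$report | Sort-Object ObjectType, Identity | Format-Table -AutoSize

# Microsoft's guidance is fewer than five Global Administrators. Anything above that,
# any non-user member (group, service principal), or any user without MFA registered
# is a finding for the remediation plan.
"{0} Global Administrator assignment(s) found" -f $report.Count
$report | Where-Object { $_.ObjectType -ne 'user' -or $_.MfaRegistered -ne $true } |
    ForEach-Object { "REVIEW: {0} ({1}, MFA registered: {2})" -f $_.Identity, $_.ObjectType, $_.MfaRegistered }
```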

5. No Alerts for Inbox Rule Creation

Hidden inbox rules are one of the primary persistence and interception mechanisms used in Microsoft 365 attacks.

An attacker who creates an inbox rule that forwards all emails containing the word “invoice” to an external address can monitor financial communications indefinitely.

The technical capability to detect inbox rule creation exists natively in Microsoft 365. Alerts can be configured to fire any time an inbox rule is created or modified, giving security teams the ability to investigate immediately instead of discovering the rule weeks later during an incident investigation.

Many organizations have this alerting capability available but have never configured it. Setting it up takes minutes and is one of the most direct ways to catch an account compromise early.
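Until alerting is in place, the same evidence can be pulled on demand. This added example, not from the original post, searches the unified audit log with Exchange Online PowerShell for inbox rules created or changed in the last week and flags those that forward, redirect, or delete mail, which is exactly the shape of the "invoice" rule described above. It assumes the ExchangeOnlineManagement module; the mailbox address at the end is a placeholder.

```powershell
# Added example: hunt for inbox rules that forward, redirect or delete mail.
# Assumes the ExchangeOnlineManagement module; 'user@contoso.example' is a placeholder.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Outlook on the web and PowerShell log New-InboxRule / Set-InboxRule with a
# Parameters array. The Outlook desktop client logs UpdateInboxRules instead, with a
# different record layout (OperationProperties), so query that operation separately.
# 5000 is the per-call maximum; use -SessionCommand ReturnLargeSet to page beyond it.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule

# Rule parameters that move mail out of the user's sight or off the tenant.
$riskyParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder'

$findings = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # Parameters is an array of {Name, Value}; keep only the risky ones.
    $hits = @($data.Parameters | Where-Object { $riskyParams -contains $_.Name })
    if ($hits.Count -eq 0) { continue }
    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $data.UserId
        Object    = $data.ObjectId          # mailbox\rule the cmdlet acted on
        Operation = $r.Operations
        ClientIP  = $data.ClientIP
        RuleName  = ($data.Parameters | Where-Object Name -eq 'Name').Value
        Actions   = ($hits | ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join '; '
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize -Wrap

# Confirm what is live in an affected mailbox (placeholder address): a later edit
# or a deleted rule will not be reflected in the creation record above.
Get-InboxRule -Mailbox 'user@contoso.example' |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, SubjectContainsWords
```

A rule that forwards to an external address, or deletes or moves mail matching a narrow subject filter, is the pattern to escalate; an alert policy on the same operations turns this weekly query into a near-real-time notification.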

Fast win: review legacy authentication, Conditional Access, admin roles, mailbox auditing, and inbox rule alerts. These five checks alone can remove some of the easiest paths attackers use.

The Common Thread

All five of these misconfigurations have something in common. They are not exotic or technically complex. They are the default state of a Microsoft 365 tenant that was set up without dedicated security attention.

Microsoft provides the tools to address all of them. They just require someone who knows what to look for and takes the time to configure them correctly.

A Microsoft 365 security assessment reviews all of these and more, identifying the specific gaps in your environment and providing a clear remediation plan before an attacker finds them first.

Final Thoughts

Attackers do not need your environment to be completely broken. They only need one overlooked gap that lets them log in, bypass MFA, hide in email, or elevate privileges.

The goal of a Microsoft 365 assessment is to find those gaps before they become an incident.

Need help securing your environment? Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.

Need a Microsoft 365 security review?

Black Tower Cyber can review your tenant configuration, identity risks, Conditional Access policies, mailbox security, and incident response readiness.