
Five Microsoft 365 Misconfigurations Attackers Look for First

When an attacker targets a Microsoft 365 environment they are not approaching it randomly. They are running through a checklist of known weaknesses — configurations that are common, easy to exploit, and frequently overlooked by organizations that set up Microsoft 365 quickly and moved on. These are the five misconfigurations we find most often during security assessments and incident investigations.

1. Legacy Authentication Is Still Enabled

Legacy authentication refers to older protocols like SMTP AUTH, IMAP, and POP3 that do not support modern authentication methods including MFA. The problem is that if legacy authentication is enabled in your Microsoft 365 tenant, an attacker with a valid username and password can authenticate using these protocols and completely bypass MFA.

This is not a theoretical risk. It is one of the most commonly exploited paths into Microsoft 365 environments. An organization can have MFA enabled for every user and still be vulnerable if legacy authentication is not explicitly blocked. The fix is a Conditional Access policy that blocks legacy authentication protocols across the tenant. It is one of the highest-value security controls available and it takes less than ten minutes to configure.

2. No Conditional Access Policies

Conditional Access is Microsoft's framework for enforcing context-aware access controls. It allows you to require MFA only when specific conditions are met, block logins from certain countries or IP ranges, restrict access to compliant devices only, and enforce additional verification for high-risk sign-ins.

Many Microsoft 365 tenants have MFA enabled through the basic security defaults but have no Conditional Access policies configured beyond that. This means that an attacker logging in from an unknown device in a foreign country with valid credentials faces no additional barriers. A well-configured set of Conditional Access policies significantly raises the cost of a successful account takeover.
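As an added example (not code from the original post), the two policies described in sections 1 and 2 created with the Microsoft Graph PowerShell SDK, followed by a sign-in log query that shows who is still using legacy protocols before the block is enforced. The break-glass account name is a placeholder, the 7-day window is an assumption, and both policies are created in report-only mode so they can be reviewed before being switched to "enabled".

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module and an
# administrator who can consent to the listed scopes. Replace the placeholder UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All","Directory.Read.All"

$breakGlassUpn = "breakglass@yourtenant.example"   # placeholder: your emergency-access account
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn).Id

# Section 1: block legacy authentication. "exchangeActiveSync" and "other" are the client
# app types that cover Basic Auth protocols such as SMTP AUTH, IMAP and POP3.
$blockLegacy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    Conditions    = @{
        ClientAppTypes = @("exchangeActiveSync", "other")
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Section 2: require MFA for every user and every application, not just security defaults.
$requireMfa = @{
    DisplayName   = "Require MFA for all users"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        ClientAppTypes = @("all")
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Who still signs in with legacy clients? Anything other than a browser or a modern
# desktop/mobile app in the last 7 days (assumed window) needs fixing before enforcement.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```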

3. No Mailbox Audit Logging

Microsoft 365 has the capability to log every action taken in every mailbox — emails read, rules created, messages sent, permissions changed. This audit data is invaluable during an incident investigation because it tells you exactly what the attacker did and when they did it.

The problem is that mailbox audit logging is not always enabled or retained for long enough to be useful. By default, audit logs are retained for 90 days for standard licenses. If an attacker was inside for 30 days before detection, that leaves only 60 days of post-compromise logs. If audit logging was not enabled at all, you are conducting an investigation with no evidence. Enabling mailbox audit logging and extending retention is a straightforward configuration change.
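The audit check and fix from this section as an added example (not code from the original post), using the Exchange Online PowerShell module: it confirms auditing is on at the tenant level, finds mailboxes where it is off or the per-mailbox age limit is short, raises both, and lists any audit bypass associations that would silence logging for a given account. The 365-day limit is an assumption; use whatever your licence and retention policy allow.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an Exchange administrator. The 365-day retention target is an assumption.
Connect-ExchangeOnline

# 1. Tenant-wide switch: if AuditDisabled is true, nothing below matters.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide; re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Per-mailbox state: auditing off, or an age limit shorter than the target.
$targetDays = 365
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$weak = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or ([TimeSpan]$_.AuditLogAgeLimit).Days -lt $targetDays
}
$weak | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Format-Table -AutoSize

# 3. Enable auditing and extend the age limit on the mailboxes that need it.
foreach ($mbx in $weak) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit "$targetDays.00:00:00"
}

# 4. A bypass association stops a given account's actions from being logged at all.
#    Any entry here deserves a reason on record.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 5. Sanity check: mailbox events from the last day should be visible in the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```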

4. Overly Permissive Admin Accounts

Global Administrator is the highest privilege level in Microsoft 365. An account with Global Admin rights can do almost anything in the tenant — create users, reset passwords, access all mailboxes, modify security settings, delete accounts. Many organizations assign Global Admin rights liberally, either because it is easier than managing granular permissions or because no one ever thought carefully about it.

When an attacker compromises a Global Admin account the situation becomes significantly more serious. They can create new accounts, elevate existing accounts, cover their tracks by modifying audit settings, and maintain persistent access that survives password resets on other accounts. Users should have only the permissions they need to do their jobs. Global Admin should be assigned to as few accounts as possible.
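An added example (not code from the original post) that enumerates Global Administrator holders with the Microsoft Graph PowerShell SDK and reports, for each user account, whether it is enabled, whether MFA is registered, and when it last signed in, so the list can be trimmed on evidence rather than guesswork. The threshold of four admins is an assumption, and last-sign-in data requires an Entra ID P1 or P2 licence.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module;
# the "more than 4" threshold is an assumption. SignInActivity needs Entra ID P1/P2.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Groups and service principals can hold the role too; surface them for review.
        [pscustomobject]@{ Principal = $m.Id; Type = $type; Enabled = 'n/a'; MfaRegistered = 'n/a'; LastSignIn = 'n/a' }
        continue
    }
    $u   = Get-MgUser -UserId $m.Id -Property UserPrincipalName,AccountEnabled,SignInActivity
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        Principal     = $u.UserPrincipalName
        Type          = 'user'
        Enabled       = $u.AccountEnabled
        MfaRegistered = $reg.IsMfaRegistered
        LastSignIn    = $u.SignInActivity.LastSignInDateTime
    }
}
$report | Format-Table -AutoSize

# Accounts that hold the role but never use it are candidates for a lesser role or removal.
$stale = $report | Where-Object { $_.Type -eq 'user' -and $_.LastSignIn -lt (Get-Date).AddDays(-90) }
if ($stale) { Write-Warning "Global Admins with no sign-in in 90 days: $($stale.Principal -join ', ')" }

if ($members.Count -gt 4) {
    Write-Warning "$($members.Count) Global Administrators found; keep a handful and move the rest to least-privileged roles."
}
```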

5. No Alerts for Inbox Rule Creation

Hidden inbox rules are one of the primary persistence and interception mechanisms used in Microsoft 365 attacks. An attacker who creates an inbox rule that forwards all emails containing the word "invoice" to an external address can monitor financial communications indefinitely.

The technical capability to detect inbox rule creation exists natively in Microsoft 365. Alerts can be configured to fire any time an inbox rule is created or modified, giving security teams the ability to investigate immediately rather than discovering the rule weeks later during an incident investigation. Many organizations have this alerting capability available but have never configured it. Setting it up takes minutes and is one of the most direct ways to catch an account compromise early.
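The detection logic from this section as an added example (not code from the original post): it pulls inbox rule creation and modification events from the unified audit log with the Exchange Online PowerShell module and flags the rule parameters that forward, redirect, delete or hide mail. The 24-hour window and the parameter list are assumptions; the script is meant to run on a schedule until a native alert policy is in place.

```powershell
# Added example, not from the original post. Requires ExchangeOnlineManagement and a
# role permitted to run Search-UnifiedAuditLog. The 24-hour window is an assumption.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddHours(-24)

# New-InboxRule / Set-InboxRule are logged for PowerShell and Outlook on the web;
# UpdateInboxRules comes from Outlook desktop and stores rule details in a different
# shape (OperationProperties), so it is listed for manual review rather than parsed.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules

# Rule actions that move, hide or exfiltrate mail are the ones worth an immediate look.
$suspicious = 'ForwardTo','ForwardAsAttachmentTo','RedirectTo','DeleteMessage','MoveToFolder','MarkAsRead'

$findings = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $ruleName = '(unknown)'
    $flags    = @()
    if ($d.Parameters) {
        # Cmdlet-based operations carry an array of {Name, Value} pairs.
        $ruleName = ($d.Parameters | Where-Object { $_.Name -eq 'Name' }).Value
        $flags    = $d.Parameters | Where-Object { $_.Name -in $suspicious } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }
    }
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        Rule      = $ruleName
        Flags     = if ($flags) { $flags -join '; ' } else { '(review manually)' }
    }
}

# Flagged rules first; everything else still gets listed so nothing is silently dropped.
$findings | Sort-Object { $_.Flags -eq '(review manually)' }, Time | Format-Table -AutoSize
```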

The Common Thread

All five of these misconfigurations share something in common. They are not exotic or technically complex. They are the default state of a Microsoft 365 tenant that was set up without dedicated security attention. Microsoft provides the tools to address all of them. They just require someone who knows what to look for and takes the time to configure them correctly.

A Microsoft 365 security assessment reviews all of these and more, identifying the specific gaps in your environment and providing a clear remediation plan before an attacker finds them first.

Need help securing your environment?

Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.
