M365 Misconfiguration: How Attackers Move Through Your Tenant Without Triggering a Single Alert
The organizations getting breached through M365 misconfiguration in 2025 are not running outdated software or skipping patches. They have functioning IT teams, active security subscriptions, and Microsoft 365 licenses loaded with protective features. The breach still happens – because the settings are wrong, the defaults were never hardened, and the attacker never needed a zero-day to get in. This post breaks down exactly how that attack path works, who is most exposed, what real-world incidents look like, and what a defensible Microsoft 365 environment actually requires.
Table of Contents
- The Threat Landscape: Configuration Drift as the Real Attack Surface
- Who Is Most Affected
- How Attackers Exploit M365 Misconfiguration in Tenant Settings
- Real Examples and Reported Incidents
- Why Standard Alerts Miss Lateral Movement
- Defense Posture: What a Hardened M365 Tenant Looks Like
- What to Ask Your IT Firm
The Threat Landscape: Configuration Drift as the Real Attack Surface

The security industry spent years focused on patching vulnerabilities. That instinct is correct but increasingly incomplete. In its 2024 threat intelligence reporting, Microsoft identified identity and configuration abuse as a primary escalation path across cloud environments – attackers are bypassing endpoint-level detections entirely by operating within the application layer, using legitimate credentials and legitimate tools in ways the environment was never configured to block.
CISA reinforced this in its joint advisory on cloud security, published in December 2023, which outlined specific Microsoft 365 and cloud tenant weaknesses being exploited by nation-state actors. The advisory pointed to three recurring failures: overly permissive application consent, dormant accounts with high privilege, and missing conditional access policies. These are not exotic findings. They describe the default or near-default state of a significant number of Microsoft 365 tenants in production today.
Configuration drift is what happens when an environment is set up once, hardened partially, and then allowed to evolve without ongoing governance. New users get added. Old accounts sit dormant. A third-party application requests broad permissions and an administrator approves it without reviewing the scope. A conditional access policy meant to enforce multi-factor authentication has an exception carved out for a legacy protocol that was never removed. Over 12 to 18 months, the gap between the intended security posture and the actual security posture widens significantly – and nothing in the environment tells you it happened.
Who Is Most Affected
The organizations most exposed to M365 misconfiguration attacks share a common profile: mid-sized businesses and professional services firms that adopted Microsoft 365 for productivity, not security. They may have a part-time IT resource, a generalist IT consultant, or a managed services provider that handles helpdesk tickets competently but has never conducted a formal tenant security review.
Specific verticals showing elevated exposure include:
- Legal and accounting firms that share sensitive documents externally via SharePoint or OneDrive with permissive sharing settings
- Healthcare-adjacent organizations where legacy email protocols remain enabled to support older clinical applications
- Non-profits with high staff turnover, where deprovisioning is inconsistent and former employees retain active accounts for weeks or months
- Professional services firms that have integrated third-party tools – project management platforms, e-signature providers, CRM applications – each granted OAuth access to the tenant without periodic permission audits
What these organizations share is not a lack of investment. Many pay for Microsoft 365 Business Premium, which includes strong security features. The gap is governance: whether those features are actually turned on, correctly configured, and reviewed on a recurring basis.
How Attackers Exploit M365 Misconfiguration in Tenant Settings
Understanding the specific mechanics matters because it changes the defense strategy. The most common attack patterns in 2025 do not require exploiting a software flaw. They require finding a tenant where the right guardrails were never built – or have drifted away. Each of the following scenarios represents a documented, recurring attack vector.
Conditional access policy gaps. Microsoft’s conditional access system lets administrators require specific conditions before a sign-in is approved: multi-factor authentication, a compliant device, a known location. When these policies are incomplete – covering most users but not service accounts, or excluding legacy authentication protocols – attackers use the uncovered path. Legacy authentication protocols like IMAP and SMTP do not support modern multi-factor authentication, which means a valid username and password is all an attacker needs if that protocol remains enabled.
OAuth application consent abuse. Microsoft 365 allows third-party applications to request permissions to read mail, access files, or act on behalf of a user. If the tenant allows users to grant these permissions themselves – rather than requiring administrator approval – an attacker can craft a malicious OAuth application and send a consent phishing link to a user. Once the user clicks “Accept,” the attacker has persistent, token-based access to that user’s data without ever needing the user’s password. The sign-in logs show the third-party app accessing the tenant, not a suspicious login event.
Dormant privileged accounts. Accounts belonging to former employees, former consultants, or service functions that were never deprovisioned remain active in the tenant. If those accounts held administrative or elevated permissions, they represent a standing opportunity for credential stuffing or password spray attacks. Because these accounts are not actively monitored – no one is watching for sign-in anomalies on a mailbox untouched for eight months – successful access can go undetected for an extended period.
Overly permissive external sharing. SharePoint and OneDrive sharing defaults in many tenants allow documents to be shared with anyone who has the link, with no expiration and no authentication requirement. An attacker who gains access to a single mailbox can search sent items for shared document links and immediately access the underlying files – without triggering any file-access alerts tied to that user’s account, because the access comes through the anonymous sharing link, not through authenticated access.
Audit log gaps. Microsoft 365 audit logging is not enabled by default across all licensing tiers, and even where it is available, retention periods and logged event categories vary by configuration. Organizations that have never verified their audit logging setup may be operating with significant blind spots – meaning that even if an incident is eventually discovered, the forensic trail needed to understand what data was accessed or exfiltrated may not exist.
Real Examples and Reported Incidents
The 2023 Storm-0558 incident, reported by Microsoft and covered extensively by CISA, involved nation-state actors gaining access to email accounts of senior U.S. government officials via forged authentication tokens. While the root cause involved a signing key compromise rather than pure configuration failure, the investigation revealed that audit logging configurations across affected tenants determined whether organizations could even detect that access had occurred. Tenants without higher-tier audit logging enabled had no record of the intrusion at all.
The Midnight Blizzard intrusion disclosed by Microsoft in January 2024 demonstrated a different pattern: attackers used a legacy, non-production test account with OAuth application access to escalate privileges within Microsoft’s own tenant. The account had no multi-factor authentication. The OAuth application held high-privilege permissions that were never reviewed. The attack moved laterally from a test environment to production systems – not through a zero-day, but through a configuration gap in a tenant belonging to one of the largest technology companies on earth.
FBI IC3 reporting from 2023 placed business email compromise losses at over $2.9 billion for the year, with a significant share attributed to cloud email account takeover rather than on-premise email compromise. The shift to cloud email has not reduced business email compromise risk; it has redirected the attack mechanics toward configuration and identity abuse – precisely the M365 misconfiguration patterns this post outlines.
Why Standard Alerts Miss Lateral Movement
M365 misconfiguration attacks are damaging not just because they succeed – but because they succeed quietly. Standard alerting in Microsoft 365 is oriented around anomaly detection tied to known-bad signatures: impossible travel, known malicious IP addresses, brute force thresholds. An attacker who has obtained valid credentials through phishing, credential stuffing, or OAuth consent abuse does not trigger those alerts – because from the platform’s perspective, the sign-in looks legitimate.
Lateral movement within the tenant is even harder to detect by default. Once an attacker has access to a mailbox, they can read email, access SharePoint files that mailbox has permission to view, map the directory to understand the organizational structure, and identify which other accounts hold elevated privileges. All of this activity uses native Microsoft 365 functionality. Without a configured behavioral detection layer, without alert rules tuned to the specific environment, and without someone actively reviewing the logs, the movement generates no alarm.
This is the core problem with treating Microsoft 365 as “secure by default.” The platform provides the tools to build a defensible environment. It does not build that environment for you – and it does not maintain it as the environment changes over time.
Defense Posture: What a Hardened M365 Tenant Looks Like
A defensible Microsoft 365 environment in 2025 is not a product you purchase. It is a configuration state that has to be built, validated, and maintained on a recurring basis. Addressing M365 misconfiguration requires discipline across several interconnected control areas:
- Conditional access policies that cover all users, all sign-in scenarios, and explicitly block legacy authentication protocols with no exceptions carved out for convenience
- Multi-factor authentication enforced universally – including for service accounts and break-glass emergency accounts that are monitored separately
- OAuth application permissions reviewed on a defined schedule, with a policy requiring administrator approval for any new application consent request
- External sharing configured to require authentication and set expiration dates on all shared links, with anonymous sharing disabled
- A formal account lifecycle process that deactivates accounts within 24 hours of a departure and removes all associated application permissions
- Unified audit logging verified as active, with retention configured to support the organization’s incident response requirements
- Privileged identity management applied to any account with administrative or elevated permissions – requiring approval and time-limiting elevated access rather than granting standing administrator rights
- A recurring tenant security review, conducted against the Microsoft Secure Score baseline and supplementary benchmarks, on at least a quarterly cadence
That last point is the one most organizations skip. A one-time hardening engagement addresses the configuration state at a single moment. Configuration drift resumes the day after the engagement ends – users are added, applications are integrated, exceptions are granted. A defensible posture is one that is reviewed and corrected on a rhythm, not one that was correct once.
Organizations that want a structured benchmark can reference the CIS Controls framework, specifically the controls addressing account management, access control management, and audit log management. A cybersecurity program built around these controls provides a structured foundation for ongoing tenant governance rather than ad hoc hardening. Our team at Xact IT also offers managed IT services that include recurring M365 misconfiguration reviews as part of a continuous security posture program.
If you want a direct conversation about where your tenant stands, Book a Free Cybersecurity Strategy Call. It’s 20 minutes with our team – no sales pressure, no obligation.
What to Ask Your IT Firm
If an IT firm manages your Microsoft 365 environment, the right question is not “are we secure?” The right questions are specific – and the answers should be specific too. Vague reassurances are a red flag. Ask these:
- When did you last conduct a full review of our conditional access policies, and what did you change as a result?
- Which legacy authentication protocols are currently enabled in our tenant, and what is the plan to disable them?
- What is our current process for reviewing third-party application permissions, and when was the last review completed?
- How quickly are accounts deprovisioned when an employee leaves, and who verifies that deprovisioning is complete?
- Is unified audit logging active in our tenant, and how long are logs retained? Can you show me?
- How do you track configuration drift between reviews? What changes to our tenant would trigger a notification to your team?
An IT firm that has done this work will answer those questions concisely and specifically. One that has not will give you generalities – or tell you they need to check. Both responses tell you something important about the actual security posture of your environment.
The core issue: the attack surface in 2025 is not primarily software vulnerabilities waiting on a vendor patch. It is the gap between how Microsoft 365 was configured and how it should be configured – a gap that widens every time a change is made without a governance process behind it. M365 misconfiguration is not an edge case or an advanced threat. It is the baseline condition in a large portion of production tenants today. The organizations reducing their real-world risk are building security programs around configuration management and identity hygiene – not around buying the next security product. That shift in thinking is, at this point, the most important move a business leader can make.
Frustrated With Your Current IT Provider?
If your current MSP isn’t catching the things this post describes, that’s a signal worth acting on. Book a strategy call and we’ll walk through what an honest IT partnership looks like for a business your size.