Security breaches in Microsoft 365 environments: risks and realities


Explore the latest tools and best practices to safeguard your company’s digital assets and data in the ever-evolving landscape of cloud security.

Nobody understands the adage ‘you’re only as strong as your weakest link’ better than IT. You can enable all the Microsoft 365 security defaults, but one weak password or compromised device can still open you to attack. 

After the shift to remote work, organizations are more vulnerable to security breaches than ever. According to a recent study, the number of cybercrimes per hour has doubled since 2019 while their costs have tripled. 

While using Microsoft 365 has made your company more flexible and efficient, you have your hands full dealing with threats. And as the economic crisis continues, there’s the constant pressure to do more with less. 

But when the face of tech changes so rapidly, do most people actually know what a security breach looks like? Let us walk you through the different types, how you can recognize them, and their impact on your company. 


What are security breaches? 

Security breaches include unauthorized individuals accessing data, software, applications, devices, and networks. Once those individuals have bypassed your security, they can compromise, steal, or destroy files and data. They may even try to sell that information to competitors or hold it for ransom. 

When discussing this situation, you may picture some shadowy cybercriminals launching a coordinated attack on your company’s servers. However, those threats can be as mundane as an employee using ‘password1234’ as their login credentials… again. This is the kind of practice that lowers any organization’s defenses against outside threats and can lead to valuable information getting into the wrong hands. 

Believe us: this risk is real, and the costs are high. One figure shows how serious this is: 

  • The global average cost of a data breach in 2023 is USD 4.45 million, according to IBM—a 15% increase over 3 years. That doesn’t include indirect damages, like the hit to your reputation or losing employee trust. 

“Security is much more than a technology problem: it’s a people problem. You need to inform and educate users so you can protect against this at scale across your environment.”

Joanne Klein, Microsoft MVP and founder of NexNovus

Types of security breaches

The idea of security breaches might be clearer for you now, but maybe you still don’t know what one looks like while it’s actually happening. 

To help you have a better grasp on this kind of situation, we’ll walk you through the most common security breaches in a Microsoft 365 environment, what they look like, and their impact on your organization.

Account breaches 

Cloud platforms like Microsoft 365 expose many entry points: every account is reachable from the Internet, and integrations and shared applications add more. That means cybercriminals can get into your employee accounts through the login page itself, through a connected app, or through an application someone shared access to. 

Cybercriminals might exploit the following weak points in your system to get into accounts:  

  • Flaws in software code 
  • Configuration gaps 
  • Physical security issues 
  • Limited user verification methods 
  • Network weaknesses 
  • Inadequate encryption 

Once inside, the cybercriminals can use the employee account as a stepping stone to access more privileged and sensitive areas. They might send emails to colleagues asking for information or extra permissions.  

Luckily, this lateral movement also tends to give them away. The victim might notice unusual activity on their account, like changes to files or logins from a country they’ve never been to. Others may become suspicious when a team member stops acting like themselves and turns up in areas of Microsoft 365 that have nothing to do with their job.  

Data loss and leakage 

Aside from worrying about cybercriminals getting in, you have to worry about sensitive information getting out. If company secrets become exposed, you can give competitors an advantage. You may also lose employee and client trust if you accidentally share their private details. 

In a worst-case scenario, you may face millions of dollars in fines if you unwittingly share privileged employee or client information and thereby violate GDPR or HIPAA. 

Microsoft’s documentation states that it will notify customers within 72 hours of confirming a breach of customer data. That notification doesn’t cover data that leaks through carelessness or oversight, which is what happens when a team member emails a file, or grants permissions, to the wrong people. 

Occasionally, employees expose sensitive information in truly bizarre ways, like taking selfies with their screen in the background or throwing out office equipment without wiping its storage. One study even explored how attackers could read confidential information reflected in a victim’s glasses. 

The challenge is that data loss and leakage don’t always leave a digital trace, so companies might not discover the issue until it’s too late. 

E-mail risks: Malware, ransomware, phishing 

Many criminals use email or messaging apps to trick users into handing over their login details or opening a malicious attachment. The victim receives what looks like a normal message from a colleague or client; when they open the attachment, it drops malware onto their computer.

Depending on the cybercriminal’s intent, the malware can:  

  • Monitor the user’s activity and keystrokes 
  • Destroy or disrupt files 
  • Spread to other accounts 
  • Redirect users to websites 
  • Collect sensitive information 

You might be surprised that anyone still falls for these scams. But as cybercriminals grow more sophisticated, the number of victims remains high. Indeed, 27% of the global population were victims of email and SMS scams in 2022. 

Commodity malware is often easy to spot. The classic signs of an infected device are sluggish performance, frequent crashes, and excessive pop-ups, and users may notice new toolbars or browser extensions, which is the malware hiding in plain sight. Don’t rely on those symptoms alone, though: infostealers and ransomware loaders are built to stay quiet until they’ve done their job. 

If the email carries ransomware, the attacker will encrypt the victim’s files or lock them out of their device or account. Then, as the name suggests, they’ll send a ransom note demanding payment in exchange for the decryption key, with no guarantee that it actually works. 

Credential theft 

Some cybercriminals prefer to get into your system the old-fashioned way. They gain access to accounts by cracking passwords, eavesdropping on conversations, and stealing company devices. Or they’ll con users into revealing their credentials in what’s usually called “social engineering.” 

One common tactic is pretending there’s a problem with the victim’s Microsoft account that needs immediate action. Panicked, the user may read out their password, or approve an MFA prompt they didn’t initiate, to “fix” the issue. 

Other cybercriminals use bots to launch brute-force attacks on accounts, where software tries thousands of username and password combinations until one works. Bots can break basic seven-character passwords in under 30 seconds, according to NordPass. 

Or criminals may use the malware and phishing attacks outlined in the previous section. Often, they’ll lead the victim to a site that causes them to download the virus or input their credentials into a fake login box. 

After the attack, employees may notice they can’t access their accounts, but it’s all too easy for them to think, “Oh, I forgot my password again!”. They may reset their password, but attackers typically set up back doors that survive a reset: an inbox rule that forwards or deletes mail, an extra MFA method registered to the attacker’s phone, or an OAuth app they consented to with mailbox access. Unless those are found and removed, the attacker keeps control of the account.

Then, a hacker can access your system, and nobody’s the wiser. They could send themselves payments or impersonate the user for months before anyone notices.
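One way to hunt for the back doors described above in your own tenant, as an added example that is not from the article or from ShareGate: the records are constructed, and only loosely mirror the AuditData JSON that Exchange Online’s Search-UnifiedAuditLog returns. The inbox-rule operation and parameter names (New-InboxRule, ForwardTo, RedirectTo, DeleteMessage) are real cmdlet parameters; the “User registered security info” event name, the internal domain list, and the 24-hour correlation window are assumptions to check against your own export.

```python
"""Hunt Microsoft 365 audit records for the back doors attackers leave after a
credential theft. Added example, not the article's or ShareGate's code. Records are
constructed and only loosely mirror the AuditData JSON that Search-UnifiedAuditLog
returns; check field and event names against your own export."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}          # assumption: the tenant's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}   # Exchange admin-audit operations
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
AUTH_REGISTERED = "User registered security info"  # assumed Entra audit activity name
CORRELATION_WINDOW = timedelta(hours=24)        # assumption: two indicators this close escalate

# Constructed sample: alice's mailbox was taken over, bob made a normal rule,
# dave simply enrolled a new phone.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-03-04T02:13:55", "UserId": "alice@contoso.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "acct-review@mail-drop.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T02:15:10", "UserId": "alice@contoso.example",
     "Operation": AUTH_REGISTERED},
    {"CreationTime": "2024-03-04T09:40:00", "UserId": "bob@contoso.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-03-04T11:02:00", "UserId": "dave@contoso.example",
     "Operation": AUTH_REGISTERED},
]

def rule_params(record):
    """Flatten the [{'Name': ..., 'Value': ...}, ...] parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    """Exported values can look like 'Alice [SMTP:alice@contoso.example]'; take the domain."""
    domain = address.rsplit("@", 1)[-1].rstrip("]").lower()
    return domain not in INTERNAL_DOMAINS

def classify(record):
    """Return the set of persistence indicators a single audit record exhibits."""
    findings = set()
    op = record["Operation"]
    if op in RULE_OPS:
        p = rule_params(record)
        targets = [p[k] for k in FORWARD_PARAMS if k in p]
        if any(is_external(t) for t in targets):
            findings.add("external_forwarding_rule")
        if targets and "True" in (p.get("DeleteMessage"), p.get("MarkAsRead")):
            findings.add("rule_hides_forwarded_mail")   # the victim never sees the thread
        if p.get("Name", "").strip(" .") == "":
            findings.add("blank_rule_name")             # '.' or ' ' names are a classic BEC tell
    elif op == AUTH_REGISTERED:
        findings.add("new_auth_method")                 # normal alone, suspicious beside a rule
    return findings

def hunt(records):
    """Group indicators per user and escalate when two different kinds land within the window."""
    hits = defaultdict(list)
    for r in records:
        for f in classify(r):
            hits[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), f))
    report = {}
    for user, events in hits.items():
        events.sort()
        escalate = any(
            len({f for t2, f in events if t1 <= t2 <= t1 + CORRELATION_WINDOW}) >= 2
            for t1, _ in events)
        report[user] = {"indicators": sorted({f for _, f in events}),
                        "likely_persistence": escalate}
    return report

if __name__ == "__main__":
    for user, verdict in hunt(SAMPLE_AUDIT).items():
        print(user, verdict)
```

On a real export, feed the AuditData of each row into classify and treat any user with likely_persistence set as a containment case: remove the rule, revoke sign-in sessions, reset the password, and review the account’s registered authentication methods and app consents. Note that dave’s single MFA enrolment is reported but not escalated; one new method on its own is everyday behaviour.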

Privilege abuse 

Although insider threats only account for around 5% of security breaches, they’re worth taking seriously. Employees can cause a lot of damage while avoiding detection because they have an intimate knowledge of your system and, unlike cybercriminals, you expect them to be there. 

However, there are some telltale signs of privilege abuse, whether it’s malicious or accidental. Users might:  

  • Access the system outside normal working hours 
  • Copy sensitive information to an unauthorized device 
  • Log into areas of the system they don’t normally access 
  • Make multiple failed login attempts to unauthorized areas 
  • Apply a large number of changes to a drive or document 

With deliberate attacks, employees may cover their tracks by deleting activity logs, creating fake user accounts, or pretending to be the victim. This makes it harder to catch the perpetrator and creates a sense of unease as team members point the finger at each other.
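The warning signs listed in the account breaches section (logins from an unfamiliar country, a colleague turning up in areas unrelated to their job) and in the list above (off-hours access, repeated failed attempts, bursts of changes) can be written down as detection rules. The following is an added example, not code from the article or from ShareGate: it runs five such rules over constructed sign-in and file-activity records whose fields are a simplified stand-in for Entra sign-in logs and the SharePoint audit log. The business-hours window and the burst thresholds are assumptions to tune for your tenant.

```python
"""Score Microsoft 365 sign-in and file-activity records for the warning signs
the article lists. Added example, not the article's or ShareGate's code; record
shapes are a simplified stand-in for Entra sign-in logs and the SharePoint audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions to tune for your tenant: business hours and burst thresholds.
BUSINESS_HOURS = (6, 22)                       # 06:00-22:00 UTC counts as normal
FAIL_BURST = (5, timedelta(minutes=10))        # >=5 failed sign-ins in 10 minutes
CHANGE_BURST = (20, timedelta(minutes=10))     # >=20 modify/delete ops in 10 minutes
CHANGE_OPS = {"FileModified", "FileDeleted", "FileRecycled"}

# Constructed sample data. February builds the baseline; March is scored.
SIGNINS = [
    {"time": "2024-02-05T08:30:00", "user": "alice", "country": "CA", "status": "Success"},
    {"time": "2024-02-12T09:02:00", "user": "alice", "country": "CA", "status": "Success"},
    {"time": "2024-02-06T08:45:00", "user": "bob", "country": "CA", "status": "Success"},
    {"time": "2024-03-04T03:12:00", "user": "alice", "country": "NG", "status": "Success"},
    {"time": "2024-03-04T09:00:00", "user": "bob", "country": "CA", "status": "Success"},
] + [  # five failures against carol inside four minutes: brute force or password spray
    {"time": f"2024-03-04T10:0{i}:00", "user": "carol", "country": "US", "status": "Failure"}
    for i in range(5)
]
ACTIVITY = [
    {"time": "2024-02-05T09:00:00", "user": "alice", "operation": "FileAccessed", "site": "/sites/Marketing"},
    {"time": "2024-02-07T10:00:00", "user": "bob", "operation": "FileModified", "site": "/sites/Finance"},
    {"time": "2024-03-04T03:20:00", "user": "alice", "operation": "FileAccessed", "site": "/sites/Finance"},
    {"time": "2024-03-04T14:00:00", "user": "bob", "operation": "FileModified", "site": "/sites/Finance"},
] + [  # twenty deletions by bob in under a minute: mass change, or ransomware at work
    {"time": f"2024-03-04T15:00:{2 * i:02d}", "user": "bob", "operation": "FileDeleted", "site": "/sites/Finance"}
    for i in range(20)
]

def ts(s):
    return datetime.fromisoformat(s)

def off_hours(t):
    start, end = BUSINESS_HOURS
    return not (start <= t.hour < end)

def burst(times, count, window):
    """True if at least `count` timestamps fall inside one `window`-long span (sliding window)."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= count:
            return True
    return False

def find_signals(signins, activity, baseline_until):
    """Return {user: [signal, ...]}. Events before `baseline_until` build each user's
    normal countries and sites; later events are scored against that baseline."""
    cutoff = ts(baseline_until)
    countries, sites = defaultdict(set), defaultdict(set)
    for r in signins:
        if ts(r["time"]) < cutoff and r["status"] == "Success":
            countries[r["user"]].add(r["country"])
    for r in activity:
        if ts(r["time"]) < cutoff:
            sites[r["user"]].add(r["site"])

    signals = defaultdict(set)
    failures, changes = defaultdict(list), defaultdict(list)
    for r in signins:
        t = ts(r["time"])
        if t < cutoff:
            continue
        if r["status"] == "Success":
            if r["country"] not in countries[r["user"]]:
                signals[r["user"]].add("new_country")      # "a country they've never been to"
            if off_hours(t):
                signals[r["user"]].add("off_hours_signin")  # outside normal working hours
        else:
            failures[r["user"]].append(t)
    for r in activity:
        t = ts(r["time"])
        if t < cutoff:
            continue
        if r["site"] not in sites[r["user"]]:
            signals[r["user"]].add("unusual_site")          # areas unrelated to their job
        if r["operation"] in CHANGE_OPS:
            changes[r["user"]].append(t)
    for user, times in failures.items():
        if burst(times, *FAIL_BURST):
            signals[user].add("failed_burst")                # repeated failed attempts
    for user, times in changes.items():
        if burst(times, *CHANGE_BURST):
            signals[user].add("mass_change")                 # many changes to a drive
    return {user: sorted(s) for user, s in signals.items()}

if __name__ == "__main__":
    for user, hits in find_signals(SIGNINS, ACTIVITY, "2024-03-01T00:00:00").items():
        print(f"{user}: {', '.join(hits)}")
```

Each user ends up with a short list of signals rather than a verdict, which is deliberate: one signal (an off-hours login during a business trip) is noise, while alice’s combination of a new country, an off-hours login, and a first visit to the Finance site is the pattern the article describes and is worth a call to the user. The same sliding-window burst check, keyed by source IP instead of user, is the usual shape of a password-spray detector.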


How to avoid security breaches in Microsoft 365 

Faced with such daunting issues, the temptation is to lock down your Microsoft 365 tenant. Nothing gets in, nothing gets out. 

But a locked-down tenant means employees can’t immediately access the tools and resources they need. You’ll lose all the efficiency, flexibility, and cost savings you gained from adopting Microsoft 365 in the first place. The ideal solution should boost security for remote teams without slowing them down. 

Plus, employees will become frustrated with all the restrictions and turn to “hacks” like using unapproved software or sharing access to accounts. You could end up with a lose-lose situation where you have just as many security risks and less work gets done.

“We don’t take away the steering wheel. We still let them drive, we just make sure it’s safer and we teach them that the guardrails are there to help them not go over the cliff.”

Marc D. Anderson, Microsoft MVP

Never fear. With the right combination of tools and security best practices, you can find the sweet spot between protecting your company and allowing your teams to do their jobs well. Here’s what you can use:  

  • Governance: Setting up policies and creating a comprehensive governance strategy is at the heart of managing Microsoft 365 effectively. However, employees will forget your rules if all you do is have them read and sign a document. Enforce policies in the tools themselves, for instance with sensitivity labels that mark a document as public, internal, or confidential and carry that protection with the file.  
  • Multi-factor authentication (MFA): Microsoft’s security defaults require every user to register for MFA, adding a verification step beyond the password. Users prove their identity with something they have (a phone or hardware key), something they know, or something they are (biometrics). Check that it’s enabled, require it for every user, and prefer phishing-resistant methods such as authenticator-app number matching or FIDO2 keys over SMS codes, which attackers can intercept or talk a user into reading out. 
  • Managed zero-trust: Never trust, always verify. That doesn’t mean you suspect your staff; it means no user, device, or network is trusted by default, and every request is checked against identity, device health, and context. Implement it across your Microsoft products with role-based permissions, least-privilege access, and Conditional Access policies.  
  • Data loss prevention (DLP): Create DLP policies in the Microsoft Purview compliance portal (formerly the Compliance Center) to scan documents, emails, and chats for sensitive information. Start from the built-in templates or write your own rules to decide which data to protect and what to do when it turns up. For instance, a policy can warn a user, or block the action outright, when they try to share a file containing credit card numbers with someone outside the organization.  
  • Microsoft Purview: Purview helps you locate, classify, and manage data across your Microsoft products. With that overview you gain oversight of potential risks and compliance issues, and its insider risk features are built to spot inappropriate or unusual activity and trace it back to the account responsible.  
  • Microsoft Defender: Detect and block malware across company devices with Defender. You can onboard customer and partner devices quickly too, so attackers can’t use them as a way in, and Defender’s device discovery finds unmanaged endpoints on your network that still need protecting.  
  • Audit logs: The unified audit log records user and admin activity across Microsoft 365 workloads, so you can catch suspicious behaviour before it escalates into a major problem. Filter by user, operation, and time range when you suspect a breach at a specific time or want to check an area of the company you think is exposed. Retention is limited, so export or forward the log to your SIEM rather than counting on it still being there later. 
  • Reporting and monitoring: Daily checks allow you to be proactive rather than reactive. Automate reporting so you stay efficient and have time to focus on critical areas. You can use Microsoft’s native tools alongside ShareGate’s custom, automated, and pre-built reports.
  • Automation: Repetitive manual tasks leave room for human error, like applying overly permissive settings or moving an important file to the wrong location. They’re also slow, and every hour spent configuring security by hand is an hour an attacker has to act first. Automating those tasks removes both problems and frees up your time for higher-value work. 

“Monitoring is the single thing that gives you an edge and makes a difference for security.”

Maarten Eekels, Microsoft MVP

Stay in control, not under constraint 

Now that companies have gone remote, ad-hoc management won’t do. Cybercriminals have an unprecedented amount of access to systems, and it’s a matter of when, not if, they’ll get in.  

So, the question becomes, would your business rather deal with security threats before or after the fact? Given the high cost of breaches, we recommend a proactive approach and further investment into governance. 

But good governance isn’t a one-and-done deal. Organizations must actively keep track of it, update it, and evaluate its use. Otherwise, they’ll lose the balance between staying secure while maintaining adaptive and efficient team processes. 

This is where ShareGate comes in. With our solution, you can scale and automate your security processes to guarantee you’re making the most of your Microsoft 365 environment. From setting up IT policies and applying them in bulk to monitoring for anomalies so you can make quick course corrections, you can eliminate any gaps or inconsistencies in your management. Book a demo for a personalized walkthrough of ShareGate!
