Microsoft 365 Holds Your Business, Who’s Testing It?

Microsoft 365 has quietly become the beating heart of most businesses. Email, documents, chat, shared drives, video calls, it all lives there, alongside financial records, customer data and years of internal correspondence that would once have filled a filing cabinet. Yet remarkably few organisations have ever had someone actually try to break into it. The assumption seems to be that because Microsoft built it, Microsoft must have secured it fully on the customer’s behalf. That’s only half true, and the half that isn’t true is usually the half that matters most.

A Single Login Now Guards Almost Everything

Modern businesses have consolidated so much around one identity system that a single compromised password can unlock email, files, Teams conversations and SharePoint libraries all at once, in one seamless motion an attacker barely needs to think about. This concentration of risk is precisely why identity has become the new perimeter. Firewalls used to be the thing standing between attackers and your data. Now it’s often just a username and password, sometimes without multi-factor authentication properly enforced across every account, including the older ones nobody remembers setting up in the first place. Businesses rarely stop to ask who still holds administrative rights over the whole tenant, or when those rights were last reviewed properly.

A thorough programme of Azure pen testing looks specifically at how identities, conditional access policies and privileged roles are configured, because that’s where the real exposure tends to sit rather than in the underlying software Microsoft itself maintains and patches.

Microsoft 365 Holds Your Business, Who's Testing It? — Aardwolf Security

SharePoint, Email Rules and the Quiet Ways In

Attackers who gain a foothold rarely smash through the front door twice. They set up forwarding rules on a compromised mailbox to quietly copy invoices and sensitive threads without anyone noticing anything has changed. They explore SharePoint sites that were shared too broadly during a project and never locked back down once that project finished. They look for old guest accounts from contractors who left months ago but were never removed from the tenant. Each of these is mundane, unglamorous, and exactly the sort of thing that gets missed without a proper external review conducted by someone who knows precisely where to look. Even something as simple as a shared calendar can quietly reveal meeting patterns and client names to someone who was never meant to see them.

William Fieldhouse has seen how quickly a single oversight can cascade through an entire tenant.

“A client once had a forwarding rule sat quietly on one mailbox for four months, sending every invoice to an outside address, and nobody noticed because the inbox looked completely normal from the inside the whole time it was happening.”

— William Fieldhouse, Director of Aardwolf Security Ltd

That’s the unsettling part, from the user’s own screen, everything appears entirely ordinary. The attacker doesn’t need to break anything visibly broken; they just need one small, quiet change that nobody thinks to look for amid the usual daily flow of email. Regular reviews of mailbox rules, sharing permissions and login activity catch exactly this sort of thing before it costs real money, sometimes a great deal of it, and long before a customer or supplier ever raises the alarm themselves.

Treat Your Tenant Like the Asset It Is

If your entire business runs through Microsoft 365 and nobody has ever stress-tested how it’s configured, pairing that review with a proper external network pen testing gives you a much clearer picture of what an outsider could actually reach, and how quickly, once they’ve found their way in.

Share:

Linda

Linda Green: Linda, a tech educator, offers resources for learning coding, app development, and other tech skills.