“When did this happen?”
“About a year ago… well, thirteen months, actually.”
Microsoft 365 products have made our lives incredibly easy. Small businesses can deploy enterprise-grade email and calendaring for a fraction of the cost of the "old days." Managed Service Providers (MSPs) can increase availability and uptime without ever patching a server.
It seems like a win-win scenario. And it is... until it isn't.
Below is a real-life example of what can happen when services like M365 are set up improperly, or when permissions become too permissive.
A new prospect reached out to Teknologize with serious concerns about the security of their infrastructure: they had suffered multiple cases of ACH and wire transfer fraud, and the fraud continued even after they changed bank accounts and financial institutions.
Their theory pointed at their contractors, who used their own devices (BYOD); the company had no corporate controls to require Endpoint Detection and Response (EDR) or antivirus (AV) protection on those machines.
It sounded simple enough until the logs told a different story.
At first, the client's theory seemed correct. Their M365 and Google Workspace tenants, which they had set up themselves, showed no obvious Indicators of Compromise (IOCs).
There were no interactive logins from high-risk countries.
MFA was enabled, required, and enforced for all users.
They had a limited number of Global Admins.
Even legacy authentication was disabled.
By all common metrics, the tenant passed the initial check. The front door was locked.
After a few minutes of looking through the logs, there it was, staring right at us. An Enterprise Application for an "email backup product" (a legitimate service) had been registered on the tenant and granted consent.
It had been granted admin consent by one of the two Global Admins. Looking closer, the audit log showed that this consent was granted just 15 minutes after another, far more suspicious Enterprise Application had been consented to by the exact same user.
After conversing with the user, they confirmed it.
"I did click a link about a year ago, but I added advanced security to my email, and I haven't received many phishing emails with links since, so I didn't worry about it."
They didn't worry because the phishing emails stopped. They didn't realize that the emails stopped because the attacker had already won.
Once the attacker had persistent, authorized access through the consented Enterprise Application, they no longer needed to phish anyone: the app could read the mailbox through Microsoft's APIs with its own tokens, and no user sign-in was ever involved.
They simply sat back and collected 13 months of the user's data, planning their wire fraud with perfect inside information. Every email that had passed through the mailbox in those 13 months was in the bad actor's hands.
This incident perfectly illustrates a common and dangerous security gap. Products like Microsoft 365 are designed to be easy to use, but they are incredibly complex to secure correctly.
This company checked all the standard security boxes: MFA was on, legacy auth was off, and there were no suspicious logins. They appeared safe. But the threat wasn't trying to get in the front door; it had been given a key 13 months earlier.
This breach wasn't a failed login; it was a permission (an admin consent granted to an Enterprise Application) that was abused. Because the app authenticated as itself rather than as the user, its activity shows up under service principal sign-ins in Entra ID, not in the interactive user sign-in log that had been checked for high-risk countries.
Ease of Use Can Create a False Sense of Security
M365 makes deployment simple, leading many to believe that security is just as straightforward.
A Breach Can Be Silent
The user thought the threat was gone because the phishing emails stopped. In reality, the attacker had already won and was silently exfiltrating data.
MFA is Not a Silver Bullet
This attack method bypasses MFA entirely. MFA is enforced when a user signs in interactively; once an Enterprise Application has been granted consent, it obtains its own access tokens on the strength of that grant and never performs a user sign-in, so MFA and sign-in location checks never apply to it. Resetting the admin's password does not remove the grant either; only revoking the consent or deleting the Enterprise Application does.
Setup vs. Security
Setting up an M365 tenant is easy. Securing it, which involves continuous monitoring, auditing app registrations, and managing granular permissions, is hard and requires specialized expertise.
1. Why do Microsoft 365 tenants get breached even with MFA enabled?
Because attackers can trick users (or, as in this case, an admin) into granting access to a malicious Enterprise Application. Once consent is granted, the app accesses data directly through Microsoft's APIs with no password or MFA prompt, and the grant persists until someone explicitly revokes it.
2. How can I check for malicious Enterprise Apps in my tenant?
In the Microsoft Entra admin center, go to Enterprise applications, open each app, and check Permissions, which lists what has been granted by admin consent and what individual users have consented to. Remove any app you don't recognize (deleting the Enterprise Application removes its grants), and look hard at the dangerous combination: broad mailbox permissions such as Mail.Read or Mail.ReadWrite, granted with admin consent, to a publisher you cannot verify. To see the same data across the whole tenant, the Microsoft Graph PowerShell cmdlets Get-MgOauth2PermissionGrant (delegated permissions) and Get-MgServicePrincipalAppRoleAssignment (application permissions) list every grant. Then tighten Enterprise applications → Consent and permissions so ordinary users can no longer consent to unverified apps on their own.
3. What are the signs that my Microsoft 365 tenant might be compromised?
Unexpected Enterprise Applications or app registrations, unusual consent requests, service principal sign-ins from an app nobody remembers adding, or suspicious inbox rules (forwarding or auto-delete rules that hide the attacker's traffic) can indicate compromise even when the user sign-in logs look normal.
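The consent review in question 2 and the warning signs in question 3 can be automated against an export of the Entra audit log, which records every "Consent to application" event. The Python script below is an added example, not Teknologize's tooling or Microsoft's, and it shows the triage logic that would have surfaced this incident: admin consent, broad mailbox scopes, and a second consent by the same person minutes after the first. The field names follow the Entra audit log export, but the three records are constructed for the example and the ConsentAction.Permissions text is simplified to a "Scope: ..." fragment (a live export wraps it in more fields); the high-risk scope list is the example author's starting point, not a Microsoft list.

```python
"""Triage 'Consent to application' events from a Microsoft Entra audit-log export.

Added example (not the original post's code). Flags admin consent, broad
mailbox permissions, and consents clustered in time by the same actor.
"""
import json
import re
from datetime import datetime, timedelta

# Scopes that give an app standing access to mail or the directory.
# Assumption: this is the example author's list; tune it for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "Mail.Send",
    "MailboxSettings.ReadWrite", "full_access_as_app",
    "Directory.ReadWrite.All", "Files.Read.All", "Sites.Read.All",
}


def _record(when, upn, app, admin, scopes):
    """Build one CONSTRUCTED audit record in the shape of the Entra export."""
    return {
        "activityDisplayName": "Consent to application",
        "activityDateTime": when,
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent",
                 "newValue": '["True"]' if admin else '["False"]'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[[Scope: {scopes}, ConsentType: AllPrincipals]]"},
            ],
        }],
    }


# Constructed sample export: not from any real tenant. Mirrors the incident:
# two admin consents by the same Global Admin, 15 minutes apart.
SAMPLE_AUDIT_EXPORT = json.dumps([
    _record("2024-09-03T14:02:11Z", "gadmin@contoso.example", "Mailbox Sync Helper",
            True, "Mail.ReadWrite Mail.Send offline_access User.Read"),
    _record("2024-09-03T14:17:40Z", "gadmin@contoso.example", "Email Backup Product",
            True, "Mail.Read offline_access"),
    _record("2024-10-15T09:30:00Z", "jane@contoso.example", "Survey Tool",
            False, "User.Read"),
])


def _prop(target, name):
    """Return newValue of the named modifiedProperty on a target resource."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return prop.get("newValue") or ""
    return ""


def _scopes(raw):
    """Extract the space-separated scope list from a 'Scope: ...' fragment."""
    match = re.search(r"Scope:\s*([^,\]]+)", raw)
    text = match.group(1) if match else raw
    return set(text.replace('"', "").replace("[", "").replace("]", "").split())


def parse_consent_events(export_json):
    """Keep only consent events, normalised and sorted by time."""
    events = []
    for rec in json.loads(export_json):
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        target = rec["targetResources"][0]
        events.append({
            "when": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
            "actor": rec["initiatedBy"]["user"]["userPrincipalName"],
            "app": target["displayName"],
            "admin_consent": "true" in _prop(target, "ConsentContext.IsAdminConsent").lower(),
            "scopes": _scopes(_prop(target, "ConsentAction.Permissions")),
        })
    return sorted(events, key=lambda e: e["when"])


def triage(export_json, window=timedelta(minutes=30)):
    """One finding per consent event, with every reason it deserves a look."""
    events = parse_consent_events(export_json)
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if ev["admin_consent"]:
            reasons.append("admin consent (tenant-wide grant)")
        risky = sorted(ev["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if "offline_access" in ev["scopes"]:
            reasons.append("offline_access: refresh token outlives the session")
        # The pattern from the incident: same actor, second consent minutes later.
        for prev in events[:i]:
            if prev["actor"] == ev["actor"] and ev["when"] - prev["when"] <= window:
                minutes = int((ev["when"] - prev["when"]).total_seconds() // 60)
                reasons.append(f"same actor consented to '{prev['app']}' {minutes} min earlier")
        findings.append({"app": ev["app"], "actor": ev["actor"],
                         "when": ev["when"].isoformat(), "reasons": reasons,
                         "review": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_EXPORT):
        flag = "REVIEW" if f["review"] else "ok    "
        print(f"{flag} {f['when']} {f['actor']} -> {f['app']}: {'; '.join(f['reasons'])}")
```

Run against a real export, the script would point straight at the "Email Backup Product" consent: admin-granted, mailbox read, and 15 minutes after another consent by the same Global Admin. The time-window check is the piece a portal review misses, because the Permissions blade shows each app in isolation and never tells you that two grants were made in the same sitting.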
4. How often should Microsoft 365 security be reviewed?
At least quarterly. Attackers often exploit permissions that were granted long ago and forgotten. A security review ensures old apps or permissions don’t become backdoors.
Protect your Microsoft 365 environment before it’s too late.
Schedule your Microsoft 365 Security Review with Teknologize today.
👉 Book a Discovery Call to see how Teknologize can support your business.
Our Offices
Tri-Cities, Washington – 509.396.6640 | Yakima, Washington – 509.396.6640
Bend, Oregon – 541.848.6072 | Seattle, Washington – 206.743.0981
Questions about your IT or Cybersecurity? Give us a call today!