
Microsoft 365 Security Configuration: 7 Steps to Protect Your Organisation

16 May 2024 · 13 min read · Precursor Security

To secure your Microsoft 365 environment, enable multi-factor authentication, disable legacy authentication protocols, use dedicated administrator accounts, block malicious email attachments, restrict third-party app access, disable email auto-forwarding, and conduct regular configuration assessments. These seven controls address the most exploited attack vectors targeting Microsoft 365 tenancies.

Microsoft 365 is trusted by organisations large and small for their day-to-day operations. Email, data storage, document exchange, customer and company-critical information are all entrusted to 365 for safe keeping. And yet out-of-the-box, or out-of-the-cloud as is more common, Microsoft 365 security features are configured for usability rather than maximum security.

Cyber attackers have taken notice and are shifting their focus towards this attractive target.

This guide outlines 7 simple configuration changes that significantly increase the security of your Microsoft 365 environment. Make sure you are not their next target.

How Do You Enable Multi-Factor Authentication in Microsoft 365?

Enabling Multi-Factor Authentication (MFA) is still the single most effective change you can make to protect your organisation from account take-over. According to the Microsoft Digital Defense Report 2024, Microsoft's customers face more than 600 million identity attacks every day - over 99% of which are password-based. MFA largely neutralises this category: a sprayed, stuffed or stolen password is no longer enough on its own to obtain a session. The Verizon DBIR 2024 found that stolen credentials were involved in approximately 31% of all breaches - remaining the most exploited initial access vector. Despite this, many users don't enable MFA and organisations don't enforce the policy. One caveat: SMS and simple push approval can still be defeated by adversary-in-the-middle phishing kits and push-fatigue attacks, so use phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication) for administrators at minimum, and make sure number matching is in use for Microsoft Authenticator push.

To enforce MFA across your organisation, open the Microsoft Entra admin center (Microsoft Entra ID is the current name for Azure Active Directory) and navigate to Protection > Conditional Access to create a policy that targets all users and all cloud apps with the grant control "Require multifactor authentication". Two practical caveats: exclude at least one emergency-access ("break-glass") account so that a misconfigured policy cannot lock every administrator out, and deploy the policy in report-only mode first so the sign-in log shows who would have been affected before you enforce it. Tenants without an Entra ID P1 licence do not have Conditional Access and should enable Security Defaults instead, which enforces MFA and blocks legacy authentication tenant-wide but offers no per-user or per-app control.

The CIS Microsoft 365 Foundations Benchmark designates MFA enforcement as a Level 1 control - the baseline requirement for all organisations, regardless of size or risk tolerance. NIST SP 800-63B (Authentication and Lifecycle Management) requires multi-factor authentication from Authentication Assurance Level 2 (AAL2) upwards, and at AAL3 requires a hardware-based, phishing-resistant (verifier-impersonation-resistant) authenticator - the level appropriate for high-value and privileged accounts.

Why Should You Disable Legacy Authentication in Microsoft 365?

Legacy (basic) authentication, as used by older client protocols such as IMAP4 (Internet Message Access Protocol version 4), POP3 (Post Office Protocol), authenticated SMTP, and the basic-auth modes of Exchange ActiveSync, Exchange Web Services and older Outlook clients, sends a username and password with every connection and has no way to present a second factor. Historically these protocols were enabled by default in Microsoft 365. Because an MFA requirement cannot be satisfied over these legacy methods of authentication, it is no surprise to find that they are a favourite of attackers looking to access 365 accounts: one valid password is all it takes. Enabling Modern Authentication (OAuth 2.0) for your client apps is the prerequisite, so that Outlook, mobile mail clients and scripts can satisfy MFA, but it does not by itself switch legacy authentication off. That needs an explicit block - a Conditional Access policy, or disabling the protocols per mailbox - so that every remote sign-in is forced through your MFA policies.

Microsoft's own Entra documentation confirms why this matters: more than 97% of credential stuffing attacks and more than 99% of password spray attacks exploit legacy authentication protocols. Blocking legacy authentication does not stop attackers trying, but it removes the one path on which a guessed or leaked password succeeds without MFA. Disabling legacy authentication is also a Level 1 recommendation in the CIS Microsoft 365 Foundations Benchmark v6.0.1.

In the Microsoft Entra admin center under Protection > Conditional Access, create a policy for all users and all cloud apps, set the Client apps condition to "Exchange ActiveSync clients" and "Other clients", and choose Block access. Before enforcing it, filter the sign-in log on those client app types to find the service accounts, multifunction printers and scripts still using basic authentication, and migrate or deliberately exempt them. As a second layer in Exchange Online, disable POP, IMAP and SMTP AUTH on every mailbox that does not need them, so that a future Conditional Access exclusion cannot quietly reopen the door.

From a Precursor Security Microsoft 365 Configuration Assessment: In a configuration assessment of a mid-sized UK professional services firm, Precursor Security identified legacy authentication enabled on 100% of user accounts despite an enforced MFA Conditional Access policy. Because IMAP4 and POP connections bypass Conditional Access entirely, the MFA policy provided no protection for those accounts. Disabling legacy authentication was the single highest-impact remediation from that engagement.
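The two Conditional Access controls above (require MFA for everyone, block legacy authentication clients) implemented end to end, as an added example that is not Precursor Security's tooling or part of the original guide. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, an account holding the Conditional Access Administrator and Exchange Administrator roles, an Entra ID P1 licence (needed for Conditional Access and for reading the sign-in log through Graph), and a break-glass account whose object ID you substitute for the placeholder; the policy names are also assumptions.

```powershell
# Added example, not Precursor Security's tooling. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules, Conditional Access Administrator + Exchange Administrator,
# and Entra ID P1. $breakGlassId and the policy names are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # assumption: object ID of your emergency-access account

# 1. Who is still signing in with legacy authentication? Anything that is not a browser or a
#    modern-auth desktop/mobile app is basic auth. Fix or exempt these before enforcing a block.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. MFA for everyone, every app, every client type. Report-only first: the sign-in log then
#    shows "Report-only: Failure" for every sign-in the enforced policy would have blocked.
$common = @{
    Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @($breakGlassId) }
    Applications = @{ IncludeApplications = @('All') }
}
$mfaPolicy = @{
    DisplayName   = 'CA001 - Require MFA for all users'
    State         = 'enabledForReportingButNotEnforced'   # change to 'enabled' once the report-only results are clean
    Conditions    = $common + @{ ClientAppTypes = @('all') }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 3. Block the client types that cannot do MFA at all: Exchange ActiveSync with basic auth,
#    and "Other clients" (IMAP4, POP3, SMTP AUTH, EWS/MAPI with basic auth, old Office builds).
$legacyPolicy = @{
    DisplayName   = 'CA002 - Block legacy authentication'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = $common + @{ ClientAppTypes = @('exchangeActiveSync', 'other') }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# 4. Belt and braces in Exchange Online: turn the protocols off on every mailbox without a
#    documented need, so a later Conditional Access exclusion cannot quietly reopen them.
Connect-ExchangeOnline
$needsLegacyProtocols = @()   # assumption: primary SMTP addresses of mailboxes that genuinely need POP/IMAP/SMTP AUTH
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled) -and
                   $_.PrimarySmtpAddress -notin $needsLegacyProtocols } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
    }
```

Run step 1 on its own first and leave both policies in report-only mode for at least one full business cycle (month-end reporting jobs and scanners are the usual stragglers). Step 4 closes the protocols at the mailbox level so that, when someone adds a "temporary" exclusion to CA002 six months later, the mailbox itself still refuses basic authentication.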

Why Should You Use Dedicated Administrator Accounts in Microsoft 365?

Using administrative accounts for day-to-day activities is an unacceptable and unnecessary risk. Daily use increases the likelihood of these highly privileged accounts being taken over as even the most experienced users can fall victim to phishing attacks or compromised passwords.

Even authorised administrators can do most of their day-to-day activity using a separate standard account. Keeping administrative accounts only for those operations that absolutely require additional authorisations also allows more stringent security controls to be applied to these critical accounts.

Attackers who gain access to an administrator account can disable security controls, exfiltrate all data, and lock out legitimate users - making these accounts the highest-value target in any Microsoft 365 environment. Using dedicated privileged accounts aligns with the principle of least privilege as defined in NIST SP 800-53 Rev 5 (AC-6) and is a Level 1 control in the CIS Microsoft 365 Foundations Benchmark v6.0.1. In practice this means admin accounts that are cloud-only (not synchronised from on-premises Active Directory, so an AD compromise does not become a tenant compromise), hold no licence or mailbox (so they cannot receive phishing email), are never used to browse or read mail, are protected by phishing-resistant MFA, and - where you have Entra ID P2 - hold their roles as time-limited eligible assignments through Privileged Identity Management rather than permanently.
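A read-only audit of who currently holds the most privileged Entra roles, flagging the accounts that look like daily-use identities, as an added example that is not Precursor Security's tooling or part of the original guide. It assumes the Microsoft.Graph PowerShell module and an account able to read role assignments and users; the list of roles treated as privileged is an assumption you should extend for your tenant.

```powershell
# Added example, not Precursor Security's tooling: audit members of privileged Entra roles.
# Requires the Microsoft.Graph module; read-only. The role list is an assumption.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$privilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
    'Security Administrator', 'Conditional Access Administrator', 'Exchange Administrator',
    'SharePoint Administrator', 'Application Administrator', 'Cloud Application Administrator',
    'User Administrator', 'Authentication Administrator'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant, and only their
# active members; PIM-eligible (not yet activated) assignments do not appear here.
$findings = foreach ($role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $privilegedRoles }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; this check is about human admin accounts.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property @('userPrincipalName', 'accountEnabled', 'assignedLicenses', 'onPremisesSyncEnabled')
        $licensed = @($user.AssignedLicenses).Count -gt 0
        $synced   = [bool]$user.OnPremisesSyncEnabled

        # A licensed account has a mailbox and Office apps: it is a daily-use account with admin rights.
        # A synced account means an on-premises AD compromise is also a cloud admin compromise.
        $concern = ''
        if ($licensed) { $concern = 'Licensed: daily-use account holding an admin role' }
        elseif ($synced) { $concern = 'Synced from on-premises AD: admin accounts should be cloud-only' }

        [pscustomobject]@{
            Role     = $role.DisplayName
            User     = $user.UserPrincipalName
            Enabled  = $user.AccountEnabled
            Licensed = $licensed
            Synced   = $synced
            Concern  = $concern
        }
    }
}

$findings | Sort-Object Role, User | Format-Table -AutoSize
'{0} privileged assignments, {1} need attention' -f @($findings).Count, @($findings | Where-Object Concern).Count
```

Every row with a non-empty Concern is a candidate for a new, dedicated, cloud-only admin identity, after which the role is removed from the daily-use account. Unlicensed, cloud-only admin accounts are also the easy population to target with a stricter Conditional Access policy (phishing-resistant MFA, compliant device) without disrupting ordinary users.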

How Do You Block Malicious Email Attachments in Microsoft 365?

Over 22% of successful breaches in the past year involved phishing using malicious attachments delivered via email. They are a favourite for attackers trying to gain a foothold in a target network, especially since so many businesses use email to share office documents and users are used to receiving them.

While many documents are safe, it is critical that executable file types are prevented from entering a user's inbox. According to the Microsoft Digital Defense Report 2024, Office document formats remain among the most commonly weaponised email attachments - though attackers have increasingly pivoted to archive files, ISO images, and HTML attachments following Microsoft's default blocking of macros in files downloaded from the internet, introduced in 2022.

In the Microsoft Defender portal (formerly Microsoft 365 Defender), navigate to Email & collaboration > Policies & rules > Threat policies > Anti-malware and enable the Common attachment filter in the anti-malware policy to reject messages carrying listed extensions. For finer control - extension blocks scoped to external senders only, quarantining rather than rejecting, or conditions such as "attachment has executable content" and "attachment is password protected" that inspect the file rather than trusting its name - use mail flow rules under Exchange admin center > Mail flow > Rules.

The table below covers the most common malicious attachment types and the recommended blocking approach for each:

Common Malicious Attachment Types in Microsoft 365

| File type / extension | What it is | Why attackers use it | Block in Microsoft 365? |
| --- | --- | --- | --- |
| .exe | Windows executable binary | Directly executes a malware payload (ransomware, RAT, loader) | Yes - block by default |
| .dll | Dynamic Link Library (executable code module) | Loaded by legitimate Windows processes (DLL sideloading) to execute malicious code without a standalone executable | Yes - treated as executable content |
| .hta | HTML Application, executed by mshta.exe (the Microsoft HTML Application host) | Runs script outside the browser sandbox, with the full privileges of the logged-on user | Yes - flagged as executable |
| .doc / .docm | Word document (.docm = macro-enabled) | Macro-enabled formats deliver payloads via VBA macros; the legacy binary .doc format has also been used to exploit parser vulnerabilities | With exceptions - block .docm; Microsoft has blocked macros in files from the internet by default since 2022, but that relies on the Mark-of-the-Web, which not every delivery path preserves |
| .xls / .xlsm / .xlk / .xll | Excel formats (.xlsm = macro-enabled; .xll = Excel add-in, a native DLL) | .xlsm delivers macro payloads; .xll add-ins surged as a delivery vector in 2021-2023 after macro controls tightened | With exceptions - block .xlsm and .xll |
| .iso / .img | Disc image files | Deliver executable payloads inside a container; historically files in a mounted image did not carry the Mark-of-the-Web, so they ran without a SmartScreen warning (Windows updates from late 2022 propagate the mark into mounted images, but unpatched hosts remain exposed) | Yes - no legitimate reason to receive ISO/IMG files via email |
| .lnk | Windows shortcut file | Executes arbitrary commands when double-clicked; used as a dropper to download and run remote payloads | Yes - no legitimate reason to email LNK files |
| .html / .htm | HTML attachment | Used for HTML smuggling: the payload is encoded inside JavaScript and assembled in the browser when the file is opened, bypassing gateway-level scanning | With exceptions - Defender for Office 365 Safe Attachments detonates HTML attachments; block or quarantine them from external senders if not operationally required |
| .zip / .rar / .7z | Archive container formats | Package malicious files (EXE, LNK, DOCM) inside compressed archives that bypass simple extension filters; password-protected archives defeat automated scanning entirely | With exceptions - widely used in business; block password-protected archives from external senders |
| .pdf | Portable Document Format | Malicious PDFs exploit reader vulnerabilities or embed links and QR codes pointing to phishing pages | With exceptions - PDF is ubiquitous; Safe Attachments provides sandboxed detonation |

There are, of course, business cases where some of these file types are required so it is impossible to simply block all delivery. This highlights the need for strong controls and "defence in depth", supplemented with regular user awareness training.
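The table's recommendations implemented in Exchange Online PowerShell, as an added example that is not Precursor Security's tooling or part of the original guide: the "Yes - block" rows go into the anti-malware common attachment filter, and the "with exceptions" rows are handled by mail flow rules scoped to external senders. It assumes the ExchangeOnlineManagement module and an Exchange Administrator; the rule names and the extra script extensions added beyond the table are assumptions to adapt to your business.

```powershell
# Added example, not Precursor Security's tooling. Requires ExchangeOnlineManagement and an
# Exchange Administrator. Rule names and the extension list are assumptions.
Connect-ExchangeOnline

# 1. Common attachment filter: reject by extension on the default anti-malware policy.
#    -FileTypes replaces the whole list, so merge with what is already configured.
$blockExtensions = @(
    'exe', 'dll', 'hta', 'iso', 'img', 'lnk',                       # table rows marked "Yes - block"
    'docm', 'xlsm', 'xll', 'pptm',                                   # macro-enabled / add-in formats the table says to block
    'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'js', 'jse', 'wsf', 'wsh', 'ps1', 'msi'   # other executable/script types (an addition)
)
$policy = Get-MalwareFilterPolicy -Identity Default
$merged = @($policy.FileTypes) + $blockExtensions | Where-Object { $_ } | Sort-Object -Unique
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $merged -FileTypeAction Reject

# 2. Extension filters can be renamed around. "Has executable content" inspects the file itself
#    (true file type), so a .exe renamed to .txt, or an executable inside a zip, is still caught.
#    Start in audit mode: the rule is logged in message trace but the reject is not applied.
New-TransportRule -Name 'Reject executable content from external senders' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted from external senders.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# 3. Password-protected attachments cannot be scanned at all; reject them from outside the organisation.
New-TransportRule -Name 'Reject password-protected attachments from external senders' `
    -FromScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -RejectMessageReasonText 'Password-protected attachments are not accepted from external senders. Please use a file-sharing link.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 4. HTML attachments (HTML smuggling): quarantine rather than reject, so a genuine one can be released.
New-TransportRule -Name 'Quarantine HTML attachments from external senders' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'html', 'htm', 'shtml', 'xhtml' `
    -Quarantine $true

Get-TransportRule | Select-Object Priority, Name, State | Sort-Object Priority
```

Rule 2 is the one most likely to catch legitimate traffic (installers from a software vendor, for example), which is why it starts in audit mode; switch it to -Mode Enforce once message trace shows only hits you are happy to reject. The common attachment filter and the mail flow rules act before Safe Attachments detonation, so the expensive sandbox is spent only on the "with exceptions" file types that get through.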

Why Should You Restrict Third-Party App Access in Microsoft 365?

Third-party applications are an increasingly popular avenue of attack for adversaries looking to compromise your Microsoft 365 environment. While users see them as increasing productivity and providing new features, these applications work by requesting OAuth 2.0 permissions to Microsoft Graph and the other Microsoft 365 REST APIs (web-based application programming interfaces). When a user clicks Accept on a consent prompt, the application is issued tokens for that user's data - emails, calendars, contacts, users, groups, files, and folders - which it can use from anywhere. This is the basis of consent phishing (the "illicit consent grant" attack): the adversary registers an innocuous-looking app, lures the user into consenting, and then reads the mailbox without ever needing the password or an MFA code. Because the access lives in tokens issued to the application, a password reset does not revoke it; the permission grant itself has to be removed.

We advise that the ability to add new applications is limited to authorised and protected staff, with each application undergoing a rigorous review process before being released to general users. In the Microsoft Entra admin center, go to Enterprise applications > Consent and permissions > User consent settings and either disable user consent entirely or restrict it to verified publishers and low-impact permissions; then enable the admin consent workflow so that users request, rather than grant, access. Finally, review the grants that already exist - each enterprise application's Permissions blade shows what was consented to and by whom - because disabling consent for the future does nothing about an app that was accepted last year.
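Locking down user consent and then inventorying the OAuth grants that already exist, as an added example that is not Precursor Security's tooling or part of the original guide. It assumes the Microsoft.Graph PowerShell module and an account permitted to edit the tenant authorization policy; the list of scopes treated as risky is an assumption.

```powershell
# Added example, not Precursor Security's tooling: disable user consent, then list existing
# delegated grants that hand over mailbox or file access. Requires Microsoft.Graph and an
# account permitted to edit the authorization policy. The risky-scope list is an assumption.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All'

# 1. "Do not allow user consent" = an empty permission-grant-policy list. To allow low-risk
#    permissions from verified publishers instead, assign 'ManagePermissionGrantsForSelf.microsoft-user-default-low'.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned   # should now be empty

# 2. Inventory existing delegated grants. ConsentType 'AllPrincipals' is a tenant-wide admin
#    consent; 'Principal' is a single user who clicked Accept (PrincipalId says who).
$riskyScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Contacts.Read', 'Contacts.ReadWrite', 'Directory.Read.All', 'Directory.AccessAsUser.All'
)
$spCache = @{}
$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $hits = ($grant.Scope -split ' ') | Where-Object { $_ -in $riskyScopes }
    if (-not $hits) { continue }
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp = $spCache[$grant.ClientId]
    [pscustomobject]@{
        App               = $sp.DisplayName
        AppId             = $sp.AppId
        VerifiedPublisher = $sp.VerifiedPublisher.DisplayName    # empty = unverified publisher, look harder
        ConsentType       = $grant.ConsentType
        ConsentedBy       = $grant.PrincipalId
        RiskyScopes       = ($hits -join ' ')
        GrantId           = $grant.Id
    }
}
$findings | Sort-Object VerifiedPublisher, App | Format-Table -AutoSize

# 3. Revoking a grant. The app can no longer redeem its refresh token for these scopes, but
#    access tokens already issued stay valid until they expire (about an hour), so for a
#    suspected malicious app also revoke the consenting user's sessions.
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $findings[0].GrantId
# Revoke-MgUserSignInSession -UserId $findings[0].ConsentedBy
```

Treat an unverified publisher holding Mail.ReadWrite or Files.ReadWrite.All by a single-user ('Principal') grant as the classic consent-phishing signature and investigate before revoking, since the grant record is also your evidence of what the attacker could read.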

How Do You Disable Email Auto-Forwarding in Microsoft 365?

Email auto-forwarding is a common technique used by attackers looking to stealthily exfiltrate data from a user's inbox. By configuring malicious forwarding rules on compromised 365 accounts an attacker can relay all emails to a third-party inbox that they control. In a more targeted approach, an adversary can choose to forward only emails containing specific keywords depending on their objectives, for example: "Password", "Invoice", "VPN", "Account Number" etc. Such rules are often given innocuous names, or hidden from the Outlook rules view, and they survive a password reset.

Ideally, email auto-forwarding to external domains should be disabled. However, legitimate business cases do exist for auto-forwarding email. A review should be conducted and the functionality restricted to the absolute minimum required to operate. Auto Forwarding should be closely monitored.

Two controls enforce this. First, in the Microsoft Defender portal set the default anti-spam outbound policy's Automatic forwarding option to Off, which covers both mailbox-level forwarding (ForwardingSmtpAddress) and inbox rules that forward or redirect to external recipients. Second, create a mail flow rule in the Exchange admin center under Mail flow > Rules with the conditions "The message type is Auto-forward" and "The recipient is located outside the organization", and the action Reject the message. Then hunt for forwarding that is already in place: neither control removes existing inbox rules or forwarding settings, it only stops them delivering, and a forwarding rule on a mailbox is itself evidence that the account may already be compromised.
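Both controls, followed by a hunt for forwarding that is already configured, as an added example that is not Precursor Security's tooling or part of the original guide. It assumes the ExchangeOnlineManagement module and an Exchange Administrator; the rule name and the keyword list are assumptions.

```powershell
# Added example, not Precursor Security's tooling: block external auto-forwarding at tenant
# level, add a mail flow rule as a second layer, then hunt for forwarding already in place.
# Requires ExchangeOnlineManagement and an Exchange Administrator. Rule name and keywords are assumptions.
Connect-ExchangeOnline

# 1. Outbound spam policy: covers mailbox-level forwarding and forwarding/redirecting inbox rules.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mail flow rule: rejects with an NDR, so the forward visibly fails rather than silently dropping.
New-TransportRule -Name 'Block automatic forwarding to external recipients' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 3. Hunt. Accepted domains are fetched so forwards to colleagues are not reported as external.
$internalDomains = (Get-AcceptedDomain).DomainName
function Test-External([string[]] $addresses) {
    foreach ($a in $addresses) {
        # Rule recipients render as "Display Name [SMTP:user@domain]" or a bare address; take the domain.
        if ($a -match '@([^\]>\s]+)') { if ($Matches[1] -notin $internalDomains) { return $true } }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 3a. Mailbox-level forwarding, set by an admin or through Outlook settings.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3b. Inbox rules that forward or redirect, with the keywords they trigger on.
#     One call per mailbox, so this is slow on large tenants; run it out of hours.
$keywordsOfInterest = 'password', 'invoice', 'vpn', 'account number', 'payment', 'bank'
foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) | Where-Object { $_ }
        if (-not $targets) { continue }
        $keywords = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
        $suspicious = $false
        foreach ($k in $keywords) {
            if ($keywordsOfInterest | Where-Object { $k -like "*$_*" }) { $suspicious = $true }
        }
        [pscustomobject]@{
            Mailbox    = $mbx.UserPrincipalName
            Rule       = $rule.Name
            Enabled    = $rule.Enabled
            External   = Test-External ($targets | ForEach-Object { "$_" })
            Targets    = ($targets -join '; ')
            Keywords   = ($keywords -join '; ')
            Suspicious = $suspicious
        }
    }
}
```

A rule that is External and Suspicious is an incident, not a configuration finding: preserve the rule (Get-InboxRule output and the unified audit log entries for New-InboxRule and Set-InboxRule) before removing it, reset the credentials, revoke sessions, and review what the rule has already forwarded.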

How Do You Maintain a Secure Microsoft 365 Configuration Over Time?

Changes to your Microsoft 365 configuration are an unavoidable component of normal day-to-day operations. Administrator turnover, new feature rollouts, third-party integrations, and evolving licence tiers all contribute to configuration drift - where individual settings quietly shift away from your intended secure baseline over time, introducing vulnerabilities that may go unnoticed for months.

To counter this, a regular configuration review should be conducted at least quarterly. The review should cover the eight core security categories most commonly affected by drift: authentication controls, audit logging, data storage permissions, email security settings, external sharing policies, Conditional Access policies, application consent grants, and external collaboration settings.

Microsoft Secure Score in the Microsoft Defender portal provides a continuous baseline measurement against Microsoft's recommended controls - use it as an ongoing indicator between formal reviews, not as a substitute for them. Secure Score tells you how far you are from Microsoft's recommendations; it does not tell you which of your own deliberate settings changed since last quarter, which is what a drift review is for.
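A minimal drift check for the settings this guide covers, as an added example that is not Precursor Security's tooling or part of the original guide: it snapshots the key values into a flat dictionary, saves the first run as the baseline, and on later runs reports every value that differs. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules with read access to Conditional Access, the authorization policy and the Exchange policies; the baseline file path and the choice of settings are assumptions (extend the snapshot with whatever else your baseline defines).

```powershell
# Added example, not Precursor Security's tooling: snapshot key settings and diff against a
# stored baseline. Requires Microsoft.Graph and ExchangeOnlineManagement (read access).
# The baseline path and the set of settings captured are assumptions.
Connect-MgGraph -Scopes 'Policy.Read.All'
Connect-ExchangeOnline

function Get-TenantBaselineSnapshot {
    $snap = [ordered]@{}

    foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        # State and the two fields that make an MFA or legacy-auth policy effective.
        $snap["CA:$($p.DisplayName):State"]          = $p.State
        $snap["CA:$($p.DisplayName):GrantControls"]  = ($p.GrantControls.BuiltInControls -join ',')
        $snap["CA:$($p.DisplayName):ClientAppTypes"] = ($p.Conditions.ClientAppTypes -join ',')
        $snap["CA:$($p.DisplayName):ExcludedUsers"]  = (($p.Conditions.Users.ExcludeUsers | Sort-Object) -join ',')
    }

    $authz = Get-MgPolicyAuthorizationPolicy
    $snap['Consent:UserConsentPolicies'] = ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ',')
    $snap['Consent:UsersCanRegisterApps'] = $authz.DefaultUserRolePermissions.AllowedToCreateApps

    $spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
    $snap['Exchange:AutoForwardingMode'] = $spam.AutoForwardingMode

    $mal = Get-MalwareFilterPolicy -Identity Default
    $snap['Exchange:CommonAttachmentFilter'] = $mal.EnableFileFilter
    $snap['Exchange:BlockedFileTypes']       = (($mal.FileTypes | Sort-Object) -join ',')

    $snap['Exchange:UnifiedAuditLog'] = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    return $snap
}

$baselinePath = '.\m365-baseline.json'   # assumption: keep this file in version control
$current = Get-TenantBaselineSnapshot

if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath with $($current.Count) settings."
} else {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    $drift = 0
    foreach ($key in $current.Keys) {
        # A key missing from the baseline (e.g. a brand-new CA policy) is reported as drift too.
        $old = $baseline.$key
        if ("$old" -ne "$($current[$key])") {
            Write-Warning "DRIFT $key : baseline='$old' now='$($current[$key])'"
            $drift++
        }
    }
    foreach ($key in $baseline.PSObject.Properties.Name) {
        if (-not $current.Contains($key)) { Write-Warning "REMOVED $key : baseline='$($baseline.$key)'"; $drift++ }
    }
    Write-Host "$drift setting(s) differ from baseline."
}
```

Run it on a schedule and treat every warning as a change-control question ("who approved this, and when?"), then either revert the setting or update the baseline file deliberately; a baseline that is rewritten automatically on every run detects nothing.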

How Precursor Security Can Help

Our Microsoft 365 Configuration Assessment reviews your tenancy against best practice configuration settings across the eight core categories above, ranging from Authentication and Auditing to Data Storage and Email Security.

Precursor Security are a UK based Cyber Security Consultancy specialising in Cloud Security for Microsoft 365, Microsoft Azure and AWS Cloud Computing environments. We use a mixture of Continuous Security Testing and Offensive Security and Penetration Testing techniques to ensure that your business stays safe in the cloud.

Implementing all seven steps will materially strengthen your Microsoft 365 security posture - but maintaining that posture requires ongoing vigilance. If you would like an independent assessment of your current configuration, contact Precursor Security to discuss a Microsoft 365 Configuration Assessment.


Where to Find These Settings in Microsoft 365

| Step | Setting | Admin centre location |
| --- | --- | --- |
| 1. Enable MFA | Conditional Access policy requiring MFA | Microsoft Entra admin center (Entra ID, formerly Azure Active Directory) > Protection > Conditional Access |
| 2. Disable legacy authentication | Conditional Access policy blocking legacy authentication clients | Microsoft Entra admin center > Protection > Conditional Access > New policy > Conditions > Client apps (Exchange ActiveSync clients, Other clients) |
| 3. Dedicated admin accounts | Role assignments | Microsoft 365 admin center > Users > Active users > Manage roles (or Microsoft Entra admin center > Roles & admins) |
| 4. Block malicious attachments | Anti-malware common attachment filter + mail flow rules | Microsoft Defender portal > Email & collaboration > Policies & rules > Threat policies > Anti-malware; Exchange admin center > Mail flow > Rules |
| 5. Restrict third-party apps | User consent settings | Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings |
| 6. Disable auto-forwarding | Outbound spam policy (Automatic forwarding: Off) + mail flow rule | Microsoft Defender portal > Email & collaboration > Policies & rules > Threat policies > Anti-spam > Anti-spam outbound policy; Exchange admin center > Mail flow > Rules |
| 7. Configuration reviews | Microsoft Secure Score | Microsoft Defender portal > Secure Score |

Frequently Asked Questions

What is the most important step to secure a Microsoft 365 environment? Enabling multi-factor authentication is the single highest-impact control. Microsoft's data shows that over 99% of daily identity attacks are password-based, and MFA stops a password alone from succeeding. If you can only implement one change, enable MFA via a Conditional Access policy in Microsoft Entra ID (formerly Azure Active Directory), or via Security Defaults if your tenant has no Entra ID P1 licence.

Why does disabling legacy authentication matter if MFA is already enabled? Legacy authentication clients, such as IMAP4 and POP3 clients using basic authentication, cannot complete an MFA challenge. If your Conditional Access policies do not explicitly cover or block those client types, a password alone is enough to sign in over those protocols, so the MFA policy gives no protection there; an organisation can have a fully enforced MFA policy for browsers and modern clients and still be exposed. Microsoft's own Entra documentation confirms that more than 97% of credential stuffing attacks and more than 99% of password spray attacks exploit legacy authentication protocols.

How often should we review our Microsoft 365 security configuration? A formal configuration review against a secure baseline should be conducted at least quarterly. Between reviews, Microsoft Secure Score in the Microsoft 365 Defender portal provides a continuous measurement of your posture against recommended controls. Configuration drift - caused by admin changes, new feature rollouts, and third-party integrations - is a persistent risk that makes regular review essential rather than optional.

What is configuration drift and why does it matter for Microsoft 365? Configuration drift occurs when individual security settings shift away from your intended baseline over time, often without anyone explicitly making a security decision. In Microsoft 365, this happens through routine admin activity, new feature defaults, licence upgrades, and third-party app permissions accumulating. Left unchecked, it introduces vulnerabilities that may not be detected until a breach occurs.

Which Microsoft 365 security framework should we align to? The CIS Microsoft 365 Foundations Benchmark v6.0.1 is the most widely adopted baseline for Microsoft 365 hardening. It classifies controls as Level 1 (essential for all organisations) and Level 2 (additional controls for high-security environments). For organisations in regulated sectors, NIST SP 800-53 Rev 5 provides a broader information security control framework that maps well to Microsoft 365 controls, particularly AC-6 (Least Privilege) and IA-2 (Identification and Authentication).

Expert Guidance

Put this guide into practice

Our CREST-certified penetration testers can validate your configuration, identify gaps, and provide an independent audit report.