Microsoft 365 Identity
Status: Final
Microsoft 365 is among the most heavily targeted platforms for identity attacks. Its combination of email (Exchange Online), collaboration (Teams, SharePoint) and identity (Entra ID) makes it the primary target for business email compromise (BEC), phishing and cloud identity compromise.
M365 Identity Architecture
Entra ID (identity plane)
↓
Microsoft 365 Apps (service plane):
├── Exchange Online (email)
├── Teams (messaging/video)
├── SharePoint Online (documents)
├── OneDrive (personal files)
├── Power Platform (automation)
└── Microsoft 365 Defender (security)
Authentication for every M365 service flows through Entra ID, so the tenant's identity security posture is set by Entra ID configuration (Conditional Access, MFA, device and application policies), not by the individual workloads.
Authentication Flows
| Scenario | Protocol | MFA |
|---|---|---|
| Browser sign-in | OpenID Connect / OAuth 2.0 | Enforced if a Conditional Access (CA) policy requires it |
| Mobile/desktop app (modern auth) | MSAL / OAuth 2.0 | Enforced if a CA policy requires it |
| Legacy mail client | Basic Auth over IMAP/POP3/SMTP AUTH | Cannot complete MFA; blocked only if a CA policy targets legacy authentication clients or Basic Auth is disabled (Exchange Online has retired Basic Auth for IMAP/POP3/EWS/EAS; SMTP AUTH is controlled per tenant and per mailbox) |
| Outlook (legacy profile) | EWS / Autodiscover / RPC over HTTP | Depends on whether the profile negotiates modern auth; a Basic Auth profile cannot do MFA |
| Windows device (SSO) | Primary Refresh Token (PRT) for Entra joined / hybrid joined devices; Kerberos only for on-premises AD | Satisfied at device sign-in (e.g. Windows Hello for Business) and carried as an MFA claim in the PRT; device-based CA applies |
| Application-to-M365 | OAuth 2.0 client credentials | No MFA (a secret or certificate authenticates the app); CA for workload identities is a separate feature |
High-Value Attack Targets in M365
| Target | What the Attacker Gets |
|---|---|
| Global Administrator | Complete Entra ID and M365 tenant control |
| Exchange Administrator | Mailbox permissions (FullAccess), mailbox-level forwarding, transport rules, mail flow settings |
| SharePoint Administrator | All SharePoint sites and OneDrive content |
| Exchange mailboxes | Email content, calendar, contacts, BEC enablement |
| Teams channels | Sensitive conversations, shared files, meeting recordings |
| Power Automate flows | Can be weaponized to exfiltrate data or pivot |
| Privileged Entra ID roles | See Entra ID PIM |
Common Attack Techniques in M365
| Attack | Description |
|---|---|
| AiTM phishing | A reverse proxy relays the real Entra ID login page and captures the session cookie after MFA completes; the cookie is then replayed from the attacker's machine |
| Legacy auth | Basic Auth over IMAP/POP3/SMTP AUTH cannot perform MFA; a password alone suffices unless CA blocks legacy clients or Basic Auth is disabled |
| Illicit consent grant | The user is phished into consenting to a malicious OAuth app that requests mail/file permissions; access persists through the app's tokens without the password |
| BEC inbox rules | Rules forward invoice traffic, hide replies and delete alerts so the fraud runs unnoticed |
| eDiscovery abuse | An eDiscovery Manager (or anyone holding the Compliance Search and Export roles) can search and export every mailbox; a role-management admin can add a compromised account to that role group |
| Power Automate exfil | Flows created under a compromised user copy mail or SharePoint/OneDrive files to an external connector or HTTP action on a schedule |
| Teams phishing | Malicious links or files sent over Teams to internal users, who trust it more than email |
| Teams external access abuse | Teams external access (federation) is open to all domains by default, so any external tenant can message internal users directly |
Exchange-Specific Attacks
Malicious Inbox Rules (Post-Compromise)
After account compromise, attackers create inbox rules to:
- Forward or redirect all (or keyword-matched) email to an external address
- Delete security alerts and password-reset notices before the user sees them
- Move replies from targeted correspondents into folders the user never opens (RSS Feeds, Conversation History, Archive)
- Mark fraud-related emails (invoice, wire, payment) as read or delete them
Rules are typically given blank or single-character names so they go unnoticed in the Outlook rule list.
```powershell
# Detection: inbox rules that forward or redirect (Microsoft Graph PowerShell; needs the MailboxSettings.Read scope).
# Message rules live under the inbox folder, so -MailFolderId is required.
Get-MgUserMailFolderMessageRule -UserId user@domain.com -MailFolderId inbox |
    Where-Object { $_.Actions.ForwardTo -or $_.Actions.ForwardAsAttachmentTo -or $_.Actions.RedirectTo }
```
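The one-liner above checks a single mailbox for forwarding. The following is an added example, not code from the original page: it classifies an inbox rule against all of the post-compromise patterns listed above (external forwarding, deletion, hiding in unused folders, BEC keyword filters, blank names) and then sweeps every mailbox with Exchange Online PowerShell. The rule objects and domains in the block are constructed sample data; the live sweep assumes the ExchangeOnlineManagement module and a connected session.

```powershell
# Added example (not from the original page). Sample rules and domains below are constructed.

function Get-RuleSmtpAddresses {
    # Get-InboxRule renders recipients as '"Display Name" [SMTP:user@example.com]';
    # return the bare, lower-cased SMTP address for each entry.
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        $text = "$r"
        if ($text -match 'SMTP:([^\]\s]+)')       { $Matches[1].ToLower() }
        elseif ($text -match '^[^@\s]+@[^@\s]+$') { $text.ToLower() }
    }
}

function Test-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory)][object]$Rule,              # Get-InboxRule output (or a lookalike object)
        [Parameter(Mandatory)][string[]]$AcceptedDomains  # the tenant's own SMTP domains
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Forward / redirect to an address outside the tenant
    $recipients = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($addr in @(Get-RuleSmtpAddresses -Recipients $recipients)) {
        if ($AcceptedDomains -notcontains $addr.Split('@')[-1]) { $reasons.Add("forwards to external $addr") }
    }

    # 2. Delete, or move into folders the user never opens
    if ($Rule.DeleteMessage) { $reasons.Add('deletes matching messages') }
    if ("$($Rule.MoveToFolder)" -match 'RSS Feeds|Deleted Items|Junk|Archive|Conversation History') {
        $reasons.Add("moves to $($Rule.MoveToFolder)")
    }

    # 3. Keyword conditions typical of BEC (payment traffic or security warnings)
    $keywords = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords) |
        Where-Object { $_ }
    if (($keywords -join ' ') -match 'invoice|payment|wire|bank|password|security|phish|hacked|suspicious') {
        $reasons.Add("filters on '$($keywords -join ', ')'")
    }

    # 4. Cosmetics used to hide the rule: mark-as-read on an already suspicious rule, blank or dot-only names
    if ($Rule.MarkAsRead -and $reasons.Count -gt 0) { $reasons.Add('marks as read') }
    if ("$($Rule.Name)" -match '^[\s.]*$') { $reasons.Add('blank or dot-only rule name') }

    [pscustomobject]@{
        Rule       = $Rule.Name
        Enabled    = [bool]$Rule.Enabled
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

# Constructed sample: one BEC-style rule and one benign rule
$accepted = @('contoso.com', 'contoso.onmicrosoft.com')
$sampleRules = @(
    [pscustomobject]@{
        Name = '.'; Enabled = $true; MarkAsRead = $true; DeleteMessage = $false; MoveToFolder = $null
        ForwardTo = @('"Finance Backup" [SMTP:fin-backup@mail-relay.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null
        SubjectContainsWords = @('invoice', 'wire'); BodyContainsWords = $null; SubjectOrBodyContainsWords = $null
    },
    [pscustomobject]@{
        Name = 'Newsletters'; Enabled = $true; MarkAsRead = $false; DeleteMessage = $false
        MoveToFolder = 'alice@contoso.com:\Newsletters'; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null
        SubjectContainsWords = @('newsletter'); BodyContainsWords = $null; SubjectOrBodyContainsWords = $null
    }
)
$sampleRules | ForEach-Object { Test-SuspiciousInboxRule -Rule $_ -AcceptedDomains $accepted } | Format-Table -AutoSize

# Live sweep (Connect-ExchangeOnline first; Get-InboxRule runs per mailbox, so this is slow on large tenants):
# $accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }
# Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
#     $mbx = $_.UserPrincipalName
#     Get-InboxRule -Mailbox $mbx | ForEach-Object {
#         Test-SuspiciousInboxRule -Rule $_ -AcceptedDomains $accepted |
#             Add-Member -NotePropertyName Mailbox -NotePropertyValue $mbx -PassThru
#     }
# } | Where-Object Suspicious
```

The first sample rule is flagged for four reasons (external forward, invoice/wire keyword filter, mark-as-read, dot-only name); the second is not flagged at all. Treat each reason as a signal rather than a verdict: a legitimate forward to a personal address is common, but a forward combined with a keyword filter and a hidden name is almost always post-compromise.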
eDiscovery for Mass Email Export
```powershell
# An eDiscovery Manager (or anyone holding the Compliance Search and Export roles) can export ALL mailbox content.
# The mailbox owner is not notified, and nothing re-challenges MFA: the action is gated only by the
# sign-in CA policy and role-group membership. Security & Compliance PowerShell (Connect-IPPSSession):
New-ComplianceSearch -Name "Exfil" -ContentMatchQuery '*' -ExchangeLocation All
Start-ComplianceSearch -Identity "Exfil"
# → Export results from the Microsoft Purview compliance portal, or: New-ComplianceSearchAction -SearchName "Exfil" -Export
```
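Because the export is silent, the preventive control is knowing exactly who holds the search and export roles. The following is an added example, not code from the original page: it walks Security & Compliance role groups, keeps those that grant a search or export role, and diffs their members against an approved list. The role-group objects in the block are constructed sample data and the approved list is a placeholder; the live walk assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and assumes Get-RoleGroupMember output exposes PrimarySmtpAddress.

```powershell
# Added example (not from the original page). Sample role groups and the approved list are constructed.

# Purview roles that, alone or combined, let a holder run compliance searches and export results.
$searchRoles = @('Compliance Search', 'Export', 'Case Management', 'Preview', 'Review')

function Find-UnexpectedSearchRoleHolders {
    param(
        [Parameter(Mandatory)][object[]]$RoleGroups,    # objects with Name, Roles (string[]), Members (string[])
        [Parameter(Mandatory)][string[]]$ApprovedUsers  # SMTP addresses allowed to hold search/export roles
    )
    foreach ($rg in $RoleGroups) {
        $granted = @($rg.Roles | Where-Object { $searchRoles -contains $_ })
        if ($granted.Count -eq 0) { continue }           # role group cannot search or export; ignore
        foreach ($member in $rg.Members) {
            [pscustomobject]@{
                RoleGroup = $rg.Name
                Member    = $member
                Roles     = $granted -join ', '
                Approved  = $ApprovedUsers -contains $member
            }
        }
    }
}

# Constructed sample of what a walk of the tenant might return
$sampleGroups = @(
    [pscustomobject]@{ Name = 'eDiscovery Manager'; Roles = @('Case Management', 'Compliance Search', 'Export', 'Hold', 'Preview', 'Review')
                       Members = @('legal.ops@contoso.com', 'svc-backup@contoso.com') },
    [pscustomobject]@{ Name = 'Organization Management'; Roles = @('Audit Logs', 'Role Management', 'Compliance Search')
                       Members = @('ga.admin@contoso.com') },
    [pscustomobject]@{ Name = 'Security Reader'; Roles = @('Security Reader', 'View-Only Audit Logs')
                       Members = @('soc.analyst@contoso.com') }
)
$approved = @('legal.ops@contoso.com', 'ga.admin@contoso.com')   # placeholder allow-list

Find-UnexpectedSearchRoleHolders -RoleGroups $sampleGroups -ApprovedUsers $approved |
    Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Live walk (Connect-IPPSSession first). Assumes member objects expose PrimarySmtpAddress.
# $liveGroups = Get-RoleGroup | ForEach-Object {
#     [pscustomobject]@{ Name = $_.Name; Roles = @($_.Roles)
#                        Members = @(Get-RoleGroupMember -Identity $_.Name | ForEach-Object { "$($_.PrimarySmtpAddress)" }) }
# }
# Find-UnexpectedSearchRoleHolders -RoleGroups $liveGroups -ApprovedUsers $approved | Where-Object { -not $_.Approved }
```

On the sample data the only unapproved holder is the service account in eDiscovery Manager. Run the live walk on a schedule and alert on any new row; a service account or recently created user appearing in a search-capable role group is the precursor to the silent export shown above.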
Detection
Entra Sign-In Logs
```kusto
// Successful sign-ins over legacy authentication protocols (these cannot have satisfied MFA)
SigninLogs
| where ClientAppUsed in ("IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services", "Other clients")
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, ClientAppUsed, IPAddress, LocationDetails, UserAgent
```
Exchange Online Audit
```kusto
// Inbox rules and mailbox-level forwarding created from PowerShell or Outlook on the web
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage", "ForwardingSmtpAddress", "ForwardingAddress")
| project TimeGenerated, UserId, Operation, Parameters, ClientIP
```

```kusto
// Compliance searches, exports or case holds started by someone outside the known eDiscovery team
OfficeActivity
| where Operation in ("New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction", "New-CaseHoldPolicy")
| where UserId !in ("<known-ediscovery-admins>")
| project TimeGenerated, UserId, Operation, Parameters
```
Teams Security
```kusto
// Guest (#EXT#) accounts posting links in Teams chats. Federated (external access) senders carry their
// home-tenant UPN instead, so also keep any sender whose UPN is not in one of your own domains.
OfficeActivity
| where RecordType == "MicrosoftTeams"
| where Operation == "MessageCreatedHasLink"
| where UserId has "#EXT#" or not(UserId endswith "@<your-domain>")
| project TimeGenerated, UserId, ChatName, MessageURLs
```
Key Mitigations
| Control | Priority |
|---|---|
| Block legacy authentication (CA policy) | Critical |
| Require MFA for all users via CA | Critical |
| Require compliant device for M365 access | High |
| Entra ID Identity Protection → Risk-based CA | High |
| Disable external email forwarding (anti-spam policy) | High |
| Restrict Teams external access (federation) to an allow-list of domains; disable guest access if not needed | Medium |
| Enable Microsoft Defender for Office 365 | High |
| Monitor eDiscovery role assignments | High |
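The two Critical controls in the table are Conditional Access policies. The following is an added example, not code from the original page: it creates both with the Microsoft Graph PowerShell SDK in report-only mode, excludes an emergency-access group, and then lists the enabled policies so the legacy-client coverage can be checked. It assumes the Microsoft.Graph.Identity.SignIns module and an account allowed to consent to the listed scopes; the break-glass group ID and policy names are placeholders.

```powershell
# Added example (not from the original page). Group ID and policy names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account group

# Policy 1: block legacy authentication clients. They cannot complete MFA, so the only safe grant is 'block'.
$blockLegacy = @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')  # 'other' covers IMAP/POP3/SMTP AUTH and legacy Office clients
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for all users on modern clients (browser and MSAL-based apps).
$requireMfa = @{
    displayName   = 'CA002 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($p in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}

# Review: list enabled policies with their client-app scope and grant, to confirm that some enabled
# policy blocks 'exchangeActiveSync' and 'other'. A tenant where only MFA policies are enabled still
# admits Basic Auth sign-ins.
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' } |
    Select-Object DisplayName,
                  @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } },
                  @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Keep both policies in report-only mode until the sign-in log shows no legitimate traffic being caught (the legacy-auth KQL query in the Detection section is the same check), then set `state` to `enabled`. The emergency-access exclusion is deliberate: those accounts are protected by a separate monitoring rule, not by being subject to every policy.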
Cross-Links
| Topic | Link |
|---|---|
| AiTM Phishing | aitm-phishing |
| Illicit Consent Grant | illicit-consent-grant |
| Conditional Access | conditional-access |
| Entra PIM | pim |
| ITDR Vendors | itdr-vendor-landscape |