Why Hackers Love Microsoft 365
- Patrick Albert
- Sep 20
Updated: Sep 22
And what every MSP should know before their clients get hit

Microsoft 365 is the crown jewel for attackers
Microsoft 365 has become the backbone of modern business. For small and mid-sized organizations, it powers everything from email and file storage to authentication, collaboration, and business continuity.
That also makes it one of the most targeted platforms on the internet. Compromising a Microsoft 365 account can mean access to sensitive data, client communications, financial records, and administrative controls. It is a one-stop shop for attackers.
Did you know? Over 345 million people use Microsoft 365 globally, and nearly 90 percent of cyberattacks begin with email or identity compromise. (Source: Microsoft Security Blog)
Most tenants are still exposed
Despite Microsoft 365’s importance, many environments are dangerously undersecured. Default settings are often left unchanged, and critical protections are either misconfigured or completely missing.
Here are just a few of the most common exposures we still see in the field:
- Legacy authentication is still enabled, allowing attackers to bypass MFA entirely
- Admin accounts lack MFA, even when those accounts can reset passwords, change permissions, or access sensitive data
- Audit logging is turned off, which means no trail to follow after an incident
- External sharing is unrestricted, making it easy for data to leak out without anyone noticing
- Auto-forwarding rules silently send emails to attacker-controlled mailboxes, often used in BEC scams
These risks are rarely intentional. They happen because M365 tenants are complex and constantly evolving. But when something goes wrong, your clients won’t care if it was a default setting or a missed checkbox. They will care that a breach occurred and that it could have been prevented.
Now’s the time to ask: Do your clients still allow basic auth? Do they have MFA on every privileged account? Are audit logs turned on in case you need to look into something?
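One way to check for the auto-forwarding exposure listed above, shown as an added example (not code from this post, CISA, or ScubaGear). The function names `Get-SmtpDomain` and `Find-ExternalForwarding` are hypothetical, the sample data is constructed, and the input objects are assumed to carry the same properties as Exchange Online `Get-Mailbox` and `Get-InboxRule` output.

```powershell
function Get-SmtpDomain {
    param([string]$Recipient)
    # Rule targets look like '"Name" [SMTP:user@domain]'; mailbox forwarding
    # looks like 'smtp:user@domain'. Internal '[EX:/o=...]' targets yield $null.
    if ($Recipient -match 'smtp:[^@\s\]]+@([^\]\s>]+)') { return $Matches[1].ToLower() }
    return $null
}

function Find-ExternalForwarding {
    param([object[]]$Mailboxes, [object[]]$InboxRules, [string[]]$AcceptedDomains)
    foreach ($mbx in $Mailboxes) {
        $domain = Get-SmtpDomain $mbx.ForwardingSmtpAddress
        # Exact, case-insensitive match against the tenant's accepted domains.
        if ($domain -and $AcceptedDomains -notcontains $domain) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                               Rule = $null; Enabled = $true; Target = $mbx.ForwardingSmtpAddress }
        }
    }
    foreach ($rule in $InboxRules) {
        # A rule can forward, forward as attachment, or redirect; check all three.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            $domain = Get-SmtpDomain $t
            if ($domain -and $AcceptedDomains -notcontains $domain) {
                # Disabled rules are reported too: they can be re-enabled later.
                [pscustomobject]@{ Mailbox = $rule.MailboxOwnerId; Source = 'InboxRule'
                                   Rule = $rule.Name; Enabled = $rule.Enabled; Target = $t }
            }
        }
    }
}

# Constructed sample data. With a live Exchange Online session, feed in
# Get-Mailbox -ResultSize Unlimited, Get-InboxRule -Mailbox <upn>, and
# (Get-AcceptedDomain).DomainName instead.
$mailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'cfo@contoso.example'; ForwardingSmtpAddress = 'smtp:copy@mailbox-copy.example' }
    [pscustomobject]@{ UserPrincipalName = 'hr@contoso.example';  ForwardingSmtpAddress = $null }
)
$rules = @(
    [pscustomobject]@{ MailboxOwnerId = 'ap@contoso.example'; Name = '.'; Enabled = $true
                       ForwardTo = @('"inv" [SMTP:inv@lookalike-vendor.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'it@contoso.example'; Name = 'To helpdesk'; Enabled = $true
                       ForwardTo = @('"Helpdesk" [EX:/o=ExchangeLabs/cn=Recipients/cn=helpdesk]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
Find-ExternalForwarding -Mailboxes $mailboxes -InboxRules $rules -AcceptedDomains 'contoso.example' | Format-Table
```

On the sample data this reports the `cfo` mailbox forward and the `ap` inbox rule, and ignores the internal helpdesk rule. Forwarding set through `ForwardingAddress` to a mail contact is not covered here.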
This is hard to scale
For MSPs, auditing Microsoft 365 environments is time-consuming and inconsistent. Each tenant is unique, tools are fragmented, and recommendations often vary by license level or personal opinion.
Microsoft Secure Score offers some visibility, but it blends security advice with usability and sales priorities. Many MSPs are left guessing what "good enough" really looks like.
What defines secure?
This is the core challenge. What do you measure your clients against? What configuration is good, what is risky, and what is overkill?
Secure Score gives you a number, but not always a clear standard and often feels like an upsell to another license. CIS Benchmarks are helpful, but often feel abstract or too generic.
MSPs need something actionable. Something credible. Something that is based on how real attacks happen, not just what licenses are available.
A real baseline has finally arrived
The Cybersecurity and Infrastructure Security Agency (CISA) released something MSPs have needed for years: a tactical, credible security baseline for Microsoft 365.
It is called ScubaGear. And it is not a whitepaper.
ScubaGear is a set of tactical, specific configuration checks built to help public and private organizations secure their Microsoft 365 tenants against real-world threats. It includes:
- A detailed configuration checklist
- A scoring system from 0 to 100
- A free PowerShell script to run assessments
- JSON output you can integrate or report on
This isn’t theoretical guidance - it’s field-tested, operational, and aligned with national cloud security expectations. CISA doesn’t sell software. They build frameworks based on how attackers work, not what vendors want to sell.
For MSPs, ScubaGear is the clearest standard yet to assess risk, align with regulators, and drive remediation efforts with real authority.
Up next: breaking down the ScubaGear baseline
In our next post, we will walk through what ScubaGear actually checks, how to run it yourself, and how you can use those findings to protect your clients.
We will also show how ThreatMate helps MSPs take this from a one-time assessment to an ongoing service that runs across all tenants, tracks drift, and keeps configurations aligned with CISA’s guidance.
If you manage Microsoft 365 tenants, this is something worth your time. Schedule a free Security Baseline for your Microsoft 365 tenants.