5 critical data security challenges in Microsoft 365

Subha Rama, Sr. Product Marketing Manager, SaaS Apps

I woke up this morning to yet another Microsoft 365-focused research report that said 85 percent of organizations using the SaaS productivity and collaboration platform suffered a data breach in the last year — this time related to a leak in email data.¹ Yet, I know for a fact that a number of customers are dumping their secure email gateway (SEG) investments to settle for the advanced native threat protection tools that come with their E5 subscriptions. 

There have been arguments from both sides of the aisle for and against settling for Microsoft’s advanced threat protection features, now named Microsoft 365 Defender. A Microsoft partner admitted that this trend is on the increase and customers are consolidating their security stack, especially for email, which is responsible for about 90 percent of the cybersecurity attacks organizations face today. There are really two reasons why this is happening. One, customers want to optimize costs because of the pandemic, with some cutting down personnel across key functions, including SecOps and IT. Two, they are willing to settle for a “good enough” solution — that is, until they suffer a data breach.

In the first of this two-part series, we will discuss the data protection challenges using native Microsoft 365 tools, and follow up in part two with what a true cloud backup solution can deliver to mitigate the risks.

How secure is secure?

Microsoft offers a broad set of standardized security services for Microsoft 365, especially Exchange Online. However, Exchange Online Protection, which is the building block of Exchange Online’s security, is largely a legacy, rule-based system that functions like a secure email gateway (SEG). It is somewhat effective against known attack signatures, especially broad-based attacks such as spam, graymail, and bulk phishing. For detecting domain impersonations, Microsoft relies on traditional domain authentication tools like DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework).

But then, there is a new variety of attacks that use social engineering techniques to compromise legitimate user accounts and then use these accounts to carry out acts of financial fraud and/or gain access to sensitive data. Microsoft 365 native security controls have had little success in detecting these net new, zero-day attacks, as well as malware delivered through password-protected or encrypted files.

Microsoft also has very little protection against insider attacks that aim to exfiltrate, alter, or destroy Microsoft 365 data. It is worthwhile to look at some of these critical security challenges to understand their implications and what can be done to protect your data, especially since there has been an increase in the number of targeted campaigns.

[Figure: Druva M365 security. Source: Aberdeen Research for Egress Software]

More importantly, let us remember that under the shared responsibility model, Microsoft offers no guaranteed SLAs, and security is dependent on Microsoft’s own analysis and prioritization. 

1. Advanced social engineering threats

In late 2020, Microsoft issued a warning about an ongoing phishing campaign targeting its Microsoft 365 users. Microsoft provides anti-phishing and Mailbox Intelligence that focuses on three things: protect, detect, and respond. But the first stage is really dependent on reputation lists and policies. At the mail-flow protection stage, all emails must pass authentication, which includes explicit and anti-spoof frameworks such as SPF, DMARC, and DKIM.

However, more than 80 percent of phishing attacks bypass these authentication systems because phishers themselves use DMARC. They can create lookalike domains, or just take over a legitimate customer or supplier email to target your company. This means the phishing email is originating from a legitimate domain and will pass DMARC authentication. Also, remember that implementing DMARC/DKIM/SPF correctly is a big challenge, even for large organizations. Only 20 percent of Fortune 500 companies have implemented DMARC authentication so far. In such a scenario, what happens to your data in case of a breach from advanced social engineering campaigns?
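The point above, as an added example that is not part of the original post or any Microsoft tooling: a message from a lookalike domain carries a genuine `dmarc=pass`, so a defender has to compare the authenticated domain against the domains the business actually deals with. The domain list, the edit-distance threshold of 2, and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization really trades with (constructed values).
KNOWN_DOMAINS = ("supplier.example", "partner.example")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_verdict(msg):
    """Read dmarc=<result> from Authentication-Results (trust only your own MTA's header)."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def classify(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if dmarc_verdict(msg) != "pass":
        return "unauthenticated"
    if domain in KNOWN_DOMAINS:
        # DMARC cannot tell a taken-over mailbox from its owner; needs other signals.
        return "known-domain"
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) <= 2:
            return "lookalike-of:" + known
    return "unknown-domain"

def sample(from_addr):
    """Build a constructed message whose sending domain publishes valid SPF/DKIM/DMARC."""
    d = from_addr.rpartition("@")[2]
    return (f"Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom={d};"
            f" dkim=pass header.d={d}; dmarc=pass header.from={d}\n"
            f"From: Accounts Payable <{from_addr}>\nSubject: Updated bank details\n\nHi\n")

if __name__ == "__main__":
    for addr in ("ap@supplier.example", "ap@suppl1er.example", "ap@other.example"):
        print(addr, "->", classify(sample(addr)))
```

All three sample messages authenticate identically; only the comparison against the known-domain list separates the real supplier from its one-character lookalike.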

2. Ransomware

In April this year, researchers at Cofense said that attackers were running a spear phishing campaign using a SharePoint document that contained a malicious link to ransomware code. As the attack slipped through Microsoft’s SEG defenses, it demonstrated that ransomware attacks can easily bypass the detection mechanisms of SEGs. According to Vectra AI research, 56 percent of Microsoft 365 customers sampled exhibited suspicious activity in their environment typical of reconnaissance and data exfiltration malware.² Whether these attacks were specifically targeted at Microsoft 365 or some other system is a moot point. Even if it is your SQL server that gets impacted, there is no guarantee that lateral movement of the malware will not happen — especially if customers use OneDrive file sync to move data back and forth between their physical infrastructure and the cloud. Once this happens, how do you recover valuable data?

3. Brute force password attacks

To be fair, Microsoft offers multi-factor authentication to protect users and accounts in its cloud environment. Despite this, and also because many organizations do not enable this feature, attacks exploiting user credentials are a widely reported security issue with customers. Brute force and password stuffing attacks are less sophisticated than social engineering attacks such as executive spoofing but they can still be very effective. Microsoft 365 is a popular target among attackers exploiting three key features, one of them being OAuth (the other two are Power Automate and eDiscovery).

4. Insider threats

Data loss prevention (DLP) is an add-on feature to most Microsoft 365 licenses with the exception of the most expensive tier, E5. Customers can buy this as part of the Advanced Compliance Center. There are features to identify sensitive information across many locations: Exchange Online, SharePoint Online, OneDrive for Business, and Teams. DLP within Microsoft 365 is mostly based on policies and Microsoft Information Protection (MIP). These can also block the egress of sensitive data from the organization, or encrypt it before it is sent, depending on rules the organization establishes. But policy enforcements and the high percentage of false positives can really hinder user experience and productivity. Also, there is no way to identify anomalous behavior (or change in employee behavior) to predict risk. If data gets altered or permanently deleted by disgruntled employees or rogue admins, there is little recourse for recovering it if you don’t have a third-party data backup solution.

5. Accidental data loss

This is probably the most under-reported data loss event across organizations globally. However, this doesn’t mean the risk does not exist. According to the Verizon Data Breach Investigations Report, 85 percent of data breaches involve a human element.³ If an employee accidentally deletes critical data or even an entire SharePoint site, how do you ensure data recovery? Outlook allows an end user to recover individual mails for a theoretically unlimited amount of time (depending on admin thresholds), and 14 days from the recoverable items folder — or you can put a litigation hold on sensitive files to prevent deletion. But for bulk deletions such as SharePoint sites, the recovery has to be admin-driven, which is a very complex process.

Key takeaways

To sum up, there are really only two ways to ensure your data is safe on Microsoft 365. The first is to settle for native data protection features and embrace complexity, suffer unlimited data sprawl (never delete anything, keep multiple versions of data), and face unpredictable costs. The second is to invest in a simple third-party data backup solution that not only consolidates management across multiple workloads and cloud applications, but also ensures speed, performance, low and predictable costs, and peace of mind.

Now that we have defined the problem, let us focus on how to solve this, with:

  • Multi-layered data security that protects your data in motion and at rest
  • Immutable cloud backup to ensure that data is not tampered with or altered
  • Advanced automation to reduce the risks with manual data backup configurations
  • A single pane of glass for centralized visibility and management of all your data across multiple applications, users, and locations
  • Flexible and granular recovery
  • A simple, secure platform that future-proofs data security

Download “The Gorilla Guide to Comprehensive Microsoft 365 Backup” by ActualTechMedia, to learn more, and read part two in this blog series, “How to fill in the gaps for Microsoft 365 data protection,” to further explore the complexities of cloud data protection for Microsoft 365.


¹Egress, “Outbound email: Microsoft 365’s security blind spot,” May 11, 2021.

²Vectra, “What We Saw in 90 days from 4 Million Microsoft Office 365 Accounts,” October 13, 2020.

³Verizon, “Verizon 2021 Data Breach Investigations Report,” May 13, 2021.