Cloud Security

How to Secure Microsoft 365 Against Modern Attacks (2026)

Peyush Baranwal
May 18, 2026
11 min read

How to secure Microsoft 365 against modern attacks — AiTM phishing, token theft, OAuth abuse — with technical controls, KQL detections and a 2026 baseline.

TL;DR Key Takeaways
  • Standard MFA is bypassed by AiTM kits in 2026 — upgrade to FIDO2 / passkeys for admins
  • Build a 10-policy Conditional Access baseline, not single policies
  • Enable Continuous Access Evaluation + Token Protection to kill token-replay attacks
  • No standing admin permissions — PIM with JIT activation is non-negotiable
  • Monitor with KQL; five detections in this guide cover 80% of M365 attack patterns

Microsoft 365 is the single highest-value attack surface in most enterprises. Identity, mail, files, Teams chats, OneDrive, SharePoint and the Graph API that ties them together all live behind one Entra ID tenant. Compromise the tenant and the attacker compromises the company. In 2026, modern attackers steal post-authentication tokens, abuse OAuth consent, and bypass MFA wholesale with Adversary-in-the-Middle kits sold as a service.

This is the technical playbook for hardening Microsoft 365. Every control ties to a real Microsoft feature, a real Conditional Access policy, or a real KQL detection. The order matters: identity first, email second, data third, monitoring fourth.

  • 12+ AiTM kits active in 2026
  • 7 control domains in this guide
  • FIDO2: phishing-resistant MFA
  • 1 yr audit log retention target

The Modern Microsoft 365 Attack Chain

Modern M365 intrusions follow a recognisable pattern. Map the chain to place controls at the right stage.

1. Initial Access: AiTM phishing email or QR-code phishing pointing at a reverse-proxy kit — Evilginx, Tycoon 2FA, EvilProxy, or Storm-1167.
2. Token Theft: the kit relays credentials AND captures the session cookie / Primary Refresh Token, fully bypassing standard MFA.
3. Persistence: the attacker registers a new authenticator, adds a service-principal credential, or creates a hidden mailbox rule.
4. Discovery: Graph API calls enumerate the directory, dump distribution lists, and search inboxes for "invoice", "RBI", "wire".
5. Privilege Escalation: illicit consent grant via a malicious OAuth app, abuse of overprivileged service principals, or delegated-permission impersonation.
6. Action on Objective: BEC payment redirect, mass exfiltration to personal OneDrive, ransomware staging via SharePoint sync, or a downstream SaaS attack.

Top Attack Patterns in 2025–2026

Mapping each pattern to its primary defence closes the gap between threat intelligence and engineering action.

Attack Pattern | How It Works | Primary Defence
AiTM phishing | Reverse-proxy kit relays creds + steals session cookie | FIDO2 MFA + Token Protection
Token replay | Stolen token reused from attacker infra to access mail/files | Continuous Access Evaluation + risk policies
Illicit consent grant | User tricked into approving malicious OAuth app | Disable user consent; admin-consent workflow
Device-code phishing | Attacker sends valid device-code URL out-of-band | Block device code flow via Conditional Access
SP credential abuse | Attacker adds new client secret to a privileged SP | CA for workload identities + PIM for SPs
Mailbox forwarding rule | Hidden rule auto-forwards mail externally | Anti-phishing policy + mailbox audit alert
MFA fatigue | Attacker spams MFA approvals until user accepts | Authenticator number matching + context
Legacy auth abuse | IMAP/POP/SMTP basic auth bypasses CA | Block legacy auth tenant-wide via CA
Password spray | Low-and-slow attempts across many accounts | Smart Lockout + sign-in risk + CA policy
OAuth app data exfil | Granted app uses Graph permissions to pull mail/files | App governance + Defender for Cloud Apps
Layer 1 — Identity Hardening (Highest Leverage)

More than 80% of M365 incidents Adayptus investigates start at the identity layer. Fix this layer first.

1.1 Phishing-Resistant MFA

Standard MFA (SMS, push, TOTP) is defeated by AiTM kits in seconds. Move admins and high-risk users to FIDO2 keys, Windows Hello for Business, or device-bound passkeys. Require the "Phishing-resistant MFA" authentication strength in Conditional Access for admin roles.

1.3 Continuous Access Evaluation

CAE shortens the window between a token-theft event and the attacker losing access. When a session is revoked or a device falls out of compliance, CAE-enabled apps re-evaluate within minutes instead of an hour. Verify tenant-wide enablement.

1.4 Lock Down Access with PIM

No standing admin permissions. Every Global Admin, Exchange Admin, and Conditional Access Admin should be eligible via Entra PIM with an approval workflow, MFA on activation, and a 1–4 hour activation cap. Apply the same to PIM for Groups.

1.5 Tame OAuth Consent

Disable user consent for apps from unverified publishers. Enable the admin consent request workflow. Roll out Microsoft 365 app governance in Defender for Cloud Apps to monitor OAuth app behaviour and auto-revoke risky grants.

1.2 The 10-Policy Conditional Access Baseline

Adayptus recommends this 10-policy set as a starting point for all tenants:

CA001: Block legacy authentication for all users
CA002: Require MFA for all users (number matching enforced)
CA003: Require phishing-resistant MFA for privileged roles
CA004: Require compliant or hybrid-joined device for cloud apps
CA005: Block sign-in from unsupported device platforms
CA006: High sign-in risk → block or require password change
CA007: High user risk → require password change
CA008: Block device code flow where business need is absent
CA009: Restrict workload identities (SPs) to known locations
CA010: Token Protection — require token binding for Exchange & SharePoint
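As an added example (not the article's own code or an Adayptus tool), the following Python checks an exported Conditional Access policy set for three entries of the baseline above: CA001, CA003 and CA008. It assumes the Microsoft Graph conditionalAccessPolicy JSON shape, the documented built-in Global Administrator role and "Phishing-resistant MFA" strength IDs, and a constructed sample export; report-only policies are deliberately not counted as coverage.

```python
# Added example, not from the article. Assumes the Graph conditionalAccessPolicy
# JSON shape and the documented built-in IDs below; the export is constructed.
import json

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"          # verify in tenant
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"  # verify in tenant

SAMPLE_EXPORT = json.dumps([   # CA001 enforced; CA003 report-only; no CA008 at all
    {"displayName": "CA001 Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 Admin phishing-resistant MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "authenticationStrength":
                       {"id": PHISHING_RESISTANT_STRENGTH}}},
])

def enforced(p):   # report-only policies log but never block: no coverage
    return p.get("state") == "enabled"

def grant(p, key, default):
    return (p.get("grantControls") or {}).get(key) or default

def blocks_legacy_auth(p):  # CA001
    c = p.get("conditions", {})
    return (enforced(p) and "block" in grant(p, "builtInControls", [])
            and "All" in c.get("users", {}).get("includeUsers", [])
            and LEGACY_CLIENTS <= set(c.get("clientAppTypes", [])))

def requires_phishing_resistant_mfa(p, role):  # CA003
    roles = p.get("conditions", {}).get("users", {}).get("includeRoles", [])
    strength_id = grant(p, "authenticationStrength", {}).get("id")
    return enforced(p) and role in roles and strength_id == PHISHING_RESISTANT_STRENGTH

def blocks_device_code(p):  # CA008
    flows = p.get("conditions", {}).get("authenticationFlows") or {}
    methods = (flows.get("transferMethods") or "").split(",")
    return (enforced(p) and "deviceCodeFlow" in methods
            and "block" in grant(p, "builtInControls", []))

def baseline_gaps(export_json):
    """Baseline IDs for which no enforced policy in the export provides cover."""
    policies = json.loads(export_json)
    checks = {"CA001": blocks_legacy_auth, "CA008": blocks_device_code,
              "CA003": lambda p: requires_phishing_resistant_mfa(p, GLOBAL_ADMIN_ROLE)}
    return sorted(cid for cid, ok in checks.items() if not any(ok(p) for p in policies))
```

Running `baseline_gaps(SAMPLE_EXPORT)` on the constructed export reports CA003 and CA008 as gaps, because the report-only admin policy does not enforce anything.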
Layer 2 — Email & Collaboration Hardening

Defender for O365
  • Safe Links for Office apps + Teams
  • Safe Attachments with dynamic delivery
  • Impersonation protection for top 50 VIPs
  • Block external auto-forwarding
  • User-reported phish to submission portal
SPF · DKIM · DMARC

Publish DMARC at p=reject for production domains. Sign with DKIM on all sending domains. Add ARC trusted senders if you front M365 with third-party gateways. This is the cheapest cyber-insurance control this quarter.

External Sharing Controls

Set SharePoint external sharing to "Existing guests" with a controlled domain allowlist. Limit Teams guest meeting policies. Apply sensitivity labels to auto-classify regulated content (financial, PII, KYC).

Layer 3 — Data Security & Microsoft Purview

Sensitivity Labels

Define a 4-tier taxonomy: Public / Internal / Confidential / Restricted. Auto-label Aadhaar, PAN, credit card and KYC data. Apply RMS encryption at the Restricted tier and require a justification to downgrade a label.

DLP Policies

Enable Endpoint DLP, Exchange DLP, SharePoint/OneDrive DLP, and Teams DLP from one Purview policy. Start in audit mode, tune for 30 days, then enforce. Key rules: bulk download by an external user, PCI patterns in Teams.

Insider Risk Mgmt

Enable IRM policy templates for data leak by departing employees, theft to personal cloud, and risky browser activity. Pair with HR signal (terminations) for highest signal-to-noise ratio.

Layer 4 — Monitoring & Detection

Enable Unified Audit Log and target one-year retention via Audit Premium or Sentinel archive tier. Stream all M365 audit, Entra sign-in, and Defender alerts into Microsoft Sentinel or your managed SOC. Configure detection rules to trigger on the five highest-signal patterns below.

D1: New External Mailbox Forwarding Rule

Alert on any Set-Mailbox, Set-InboxRule, or New-InboxRule operation in Exchange that adds an external ForwardingSmtpAddress, ForwardTo, or RedirectTo parameter. Scope the alert to any destination domain outside your own tenant.

D2: New Service Principal Credential Added

Alert on "Add service principal credentials" and "Update application – Certificates and secrets management" operations in Entra audit logs. Capture the initiating account, target application, and timestamp. Any credential addition to a high-privilege SP should trigger immediate review.

D3: Anomalous OAuth App Consent

Alert on "Consent to application" audit events where the granted scope includes high-risk permissions: Mail.Read, Mail.ReadWrite, Files.Read.All, Sites.Read.All, or Directory.Read.All. Unverified publisher apps with these scopes warrant immediate revocation review.

D4: Sign-in from Previously Unseen Network with Token Reuse

Alert on successful sign-ins (ResultType 0) where the authentication detail indicates a previously satisfied claim being replayed, originating from an autonomous system number (ASN) that has never been seen for that user. This pattern strongly indicates token replay from attacker infrastructure.

D5: Mass File Download from SharePoint / OneDrive

Alert when a single user downloads more than 200 files — or over 1 GB of data — from SharePoint or OneDrive within any rolling 5-minute window. This threshold catches both automated exfiltration scripts and rapid manual bulk downloads that precede ransomware staging.
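As an added example (not the article's own code), here are D1 and D5 implemented in Python over constructed Unified Audit Log records, the kind a SOC would prototype before porting to a Sentinel KQL rule. It assumes the Exchange and SharePoint record fields Operation, UserId, Parameters, CreationTime and Size, an accepted domain of contoso.example, and the page's thresholds; D1 also covers ForwardAsAttachmentTo, which the text does not list.

```python
# Added example, not from the article: D1 and D5 over constructed Unified Audit
# Log records; tenant domain, sample events and field names are assumptions.
from collections import deque
from datetime import datetime, timedelta

TENANT_DOMAINS = {"contoso.example"}   # assumed accepted domains of the tenant
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def external_forwarding(record):
    """D1: True when an inbox rule or mailbox change forwards outside the tenant."""
    if record.get("Operation") not in RULE_OPS:
        return False
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARD_PARAMS:
            continue
        # Exchange writes targets as "smtp:user@domain"; several may be ;-joined.
        for target in param.get("Value", "").split(";"):
            addr = target.strip().lower().removeprefix("smtp:")
            if "@" in addr and addr.rsplit("@", 1)[1] not in TENANT_DOMAINS:
                return True
    return False

def mass_downloaders(records, max_files=200, max_bytes=1 << 30,
                     window=timedelta(minutes=5)):
    """D5: users exceeding either threshold within any rolling window."""
    flagged, per_user = set(), {}
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r.get("Operation") != "FileDownloaded":
            continue
        q = per_user.setdefault(r["UserId"], deque())
        t = datetime.fromisoformat(r["CreationTime"])
        q.append((t, r.get("Size", 0)))
        while t - q[0][0] > window:            # evict events older than the window
            q.popleft()
        if len(q) > max_files or sum(s for _, s in q) > max_bytes:
            flagged.add(r["UserId"])
    return flagged

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"CreationTime": "2026-05-18T09:00:00", "Operation": "New-InboxRule",
     "UserId": "a.user@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "smtp:drop@mail.example"}]},
] + [
    {"CreationTime": f"2026-05-18T09:0{i}:30", "Operation": "FileDownloaded",
     "UserId": "c.user@contoso.example", "Size": 400 * 1024 * 1024}
    for i in range(3)           # 3 x 400 MB within 2 minutes: over 1 GB, flagged
]
```

On the sample, `external_forwarding` fires only for the rule pointing at mail.example, and `mass_downloaders(SAMPLE)` flags c.user on the third download, when the window total passes 1 GB.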
Layer 5 — Device & Endpoint

  • Deploy Defender for Endpoint to all corporate devices
  • Mark devices Compliant via Intune; require in CA
  • Enable Token Protection for sign-in sessions
  • Block personal cloud storage at egress proxy
  • Edge security baseline + Smart App Control
Layer 6 — Logging & Backup

  • Enable mailbox audit logging on every mailbox
  • Extend audit log retention to 1 year minimum
  • Deploy third-party or native M365 Backup for ransomware recovery
  • Keep eDiscovery ready for legal hold
Layer 7 — Incident Response

  • Revoke all sessions via Graph endpoint
  • Reset password and re-register MFA
  • Audit and remove inbox rules
  • Audit app consents; revoke unfamiliar OAuth grants
  • Inspect service-principal credentials for new secrets
  • Disable newly registered devices; revoke PRTs

M365 Security Baseline — Quick-Reference Checklist

Control Area | What to Enable | Owner
Phishing-resistant MFA | FIDO2 / Windows Hello / passkeys for admins and high-risk users | Identity team
Conditional Access | 10-policy baseline incl. legacy auth block, device compliance, risk-based | Identity team
CAE | Tenant-wide; verify on Exchange, SPO, Teams, Graph | Identity team
PIM | No standing admin; JIT activation with MFA + approval | Identity team
App governance | Defender for Cloud Apps OAuth policies + admin consent workflow | Identity team
Defender for O365 | Standard or Strict preset + impersonation protection on VIPs | Mail / SecOps
DMARC | p=reject on production domains, DKIM signed, SPF strict | Mail / SecOps
Purview labels + DLP | 4-tier taxonomy + endpoint, mail, SPO, Teams DLP enforced | Data governance
Defender XDR + Sentinel | Unified incident view; M365 connectors + custom KQL rules deployed | SOC
Audit log retention | One year (Audit Premium or SIEM archive) | SOC / Compliance
Token Protection | CA policy binding tokens to compliant devices | Identity team
M365 backup | Third-party or Microsoft 365 Backup for ransomware recovery | IT Ops
IR runbook | M365-specific tabletop rehearsed quarterly | SOC / IR

India Regulatory Notes — RBI, DPDP & CERT-In

For RBI-regulated entities, NBFCs, payment aggregators, and DPDP-bound businesses: audit log retention must be at least 180 days under CERT-In (one year is the practical RBI inspection answer). Customer KYC and PII in OneDrive/SharePoint should carry a Restricted sensitivity label with RMS encryption. Microsoft is a material technology provider under RBI Master Directions — keep documented evidence ready for IS audits.

Frequently Asked Questions


Q Does MFA stop AiTM phishing in 2026?
Standard MFA (SMS, push, TOTP) does not. AiTM kits sit between the user and Microsoft, capture the session token after MFA, and replay it from attacker infrastructure. Only phishing-resistant MFA — FIDO2 security keys, Windows Hello, device-bound passkeys — binds the credential to a hardware origin and breaks the AiTM pattern. Combine with CAE and Token Protection for layered defence.
Q What is the minimum M365 licence for these controls?
Most controls require Microsoft 365 E5 or Entra ID P2 + Defender for Office 365 P2 + Microsoft Purview add-ons. CA requires Entra ID P1 at minimum. PIM, CAE enhancements, risk policies, app governance, and Defender XDR require P2. Audit Premium for 1-year retention is a separate SKU.
Q Where do we start if we have done none of this?
First 30 days: (1) block legacy auth tenant-wide, (2) require MFA with number matching, (3) enable Defender for O365 Standard preset, (4) configure DMARC at p=reject, (5) enable Unified Audit Log and verify retention, (6) put Global Admins into PIM. These six steps close the largest share of M365 breach vectors.
Q Can Adayptus harden our Microsoft 365 tenant for us?
Yes. Adayptus runs M365 security baseline assessments, Conditional Access design and implementation, Defender XDR + Sentinel tuning, identity-attack tabletop exercises, and co-managed SOC coverage for M365 telemetry. Engagements map to RBI / DPDP / ISO 27001 / SOC 2 evidence requirements.

How Adayptus Helps

M365 Security Baseline Assessment

Full gap assessment against the 7-layer baseline in this guide, with prioritised remediation roadmap and licence-mapping advice.

Co-Managed SOC for M365

24x7 SOC consuming Defender XDR and Sentinel telemetry, with M365-specific detection use cases pre-tuned for AiTM, token theft, and OAuth abuse.

Phishing & AiTM Simulation

Realistic AiTM-style phishing campaigns to validate user training, Defender for O365 efficacy, and SOC response timing.

M365 Incident Response Retainer

Pre-agreed runbooks for tenant compromise — session revocation, OAuth grant audit, mailbox-rule cleanup, service-principal credential review.

Adayptus M365 Security

Turn this guide into a remediation plan for your tenant.

A 60-minute scoping call with our identity-and-M365 architects. We benchmark your tenant against the 7-layer baseline and tell you exactly which licences and CA policies you need to get there.

Conclusion

Modern Microsoft 365 attacks bypass the default configuration of the platform — not the platform itself. Phishing-resistant MFA, a designed CA policy set, Continuous Access Evaluation, PIM, app governance, Defender for O365, Purview DLP, Defender XDR, and a tested IR runbook are the levers that decide whether your tenant becomes the next BEC headline or stays out of it.

Disclaimer: This article reflects observations from Adayptus engagements in 2025–2026 and is not a substitute for licence-specific advice from your Microsoft representative or formal compliance counsel.


Peyush Baranwal

Senior Delivery Manager — Cyber Security, Adayptus

Peyush Baranwal is a Senior Delivery Manager at Adayptus Consulting with 11+ years of experience designing, implementing, and managing enterprise security programmes. His core expertise spans Vulnerability Assessment & Penetration Testing (VAPT), Application Security, and Security Operations — leading web, mobile, API, and infrastructure security assessments for CISOs and security teams across BFSI, healthcare, and SaaS. He focuses on measurable risk reduction, governance maturity, and operationalising detection-and-response capability. Outside work, Peyush is a passionate biker and part-time photographer.
