
How to Secure Microsoft 365 Against Modern Attacks (2026)
How to secure Microsoft 365 against modern attacks — AiTM phishing, token theft, OAuth abuse — with technical controls, KQL detections and a 2026 baseline.
Microsoft 365 is the single highest-value attack surface in most enterprises. Identity, mail, files, Teams chats, OneDrive, SharePoint and the Graph API that ties them together all live behind one Entra ID tenant. Compromise the tenant and the attacker compromises the company. In 2026, modern attackers steal post-authentication tokens, abuse OAuth consent, and bypass MFA wholesale with Adversary-in-the-Middle kits sold as a service.
This is the technical playbook for hardening Microsoft 365. Every control ties to a real Microsoft feature, a real Conditional Access policy, or a real KQL detection. The order matters: identity first, email second, data third, monitoring fourth.
The Modern Microsoft 365 Attack Chain
Modern M365 intrusions follow a recognisable pattern. Map the chain to place controls at the right stage.
Top Attack Patterns in 2025–2026
Mapping each pattern to its primary defence closes the gap between threat intelligence and engineering action.
| Attack Pattern | How It Works | Primary Defence |
|---|---|---|
| AiTM phishing | Reverse-proxy kit relays creds + steals session cookie | FIDO2 MFA + Token Protection |
| Token replay | Stolen token reused from attacker infra to access mail/files | Continuous Access Evaluation + risk policies |
| Illicit consent grant | User tricked into approving malicious OAuth app | Disable user consent; admin-consent workflow |
| Device-code phishing | Attacker sends valid device-code URL out-of-band | Block device code flow via Conditional Access |
| SP credential abuse | Attacker adds new client secret to a privileged SP | CA for workload identities + PIM for SPs |
| Mailbox forwarding rule | Hidden rule auto-forwards mail externally | Anti-phishing policy + mailbox audit alert |
| MFA fatigue | Attacker spams MFA approvals until user accepts | Authenticator number matching + context |
| Legacy auth abuse | IMAP/POP/SMTP basic auth bypasses CA | Block legacy auth tenant-wide via CA |
| Password spray | Low-and-slow attempts across many accounts | Smart Lockout + sign-in risk + CA policy |
| OAuth app data exfil | Granted app uses Graph permissions to pull mail/files | App governance + Defender for Cloud Apps |
Identity Hardening — Highest Leverage
More than 80% of M365 incidents Adayptus investigates start at the identity layer. Fix this layer first.
Phishing-resistant MFA in Conditional Access for admin roles.
The 10-Policy Conditional Access Baseline
Adayptus recommends this 10-policy set as a starting point for all tenants:
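As an added example (not Adayptus's or Microsoft's code), the check below audits a tenant's exported Conditional Access policies, in the JSON shape the Graph conditionalAccessPolicy resource returns, for two of the baseline controls the attack-pattern table names: blocking legacy authentication and blocking the device code flow. The policy objects are constructed; the WEAK pair shows the states that look configured but do not protect (report-only, or grant-MFA instead of block), and the FIXED pair the enforced form.

```python
# Audit exported Conditional Access policies for two baseline controls.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}   # Graph clientAppTypes covering basic/legacy auth

def _enforced_block_for_all(policy):
    """True only when the policy is enabled (not report-only), blocks, and includes all users."""
    grant = policy.get("grantControls") or {}
    users = policy["conditions"].get("users", {})
    return (policy.get("state") == "enabled"
            and "block" in grant.get("builtInControls", [])
            and "All" in users.get("includeUsers", []))

def blocks_legacy_auth(policy):
    types = set(policy["conditions"].get("clientAppTypes", []))
    return _enforced_block_for_all(policy) and LEGACY_CLIENT_TYPES <= types

def blocks_device_code(policy):
    flows = policy["conditions"].get("authenticationFlows") or {}
    return _enforced_block_for_all(policy) and "deviceCodeFlow" in flows.get("transferMethods", "").split(",")

def baseline_gaps(policies):
    """Names of baseline controls that no policy in the tenant enforces."""
    checks = {"legacy_auth_blocked": blocks_legacy_auth, "device_code_blocked": blocks_device_code}
    return sorted(name for name, check in checks.items() if not any(check(p) for p in policies))

# Constructed policies (not exported from a real tenant).
WEAK = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",  # report-only never blocks
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Device code MFA", "state": "enabled",  # requires MFA, does not block the flow
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"],
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
FIXED = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-id"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-id"]},
                    "clientAppTypes": ["all"], "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```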
Email & Collaboration Hardening
- Safe Links for Office apps + Teams
- Safe Attachments with dynamic delivery
- Impersonation protection for top 50 VIPs
- Block external auto-forwarding
- User-reported phish to submission portal
Publish DMARC at p=reject for production domains. Sign with DKIM on all sending domains. Add ARC trusted senders if you front M365 with third-party gateways. This is the cheapest cyber-insurance control this quarter.
Set SharePoint external sharing to "Existing guests" with a controlled domain allowlist. Limit Teams guest meeting policies. Apply sensitivity labels to auto-classify regulated content (financial, PII, KYC).
Data Security & Microsoft Purview
Define a 4-tier taxonomy: Public / Internal / Confidential / Restricted. Auto-label Aadhaar, PAN, credit card and KYC content. Apply RMS encryption at the Restricted tier; require justification to downgrade.
Enable Endpoint DLP, Exchange DLP, SharePoint/OneDrive DLP, and Teams DLP from one Purview policy. Start in audit mode, tune for 30 days, then enforce. Key rules: bulk download by an external user, PCI patterns in Teams.
Enable Insider Risk Management (IRM) policy templates for data leaks by departing employees, theft to personal cloud storage, and risky browser activity. Pair with the HR signal (terminations) for the highest signal-to-noise ratio.
Layer 4 — Monitoring & Detection
Enable Unified Audit Log and target one-year retention via Audit Premium or Sentinel archive tier. Stream all M365 audit, Entra sign-in, and Defender alerts into Microsoft Sentinel or your managed SOC. Configure detection rules to trigger on the five highest-signal patterns below.
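As an added example that is not the page's own KQL, here is the logic of one such high-signal detection, the external mailbox-forwarding rule from the attack-pattern table, run in Python over constructed Unified Audit Log records (Operation and Parameters follow the Exchange admin-audit record shape; every address, IP and domain is invented). A rule that also deletes or hides the forwarded mail is scored higher, because that combination is the classic BEC pattern.

```python
import json
import re

# Constructed Unified Audit Log records in the shape Exchange admin-audit events take
# (Operation plus a Parameters list of Name/Value pairs); not real tenant data.
SAMPLE_UAL = r'''
{"CreationTime":"2026-01-14T08:02:11","Operation":"New-InboxRule","Workload":"Exchange","UserId":"cfo@contoso.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"billing.archive@mailhost.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-01-14T08:05:40","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"ap@contoso.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"ap"},{"Name":"ForwardingSmtpAddress","Value":"smtp:ap.backup@mailhost.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-01-14T09:11:02","Operation":"New-InboxRule","Workload":"Exchange","UserId":"hr@contoso.example","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Payroll to manager"},{"Name":"ForwardTo","Value":"manager@contoso.example"}]}
{"CreationTime":"2026-01-14T09:30:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"hr@contoso.example","ClientIP":"198.51.100.20"}
'''

TENANT_DOMAINS = {"contoso.example"}                       # domains considered internal
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}  # actions that hide the copy from the victim
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_ual(text):
    """One JSON record per line, as exported from Search-UnifiedAuditLog or a SIEM."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def external_forwarding_alerts(records, tenant_domains):
    """Flag admin-audit events that forward or redirect mail outside the tenant."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in FORWARD_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [addr for name, value in params.items() if name in FORWARD_PARAMS
                   for addr in EMAIL_RE.findall(value)]
        external = sorted({a for a in targets if a.rsplit("@", 1)[1].lower() not in tenant_domains})
        if not external:
            continue
        hiding = sorted(name for name in params if name in HIDE_PARAMS)
        alerts.append({"time": rec["CreationTime"], "user": rec["UserId"], "operation": rec["Operation"],
                       "client_ip": rec.get("ClientIP"), "external_targets": external,
                       "hiding_params": hiding, "severity": "high" if hiding else "medium"})
    return alerts
```

The same ClientIP appearing on both alerts is the pivot an analyst would take next: every sign-in and rule change from that address across the tenant.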
Device & Endpoint
- Deploy Defender for Endpoint to all corporate devices
- Mark devices Compliant via Intune; require in CA
- Enable Token Protection for sign-in sessions
- Block personal cloud storage at egress proxy
- Edge security baseline + Smart App Control
Logging & Backup
- Enable mailbox audit logging on every mailbox
- Extend audit log retention to 1 year minimum
- Deploy third-party or native M365 Backup for ransomware recovery
- Keep eDiscovery ready for legal hold
Incident Response
- Revoke all sessions via Graph endpoint
- Reset password and re-register MFA
- Audit and remove inbox rules
- Audit app consents; revoke unfamiliar OAuth grants
- Inspect service-principal credentials for new secrets
- Disable newly registered devices; revoke PRTs
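The steps above as one ordered containment routine, added here as an example and not Adayptus's or Microsoft's code. The Graph v1.0 paths are real; `call(method, path, body)` is an assumed wrapper around an authenticated HTTP session, and `demo()` runs the routine against constructed tenant responses so the ordering can be checked offline. Password reset and MFA re-registration are left to the identity team's existing process.

```python
from datetime import datetime, timezone

def contain_user(user_id, tenant_domains, approved_sp_ids, incident_start, call):
    """Containment steps in order; call(method, path, body) issues Graph v1.0 requests."""
    actions = []
    # 1. Invalidate refresh tokens and sessions so replayed tokens stop working.
    call("POST", f"/users/{user_id}/revokeSignInSessions", None)
    actions.append("sessions_revoked")
    # 2. Delete inbox rules that forward or redirect mail outside the tenant.
    for rule in call("GET", f"/users/{user_id}/mailFolders/inbox/messageRules", None)["value"]:
        acts = rule.get("actions", {})
        recips = acts.get("forwardTo", []) + acts.get("forwardAsAttachmentTo", []) + acts.get("redirectTo", [])
        if any(r["emailAddress"]["address"].rsplit("@", 1)[-1].lower() not in tenant_domains for r in recips):
            call("DELETE", f"/users/{user_id}/mailFolders/inbox/messageRules/{rule['id']}", None)
            actions.append(f"rule_deleted:{rule['displayName']}")
    # 3. Revoke delegated OAuth grants to service principals that are not on the approved list.
    for grant in call("GET", f"/users/{user_id}/oauth2PermissionGrants", None)["value"]:
        if grant["clientId"] not in approved_sp_ids:
            call("DELETE", f"/oauth2PermissionGrants/{grant['id']}", None)
            actions.append(f"grant_revoked:{grant['clientId']}")
    # 4. Disable devices registered after the incident began; a disabled device cannot renew its PRT.
    for dev in call("GET", f"/users/{user_id}/registeredDevices", None)["value"]:
        registered = datetime.fromisoformat(dev["registrationDateTime"].replace("Z", "+00:00"))
        if registered >= incident_start:
            call("PATCH", f"/devices/{dev['id']}", {"accountEnabled": False})
            actions.append(f"device_disabled:{dev['id']}")
    return actions

# Constructed Graph responses standing in for a compromised tenant (not real data).
FAKE_TENANT = {
    "/users/u1/mailFolders/inbox/messageRules": {"value": [
        {"id": "r1", "displayName": ".", "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailhost.example"}}], "delete": True}},
        {"id": "r2", "displayName": "Team CC", "actions": {"forwardTo": [{"emailAddress": {"address": "team@contoso.example"}}]}}]},
    "/users/u1/oauth2PermissionGrants": {"value": [
        {"id": "g1", "clientId": "sp-approved-1"}, {"id": "g2", "clientId": "sp-unknown-9"}]},
    "/users/u1/registeredDevices": {"value": [
        {"id": "d-old", "registrationDateTime": "2025-03-01T09:00:00Z"},
        {"id": "d-new", "registrationDateTime": "2026-01-14T08:10:00Z"}]},
}

def demo():
    # Runs the runbook against FAKE_TENANT; returns (actions taken, write requests issued).
    writes = []
    def call(method, path, body):
        if method == "GET":
            return FAKE_TENANT[path]
        writes.append((method, path))
        return {}
    start = datetime(2026, 1, 14, 8, 0, tzinfo=timezone.utc)
    return contain_user("u1", {"contoso.example"}, {"sp-approved-1"}, start, call), writes
```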
M365 Security Baseline — Quick-Reference Checklist
| Control Area | What to Enable | Owner |
|---|---|---|
| Phishing-resistant MFA | FIDO2 / Windows Hello / passkeys for admins and high-risk users | Identity team |
| Conditional Access | 10-policy baseline incl. legacy auth block, device compliance, risk-based | Identity team |
| CAE | Tenant-wide; verify on Exchange, SPO, Teams, Graph | Identity team |
| PIM | No standing admin; JIT activation with MFA + approval | Identity team |
| App governance | Defender for Cloud Apps OAuth policies + admin consent workflow | Identity team |
| Defender for O365 | Standard or Strict preset + impersonation protection on VIPs | Mail / SecOps |
| DMARC | p=reject on production domains, DKIM signed, SPF strict | Mail / SecOps |
| Purview labels + DLP | 4-tier taxonomy + endpoint, mail, SPO, Teams DLP enforced | Data governance |
| Defender XDR + Sentinel | Unified incident view; M365 connectors + custom KQL rules deployed | SOC |
| Audit log retention | One year (Audit Premium or SIEM archive) | SOC / Compliance |
| Token Protection | CA policy binding tokens to compliant devices | Identity team |
| M365 backup | Third-party or Microsoft 365 Backup for ransomware recovery | IT Ops |
| IR runbook | M365-specific tabletop rehearsed quarterly | SOC / IR |
For RBI-regulated entities, NBFCs, payment aggregators, and DPDP-bound businesses: audit log retention must be at least 180 days under CERT-In (one year is the practical RBI inspection answer). Customer KYC and PII in OneDrive/SharePoint should carry a Restricted sensitivity label with RMS encryption. Microsoft is a material technology provider under RBI Master Directions — keep documented evidence ready for IS audits.
How Adayptus Helps
M365 Security Baseline Assessment
Full gap assessment against the 7-layer baseline in this guide, with prioritised remediation roadmap and licence-mapping advice.
Co-Managed SOC for M365
24x7 SOC consuming Defender XDR and Sentinel telemetry, with M365-specific detection use cases pre-tuned for AiTM, token theft, and OAuth abuse.
Phishing & AiTM Simulation
Realistic AiTM-style phishing campaigns to validate user training, Defender for O365 efficacy, and SOC response timing.
M365 Incident Response Retainer
Pre-agreed runbooks for tenant compromise — session revocation, OAuth grant audit, mailbox-rule cleanup, service-principal credential review.
Conclusion
Modern Microsoft 365 attacks bypass the default configuration of the platform — not the platform itself. Phishing-resistant MFA, a designed CA policy set, Continuous Access Evaluation, PIM, app governance, Defender for O365, Purview DLP, Defender XDR, and a tested IR runbook are the levers that decide whether your tenant becomes the next BEC headline or stays out of it.
Disclaimer: This article reflects observations from Adayptus engagements in 2025–2026 and is not a substitute for licence-specific advice from your Microsoft representative or formal compliance counsel.

Peyush Baranwal
Senior Delivery Manager — Cyber Security, Adayptus
Peyush Baranwal is a Senior Delivery Manager at Adayptus Consulting with 11+ years of experience designing, implementing, and managing enterprise security programmes. His core expertise spans Vulnerability Assessment & Penetration Testing (VAPT), Application Security, and Security Operations — leading web, mobile, API, and infrastructure security assessments for CISOs and security teams across BFSI, healthcare, and SaaS. He focuses on measurable risk reduction, governance maturity, and operationalising detection-and-response capability. Outside work, Peyush is a passionate biker and part-time photographer.