Concise Cyber

Report Reveals 5 Critical Microsoft 365 Security Settings Organizations Overlook

Foundational Gaps in Identity and Email Security

A Vectra AI Spotlight Report on Microsoft 365 detailed common security misconfigurations that expose organizations to significant risk. The report identified that many security teams overlook critical settings within the platform’s complex environment. One of the primary findings was the continued use of legacy authentication protocols, such as POP3 and IMAP, in Exchange Online. These protocols do not support modern security controls like Multi-Factor Authentication (MFA), creating a direct path for credential-based attacks.

Furthermore, the analysis uncovered overly permissive roles within Azure Active Directory (now Microsoft Entra ID). Security analysts found that many organizations assign high-privilege roles to user accounts that do not require such extensive access, violating the principle of least privilege. Attackers who compromise these accounts gain elevated permissions to manipulate the cloud environment, create new accounts, and access sensitive data across the tenant.

Risks Within Collaboration and Compliance Tools

The report also highlighted how threat actors abuse native M365 applications. Microsoft Power Automate, designed for workflow automation, was observed being used to create malicious flows. These flows were configured to exfiltrate data from SharePoint or send phishing emails internally, effectively bypassing traditional security measures because the activity originates from a sanctioned first-party service. Another area of concern involves eDiscovery permissions. Attackers who gain access to an account with eDiscovery privileges can search across all mailboxes and SharePoint sites, allowing them to locate and export sensitive information without raising immediate alarms.

Finally, the report detailed the manipulation of Exchange mailbox permissions. After gaining initial access, threat actors were seen adding their own accounts as delegates to a user’s mailbox. This technique grants them persistent access to read, send, and delete emails from the compromised account, enabling further internal phishing or business email compromise (BEC) attacks.
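A defender-side check for the delegation technique described above, added here as an example and not taken from the report or the article: it walks Unified Audit Log records (the AuditData shape exported by Search-UnifiedAuditLog, already parsed into dicts) and flags every successful grant of FullAccess or SendAs to an account other than the mailbox owner, rating a self-grant by the acting account highest. The sample records and addresses are constructed for illustration.

```python
# Flag mailbox-delegation grants in Microsoft 365 Unified Audit Log records (AuditData shape).
DELEGATION_OPS = {"Add-MailboxPermission": "User", "Add-RecipientPermission": "Trustee"}  # op -> grantee param

def _param(record, name):
    """Return the value of a named cmdlet parameter from an Exchange admin audit record."""
    return next((p.get("Value", "") for p in record.get("Parameters", []) if p.get("Name") == name), "")

def find_delegation_grants(records):
    """Return a finding for each successful grant of mailbox rights to a principal other than the owner.
    Severity is 'high' when the acting account grants the right to itself (self-delegation)."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in DELEGATION_OPS or rec.get("ResultStatus") != "True":
            continue
        mailbox = _param(rec, "Identity") or rec.get("ObjectId", "")
        grantee = _param(rec, DELEGATION_OPS[op])   # -User for FullAccess, -Trustee for SendAs
        if not grantee or grantee.upper() == "NT AUTHORITY\\SELF" or grantee.lower() == mailbox.lower():
            continue
        actor = rec.get("UserId", "")
        findings.append({"time": rec.get("CreationTime"), "mailbox": mailbox, "grantee": grantee,
                         "actor": actor, "rights": _param(rec, "AccessRights"),
                         "severity": "high" if grantee.lower() == actor.lower() else "medium"})
    return findings

# Constructed sample records (not real tenant data), in the shape Search-UnifiedAuditLog exports.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-02T09:14:21", "Operation": "Add-MailboxPermission", "ResultStatus": "True",
     "UserId": "helpdesk@contoso.example", "ObjectId": "cfo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.example"},
                    {"Name": "User", "Value": "helpdesk@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2024-05-02T10:02:05", "Operation": "Add-RecipientPermission", "ResultStatus": "True",
     "UserId": "admin@contoso.example", "ObjectId": "finance@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "finance@contoso.example"},
                    {"Name": "Trustee", "Value": "assistant@contoso.example"},
                    {"Name": "AccessRights", "Value": "SendAs"}]},
    {"CreationTime": "2024-05-02T11:30:00", "Operation": "Set-Mailbox", "ResultStatus": "True",
     "UserId": "admin@contoso.example", "ObjectId": "cfo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.example"}]},
]

if __name__ == "__main__":
    for finding in find_delegation_grants(SAMPLE_RECORDS):
        print(finding)
```

Pair the output with a periodic baseline from Get-MailboxPermission and Get-RecipientPermission so that delegations added outside the audit retention window are also caught.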

Source: https://www.bleepingcomputer.com/go/67/