6 Cybersecurity Challenges M365 Admins Face

Microsoft 365 is used by well over 1 million organizations around the world, making it the most popular productivity suite among businesses.[1] And for good reasons: Its cloud-based software components integrate seamlessly and enable companies to give their employees the tools they need to do their jobs anywhere, on any device. 

However, popularity does not equal security. In part because of its prevalence, M365 — and, in particular, its email and collaboration tools — is a common target for cybercriminals. “What increases accessibility for you increases it for attackers, too,” explained J. Peter Bruzzese, a Microsoft Office Apps and Services MVP, in a recently published Mimecast ebook. “Email continues to be the number one vector for the bad guys.” 

As many security leaders have experienced, the native cybersecurity protections built into M365 may fail to keep pace with evolving threats. The vast majority (94%) of security professionals around the world say that additional layers of cybersecurity are required when using platforms such as M365, according to Mimecast’s State of Email Security 2023 (SOES 23) report.

While M365 hosting can be outsourced, cyber risk management cannot. That’s why many experienced IT and security professionals opt for a multilayered, “defense-in-depth” approach that includes purpose-built security tools designed for email and collaboration tools to fill gaps and protect against likely outages, admin missteps, and attacks.

Securing M365: IT Admins’ Biggest Headaches

IT admins face a number of cybersecurity challenges when managing an M365 platform. Understanding these common issues, particularly in supporting the email and collaboration tools within M365, can help organizations develop a stronger cybersecurity strategy for protecting their networks and data. 

1. Good enough security isn’t good enough. In the old days of mostly on-premises productivity software, there was a clear case for the adoption of additional cybersecurity solutions to detect and protect against cyberthreats. One of the benefits of modern hosted business solutions is the ability to offload some of the associated worry and overhead. Indeed, many business leaders expect that adoption of a leading cloud-based business software suite delivers adequate, reliable built-in protections. 

Cloud-based products, like M365, offer functionality in the areas of security, compliance, continuity, and recoverability, as laid out in their contracts. However, IT admins recognize the value of deploying additional tools designed to keep pace with today’s ever-changing and complex cyber threat environment. Email remains the primary entry point for cyberattacks, with collaboration tools not far behind. M365 has integrated safeguards against malware, for example, but establishing multiple points of protection (including additional email security software) increases its cybersecurity exponentially. The key is making the case for these additional investments to business leaders. Gateway-less offerings tailor-made for the M365 environment can instantly increase protection against sophisticated email-borne attacks. 

2. Employees are only human. While email may be the most common entry point for bad guys, it is an organization’s users who often let them in. One of the biggest headaches for IT admins charged with managing the M365 environment is user behavior. One wrong click can expose the organization’s network to cyber adversaries. Even IT admins can make mistakes. One of the best ways companies can help their admins secure their M365 environments is to invest in consistent, up-to-date security awareness training, for everyone from the owner of the company, to line managers, to systems admins themselves.

3. M365 is more than just email. While Outlook is likely the most frequently used M365 application, Microsoft’s productivity suite could come with more than 20 applications installed, including OneDrive, Word, Excel, PowerPoint, OneNote, SharePoint, Teams, and Yammer. Some of these tools, like Teams, are newer, while the SharePoint application is now a couple of decades old. Each one comes with its own security challenges and, importantly, is a separate attack surface for IT admins to secure and monitor. Most of these applications have Internet-facing connectivity to enable, for example, file sharing or chat, inherently creating network-level exposure. And it doesn’t seem to matter whether the organization is actually using the application; if it appears live and available, it’s exploitable by cybercriminals. Therefore, it’s incumbent on admins to restrict availability of unused applications as well.

4. Securing systems without stifling collaboration is a balancing act. The use of cloud-based business software platforms, like M365, boomed during the pandemic, enabling organizations to quickly adapt to remote work with anywhere-access to email, real-time chat, collaboration, file sharing, video conferencing, and more. Yet all of that functionality has created additional vulnerability. In addition to threats like malware and phishing that arrive via email, cybercriminals quickly developed tactics to exploit capabilities including videoconferencing, file sharing, and chat as ways to slip into corporate networks. The continuous connectivity that M365 applications provide is essential to business performance, particularly in an era defined by remote and hybrid work models, but it also has created new footpaths that bad actors can use. 

For example, cybercriminals can use file-sharing functionality (built into several different M365 applications) to install viruses, worms, spyware, and other malicious code. And bad actors can use some of their social engineering tactics in new ways via chat or videoconference. Nearly three-quarters (72%) of SOES 23 respondents say it is likely, extremely likely, or even inevitable that a collaboration-tool-based attack will damage their organizations in 2023. Admins must walk the line to protect their organizations’ data and networks without stifling collaboration and productivity. An important first step is to classify all sensitive data, back that data up, and restrict access to a need-to-know basis. Establishing best practices for collaboration and file sharing — including, for example, password protection, file encryption, virus scanning, encryption, system monitoring, and expiring links — is also essential.

5. The dangers of unauthorized access abound. As highlighted above, a key benefit of M365 applications is the ability to share insight and collaborate. It’s also a big business risk. While IT admins want to provide employees with adequate entry to these mission-critical apps, unmitigated access exposes the organization to greater cyber risk. And outsiders aren’t the only problem. Admins must ensure that the accounts of employees or contractors who no longer work for the company are disabled. Identity and access management become indispensable when securing the M365 environment. Instituting role-based access — giving employees and contractors access to only the applications and information necessary to perform a task — and setting appropriate security restrictions for each user within an application are critical tasks.[2]An identity and access management system that integrates with the M365 platform can also make an admin’s job easier by automating defenses, improving governance, and coordinating incident response.

6. Credential-based attacks create broad exposure. Along with controlling access to M365 applications is the challenge of preventing the loss or theft of credentials used to log in to the platform. If one of an organization’s M365 credentials gets into the wrong hands, there is potential for a severe data breach or other cyberattack. In fact, most data breaches are linked to stolen credentials. Given the broad adoption of M365 by companies around the world, it’s an easy target for credential phishing attacks as well. Once a bad actor has a working login for M365, they have access to that user’s email account, SharePoint folders, OneDrive files, Teams sessions, and more. If they procure an admin’s credentials, the risk skyrockets. Microsoft itself recommends having no more than four global admins for this very reason.[3] Solutions that can help include identity and access management, email scanning capabilities, security awareness and user behavior training, multifactor identification, and insider threat monitoring.

The Bottom Line 

Although M365 has built-in security measures, IT admins still must manage an array of risks and vulnerabilities on a daily basis. Wrapping additional cybersecurity tools and processes around the cloud-based productivity platform can ease the burden. Investing in security tools specifically designed to work with M365 out of the box deepens protections without impeding day-to-day business operations. One option is Mimecast’s Email Security, Cloud Integrated solution, a gateway-less solution that secures the M365 environment and can instantly bolster an organization’s defenses against increasingly sophisticated email-borne attacks.

[1] “Number of companies using Office 365 worldwide as of February 2023, by leading country,” Statista

[2] “Microsoft Office 365 Security Challenges and Solutions,” VisualEdge IT

[3] “About admin roles in the Microsoft 365 admin center,” Microsoft