Microsoft 365

    Why IT Admins Shouldn’t ‘Sleepwalk into Microsoft 365’

    Microsoft MVP warns against moving to Microsoft 365 without a critical eye towards enhancing email security.

    by David Hood

    Key Points

    • With email remaining the top attack vector for cybercriminals, organizations cannot simply rely on built-in email application security.
    • Organizations need to seek out third-party vendors that can fill in the gaps in their email security.
    • A new Conversational Geek guide provides insight into how to improve Microsoft 365 cyber resilience.

    Ninety-four percent of cyberattacks use email. Email is also one of the most critical business applications. You see where we’re going with this? Email security is extremely important. Many organizations count on buying a brand-name email application and then expect it to be secure. And while email applications can handle security fairly well, they simply cannot handle attacks as effectively as required in today’s dynamic and sophisticated threat environment.

    In Conversational Microsoft 365 Cyber Resilience, J. Peter Bruzzese, an eight-time Exchange/Office Microsoft MVP, calls the act of deploying that well-known, brand-name email application and then forgetting about it, “sleepwalking.” His key concerns are as follows:


    Microsoft 365 provides basic anti-spam, malware, and spoofing protection. These foundational protections do work, but living in a security monoculture carries tremendous risk – given cybercriminals only need a single entry point to attack - and can outweigh basic email security. 

    Opportunistic Attacks

    Most cybercriminals, save for insider risk attacks, are looking for low-hanging fruit in their targets. Cybercriminals can conduct social engineering, combined with some pretexting, to reveal whether their targets exhibit strong email security behaviors. With “naked” Microsoft 365, opportunistic attacks can be at an all-time high.   


    As Bruzzese says, “It’s not what your security solution can stop that matters. It’s what it lets through that you really need to worry about…EOP and MDO365 do work. They DO stop stuff: spam, malware, ransomware, and malicious links or impersonation attacks.” Yet, results show these solutions letting through too many attacks for most admins’ comfort. 

    The Bottom Line 

    Without going too deep in the weeds about how Mimecast can provide a great complementary solution to Microsoft 365, Bruzzese tells the story his own way. He says to his readers, “I want you to see their solution how I see it. I won’t be able to give you every last bell and whistle of their solution, but I will certainly be able to tell you how it will add value to either your Microsoft 365 Exchange Online, hybrid, or on-premises environment.”

    Email admins facing pressure to reduce email-based attacks should take the time to read the new Conversational Geek Guide.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top