Traditional perimeter security assumed that if you protected the network, you protected the organisation. Microsoft 365 has rendered that model obsolete.
In a cloud-first world, identity is the perimeter — and attackers know it.
For many organisations, this shift has happened almost without notice. There was no formal decision to abandon the perimeter model; it simply eroded as cloud services became business-critical. Email, identity, file storage, collaboration, and administration moved outside the network boundary, while security thinking often lagged behind. The result is an environment where traditional controls still exist, but no longer sit in front of the assets that matter most.
This article explores how modern attackers compromise Microsoft 365 tenants and why identity misconfiguration is now the dominant failure mode.
In a Microsoft 365 tenant, the network no longer acts as a meaningful trust boundary. Users authenticate directly to Microsoft services from unmanaged networks, personal devices, and third-party locations. Whether a user is sitting in a corporate office or on a home Wi-Fi connection is largely irrelevant — the authentication path is the same. This is a fundamental shift in how access must be controlled and defended.
Microsoft 365 is accessible from anywhere:
Every authentication attempt is effectively internet-facing.
As a result:
Identity controls are the only meaningful gate.
These techniques are attractive to attackers because they align perfectly with how Microsoft 365 is designed to operate. Rather than fighting defensive controls, attackers exploit legitimate workflows: authentication prompts, consent requests, and session tokens. From the platform’s perspective, these actions often appear indistinguishable from normal user behaviour, which is why they are so effective and so difficult to detect.
Attackers targeting Microsoft 365 rarely rely on malware. Instead, they use:
Once authenticated, they operate as the user — often without triggering traditional alerts.
MFA is frequently cited as a silver bullet. In reality, its effectiveness depends entirely on how it is enforced.
Common weaknesses include:
Attackers don’t bypass MFA — they work around it.
The common failure is treating MFA as a binary state rather than a control system. In practice, the strength of MFA depends on how consistently it is enforced, what conditions it responds to, and how it behaves under pressure. Exclusions, legacy protocols, and weak second factors all introduce seams that attackers deliberately target. When MFA is implemented without a clear threat model, it provides reassurance without resilience.
Once inside a tenant, attackers look for privilege escalation paths:
Because role assignments are rarely reviewed rigorously, these paths often exist unnoticed.
Privilege escalation paths often persist because they sit at the intersection of convenience and responsibility. Admin access is granted to solve a problem quickly, but the mechanism to revoke it later is informal or forgotten entirely. Over time, the tenant accumulates powerful identities that no longer reflect current roles or business need. For attackers, these accounts represent pre-built shortcuts to full control.
Even when identity compromise is detected, response often lags.
Common gaps include:
Detection without response is little better than no detection at all.
During real incidents, these gaps become painfully obvious. Alerts exist, but no one is sure who should act on them. Logs contain fragments of activity, but not enough context to reconstruct what happened. By the time clarity emerges, the attacker has often already achieved persistence or data access. At that point, organisations are no longer preventing compromise — they are managing consequences.
Effective identity security requires:
Defending the identity perimeter requires treating identity controls as an interconnected system rather than isolated settings. Conditional Access, privilege management, logging, and alerting must reinforce one another. Weakness in any single area reduces the effectiveness of the whole. This is why identity security cannot be validated by configuration alone — it must be understood in terms of behaviour and interaction.
These are not “set and forget” controls.
What makes identity compromise particularly dangerous is not its sophistication, but its subtlety. There is often no clear moment where defenders can say, “this is the breach.” Instead, small, plausible actions accumulate until the damage is already done. Organisations that rely on obvious indicators or perimeter-style alarms often discover incidents long after the opportunity to contain them has passed.
Identity-based compromise in Microsoft 365 rarely looks dramatic at first. There is no malware outbreak, no obvious breach indicator, no perimeter alarm. An attacker logs in, behaves plausibly, and blends into normal activity.
This is precisely why identity security failures are so damaging.
Once an attacker is operating with legitimate credentials, the window for prevention has often closed. At that point, success depends on detection quality, response maturity, and governance discipline — areas that many tenants have never had reason to test.
Treating identity as the new perimeter requires more than enabling MFA or purchasing the right licences. It requires understanding how identity controls behave under real-world pressure, and where trust boundaries actually sit.
That understanding cannot be gained from configuration alone. It has to be validated, challenged, and periodically re-examined — ideally before an attacker does it for you.
Trusted Microsoft Cloud Security Advisor with 27 years experience | Empowering Businesses to Embrace Cloud Innovation with Confidence
