When Convenience Backfires: A Case Study in 365 Breach Through Poor Security Choices
Introduction
A mid-sized professional services firm experienced a serious Microsoft 365 security breach due to two critical security oversights: the refusal to implement multi-factor authentication (2FA) and maintaining their own set of global administrative credentials with a recycled password. The result was a successful compromise of the client’s tenancy, followed by sophisticated email rule manipulation and targeted phishing of the business’s own clients.
Background & Client Decisions
Despite repeated recommendations to adopt 2FA across all accounts—especially privileged ones—the client declined to take action or authorise action to be taken on their behalf. In addition, the business owners maintained a global admin account with full access, which was solely for their use but did not have 2FA enabled. This account used a password that had been previously exposed in unrelated data breaches and was never changed. Although the risks were clearly communicated, the client maintained their setup.
The Breach
The breach began when a threat actor leveraged the recycled credentials—likely obtained from a dark web data dump or brute-force attempt—to gain access to the business owner’s global admin account. With full administrative privileges and no second layer of authentication, the attacker had unfettered access to the Microsoft 365 environment.
Once inside, the attacker employed stealthy tactics. They set up hidden mailbox rules on the compromised account, forwarding specific emails to external addresses while suppressing any visible indication of the activity in the user’s inbox. This allowed the attacker to extract data and monitor communications without detection.
Simultaneously, the attacker began sending emails from the compromised account to the client’s customers. These emails appeared legitimate and claimed that the business had updated its bank account details, encouraging recipients to send payments to a fraudulent account. Because the emails originated from a known and trusted address and were written in a convincing tone, several clients were at real risk of financial loss.
Consequences
The breach had far-reaching consequences. The organisation faced reputational damage, increased support calls from confused or alarmed clients, and potential financial liability. Although the fraudulent payment redirection was caught before widespread harm occurred, trust had already been eroded.
The most insidious part of the attack was its subtlety. The hidden inbox rules meant that the company was unaware of the compromise until clients began questioning the legitimacy of the payment instructions. At that point, the attacker had been active in the system for several days.
Remediation involved a full audit of all accounts, forced password resets, enablement of 2FA across the organization, and a forensic investigation to determine the extent of the breach. The incident also required direct communication with affected clients to explain the situation and reaffirm security practices.
Lessons Learned
This breach was entirely preventable. The use of 2FA would have stopped the initial login attempt, and enforcing 2FA on all administrative accounts with least-privilege access would have limited the attacker’s reach.
Removing global (or super) admin permissions from daily-use accounts minimises the reach of any threat actor should the account become compromised. GroupSupport recommend a specific Admin account be created for each user requiring that permissions, without it being linked to any email or operational license.
Having an established trust relationship with your IT support team is essential for prompt responses to emerging situations.
Conclusion
Security is often seen as inconvenient—until it’s too late. This incident underscores why best practices like 2FA, unique passwords, and access control are essential. Convenience should never outweigh security, especially when trust, data, and client relationships are on the line.
Whilst this case study is based on a particular incident, it is representative of a very real trend in the current cyber threat landscape. Complacency around security is a business’s biggest enemy.
At GroupSupport we would encourage you to reach out to your IT provider or trusted IT advisor to discuss your security. If you don’t have someone appropriate to speak to or would like a second opinion reach out to one of the GroupSupport team on 08 9277 1768 or support@groupsupport.com.au
