I recently worked with a business that had a serious Microsoft 365 security incident — one that’s worth sharing because it highlights a gap many businesses don’t realize exists.
This client managed their own M365 accounts without outside monitoring from my Las Vegas IT business, Novak Networx. Unfortunately, that meant no one was actively watching for suspicious changes or unusual app connections.
The attack was an interesting one: the hackers connected two third-party applications to one of their Microsoft 365 accounts — SecureMailMerge and Sol Inventum Licensing Server. Somehow, the connection process didn’t trigger a 2FA (two-factor authentication) prompt. I’m still not sure why, but the end result was that these apps were granted permission to send emails directly from the account.
From there, the attackers used this “trusted” connection to send malware links to every one of the client’s customers. Because the messages came from a legitimate, real account, they passed through normal email security filters without a problem.
The breach was discovered only when customers began replying to the emails asking if they were legitimate (spoiler: they weren’t). At that point, the client called me, and I jumped in to lock things down. I quickly:
- Removed the malicious applications
- Tightened app approval policies so only authorized administrators can grant permissions
- Changed passwords and enforced proper security controls across all accounts
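For readers who want to see what those three steps look like at the command line, here is an added example (it is not code from the original post or from Novak Networx) using the Microsoft Graph PowerShell SDK. When a user "connects" a third-party app in Microsoft 365, Entra ID creates an enterprise application (service principal) plus a delegated OAuth2 permission grant; a grant carrying Mail.Send or Mail.ReadWrite is what lets the app send mail as that user without ever touching the password. The script inventories those grants, checks the directory audit log for the consent events, revokes the grants and deletes the two apps named above, forces the affected users to sign in again, and then changes the tenant policy so that only administrators can consent in future. It assumes the `Microsoft.Graph` module is installed and the operator holds a Global Administrator or Cloud Application Administrator role; the scope regex and the choice to revoke sessions for consenting users are my own, not something the post describes.

```powershell
# Added example (not from the original post): audit and remediate third-party
# OAuth app consents in a Microsoft 365 tenant with the Microsoft Graph PowerShell SDK.
# Assumptions: Install-Module Microsoft.Graph has been run and the operator holds a
# Global Administrator or Cloud Application Administrator role. The two app names
# come from the post; everything else is generic.

# 1. Connect with the scopes needed to read grants, delete them, revoke sessions
#    and change the user consent policy.
Connect-MgGraph -Scopes @(
    "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
    "AuditLog.Read.All",
    "Directory.Read.All",
    "Policy.ReadWrite.Authorization",
    "User.ReadWrite.All"
)

# 2. Inventory: every delegated permission grant in the tenant, joined to the
#    app (client) and the user it applies to, so that Mail.Send granted to an
#    unfamiliar app stands out.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    [pscustomobject]@{
        GrantId     = $_.Id
        App         = $spById[$_.ClientId].DisplayName
        AppId       = $spById[$_.ClientId].AppId
        ConsentType = $_.ConsentType     # "Principal" = one user consented; "AllPrincipals" = admin consent
        UserId      = $_.PrincipalId     # null for AllPrincipals grants
        Scope       = $_.Scope           # space-separated delegated scopes, e.g. "Mail.Send offline_access"
    }
}

# Flag grants that can send mail as the user, the capability abused in this incident.
$mailGrants = $grants | Where-Object { $_.Scope -match '\bMail\.Send\b|\bMail\.ReadWrite\b' }
$mailGrants | Format-Table App, ConsentType, UserId, Scope -AutoSize

# 3. Corroborate with the directory audit log: who consented, when, and from which IP.
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'" -All |
    Select-Object ActivityDateTime,
        @{ n = 'User'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'IP';   e = { $_.InitiatedBy.User.IPAddress } },
        @{ n = 'App';  e = { $_.TargetResources[0].DisplayName } } |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize

# 4. Remediate the named apps: revoke every grant they hold, then delete the
#    enterprise application so its refresh tokens can no longer be redeemed.
$maliciousApps = @("SecureMailMerge", "Sol Inventum Licensing Server")
foreach ($name in $maliciousApps) {
    foreach ($sp in (Get-MgServicePrincipal -Filter "displayName eq '$name'")) {
        Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
            ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
        Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
        Write-Host "Removed enterprise application '$name' ($($sp.AppId))"
    }
}

# 5. Invalidate the sessions the consent was made from: revoking refresh tokens
#    for each user who granted a mail-capable scope forces a fresh sign-in (and MFA).
$mailGrants | Where-Object ConsentType -eq 'Principal' |
    Select-Object -ExpandProperty UserId -Unique |
    ForEach-Object { Revoke-MgUserSignInSession -UserId $_ | Out-Null }

# 6. Policy: stop ordinary users from consenting to apps at all. An empty
#    permissionGrantPoliciesAssigned list means every future third-party app
#    needs an administrator's consent before it gets any permission.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

Run steps 2 and 3 first and read the output before running steps 4 to 6; the inventory is the part worth scheduling on a recurring basis, since a new grant with Mail.Send from an app nobody recognises is exactly the signal that was missing in this incident.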
The takeaway?
You cannot rely on Microsoft’s default setup to fully protect your business accounts. If you run a business, you need proper identity and email security monitoring in place. Without it, you’re one compromised account away from risking your reputation or worse.
Needless to say, we now have this client fully secured with the right monitoring and controls in place. Don’t wait until it happens to you.