Microsoft 365 security defaults are a starting point, not a strong finished security posture. Many Sydney businesses assume the default configuration is enough, but important gaps often remain around MFA enforcement, mailbox protections, legacy authentication, alerting, and access controls.
That matters because Microsoft 365 is one of the most heavily targeted business platforms in Australia. If the default setup has not been reviewed and tightened, attackers may only need one weak account or one overlooked setting to get in. This article explains what the default configuration misses and what businesses should lock down first.
Why Microsoft 365 Is a High-Value Target
Microsoft 365 is attractive to attackers for straightforward reasons. It contains email (including sensitive communications, invoices, and credential reset links), documents (financial records, client data, contracts), identity credentials (an M365 account is often the gateway to dozens of connected business systems), and sometimes direct access to cloud storage and collaboration tools used across the whole organisation.
A compromised M365 account gives an attacker the ability to read and send email impersonating the account owner, access files stored in OneDrive and SharePoint, participate in Teams conversations, and potentially pivot to other cloud services using single sign-on. Business email compromise (BEC), where attackers use access to email to redirect payments, request sensitive information, or impersonate executives, is one of the most financially damaging forms of cyber crime targeting Australian businesses. The ACCC’s Targeting Scams report has repeatedly identified BEC as a leading cause of financial losses for Australian organisations.
What Default Microsoft 365 Security Misses
Microsoft 365 ships with a default security configuration that is better than nothing but significantly weaker than what most businesses need. The defaults are designed for broad compatibility, not maximum protection. The main gaps include the following.
MFA not enforced by default. Multi-factor authentication is the single most effective control against credential theft and account takeover. It is not enforced by default across all M365 tenants. Businesses that have not explicitly enabled and enforced MFA are relying on passwords alone, and passwords are regularly compromised through phishing, credential stuffing, and data breaches.
Legacy authentication protocols not blocked. Older authentication protocols (Basic Auth, IMAP, POP3, SMTP Auth in legacy clients) do not support MFA and provide a bypass path for attackers even when MFA is configured. Microsoft has disabled Basic Auth by default in new tenants, but it must still be explicitly verified and blocked in existing ones.
Audit logging not always enabled. Microsoft 365 audit logs record user activity across the platform, including logins, file access, email forwarding rules, and admin changes. These logs are essential for detecting and investigating incidents. Depending on your licence tier, audit logging may not be enabled by default and has a limited retention period.
Email forwarding rules not monitored. Attackers who gain access to an M365 email account frequently create auto-forwarding rules that silently copy all incoming email to an external address. These rules can run undetected for months if no one is monitoring for them. Default M365 configuration does not alert on suspicious forwarding rule creation.
Admin accounts without dedicated protection. Global Administrator accounts in M365 have unrestricted access to the entire tenancy. Using a GA account for day-to-day work, or having GA accounts without separate, protected credentials, creates significant risk if those credentials are compromised.
2026 Threats Targeting M365 Environments
The threat picture has shifted noticeably through 2025 and into 2026. Three attack methods in particular are now common against Australian M365 tenants.
AI-powered phishing. Attackers are using generative AI tools to craft phishing emails that are grammatically flawless, contextually relevant, and personalised to specific organisations. These messages reference real projects, actual staff names, and current business activity scraped from public sources. Traditional phishing awareness was built around spotting obvious grammar errors and generic greetings. Those signals have stopped being reliable. A well-crafted AI phishing email targeting a Sydney accounting firm can reference real client names and recent ASIC filings, making it extremely difficult to distinguish from legitimate correspondence.
Session token theft. Rather than stealing passwords, attackers are stealing active session tokens through malware on endpoint devices, adversary-in-the-middle phishing pages, or compromised browser extensions. A stolen session token grants full access to the M365 account without triggering an MFA prompt, because the session has already been authenticated. This method bypasses even properly configured MFA. Conditional Access policies that evaluate sign-in risk and require re-authentication for suspicious sessions are the primary defence, and these are not part of default M365 configuration.
OAuth app consent attacks. Attackers register malicious applications in Azure AD and trick users into granting permissions through phishing links that look like legitimate Microsoft consent prompts. Once approved, the application has ongoing access to email, files, and calendar data without needing the user’s password or MFA. The ACSC has issued specific advisories about OAuth consent phishing targeting Australian organisations, and it remains one of the most under-detected attack vectors in M365 environments.
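The two activities just described, silent forwarding rules and over-privileged app consents, both leave a trail in the unified audit log. The script below is an added example (not code from the original article or from Milnsbridge) that triages a batch of audit records for them. The records are constructed, and their layout is a simplified version of the JSON the audit log export returns (Operation, UserId, Workload, Parameters as Name/Value pairs); the internal domain list and the set of scopes treated as high privilege are assumptions to adjust per tenant.

```python
"""Triage of Microsoft 365 unified audit log records for two activities
discussed above: mailbox rules that forward mail outside the organisation,
and OAuth application consents that grant broad data access.

Added example, not code from the original article or from Milnsbridge.
The records below are constructed, and their layout is a simplified version
of the JSON the audit log export returns (Operation, UserId, Parameters as a
list of Name/Value pairs); verify field names against a real export.
"""
import json

INTERNAL_DOMAINS = {"example.com.au"}  # assumption: the tenant's own domains

# Assumption: Graph scopes that let an app read or send mail and files on a
# user's behalf, and keep doing so via refresh tokens (offline_access).
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite", "offline_access",
}

# Inbox-rule and mailbox parameters that send mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records, not real tenant data.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com.au",
     "CreationTime": "2026-02-03T01:12:44", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com.au",
     "CreationTime": "2026-02-03T02:00:00", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Team copies"},
                    {"Name": "ForwardTo", "Value": "team@example.com.au"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com.au",
     "CreationTime": "2026-02-03T03:30:10", "Workload": "Exchange",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:archive@external-relay.example"}]},
    {"Operation": "Consent to application.", "UserId": "dave@example.com.au",
     "CreationTime": "2026-02-03T04:05:00", "Workload": "AzureActiveDirectory",
     "AppDisplayName": "PDF Helper",
     "Scopes": "User.Read Mail.ReadWrite offline_access"},
    {"Operation": "Consent to application.", "UserId": "erin@example.com.au",
     "CreationTime": "2026-02-03T04:10:00", "Workload": "AzureActiveDirectory",
     "AppDisplayName": "Calendar Widget", "Scopes": "User.Read"},
]


def _param_map(record):
    """Flatten the Parameters list into {Name: Value}."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is not one of the tenant's own."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):      # Set-Mailbox writes 'smtp:user@domain'
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in internal_domains


def find_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return Exchange operations that set a forwarding target to an external domain."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue
        params = _param_map(rec)
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            targets = [t for t in params[name].split(";") if t.strip()]
            external = [t.strip() for t in targets if is_external(t, internal_domains)]
            if external:
                findings.append({
                    "time": rec["CreationTime"], "user": rec["UserId"],
                    "operation": rec["Operation"], "parameter": name,
                    "targets": external,
                    # A rule that also deletes the message hides the forwarding from the owner.
                    "deletes_original": params.get("DeleteMessage") == "True",
                })
    return findings


def find_risky_consents(records, high_privilege=HIGH_PRIVILEGE_SCOPES):
    """Return application consents whose granted scopes include a high-privilege one."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "Consent to application.":
            continue
        risky = sorted(set(rec.get("Scopes", "").split()) & high_privilege)
        if risky:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "app": rec.get("AppDisplayName"), "risky_scopes": risky})
    return findings


if __name__ == "__main__":
    print(json.dumps({"external_forwarding": find_external_forwarding(SAMPLE_RECORDS),
                      "risky_consents": find_risky_consents(SAMPLE_RECORDS)}, indent=2))
```

On the constructed sample the forwarding check flags Alice's rule (external target, and it deletes the original so the owner never sees the mail) and Carol's mailbox-level forward, while Bob's internal rule passes; the consent check flags only the app that asked for mail access plus a refresh token. Run over a real export on a schedule, the same two lists are what an alert should be raised on.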
The Microsoft 365 Security Baseline
A properly configured M365 environment should include the following controls.
- MFA enforced on all accounts, ideally using Conditional Access policies that enforce MFA based on user, location, device state, and application risk level, rather than a blanket prompt
- OAuth application consent restrictions, limiting which third-party applications users can approve, and requiring admin consent for high-privilege requests
- Legacy authentication blocked, verified and enforced across all users and protocols
- Dedicated Global Admin accounts, separate from day-to-day user accounts, with MFA and Privileged Identity Management (PIM) for just-in-time access
- Audit logging enabled and retained for a minimum of 90 days, preferably 180 days, for incident investigation purposes
- Defender for Office 365, with Safe Links (scanning URLs in email and documents at click time) and Safe Attachments (sandboxing email attachments before delivery), which significantly reduce phishing success rates
- Anti-spoofing controls: SPF, DKIM, and DMARC configured correctly to prevent your domain being used to send phishing emails to your own clients
- External forwarding rules blocked: transport rules preventing users from creating auto-forwarding rules to external addresses
- Intune device compliance: Conditional Access policies requiring that only enrolled, compliant devices can access M365, preventing access from unmanaged personal devices
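"Configured correctly" for the anti-spoofing item in the baseline has concrete meaning: SPF should end in a hard fail and DMARC should carry an enforcing policy with reporting enabled. The evaluator below is an added example (not code from the original article or from Milnsbridge) that scores SPF and DMARC records against those conditions. It takes the TXT records as strings, so it runs offline on the constructed weak, hardened and missing records included; in practice the SPF record comes from the domain's TXT lookup and the DMARC record from the _dmarc subdomain, and DKIM is left out because selector names depend on the sending service.

```python
"""Evaluates whether a domain's SPF and DMARC records are strong enough to
stop the domain being spoofed, as the baseline above requires.

Added example, not code from the original article or from Milnsbridge. It
takes the DNS TXT records as strings, so it runs offline on the constructed
records below; in practice the SPF record comes from the domain's TXT lookup
and the DMARC record from the _dmarc.<domain> TXT lookup. DKIM is not
checked here because the selector names depend on the sending service.
"""
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a weak configuration next to its corrected form.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au; fo=1"}
MISSING = {"spf": None, "dmarc": None}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into {tag: value}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(txt):
    """Return a list of weaknesses in an SPF record (empty means no findings)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = txt.split()[1:]
    # Mechanism/modifier name with qualifier and arguments stripped, e.g. '-all' -> 'all'.
    names = [re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] for t in terms]
    all_terms = [t for t, n in zip(terms, names) if n == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
    else:
        # The qualifier on 'all' decides what happens to senders not listed earlier.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in +all: any sender passes")
        elif qualifier == "?":
            findings.append("SPF ends in ?all: neutral result, nothing for receivers to enforce")
        elif qualifier == "~":
            findings.append("SPF ends in ~all: softfail only, rejection depends on DMARC")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10 (permerror)")
    return findings


def evaluate_dmarc(txt):
    """Return a list of weaknesses in a DMARC record (empty means no findings)."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ["no DMARC record"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, abuse goes unseen")
    return findings


def assess_domain(records):
    """Combine the SPF and DMARC findings for one domain's records."""
    spf, dmarc = evaluate_spf(records.get("spf")), evaluate_dmarc(records.get("dmarc"))
    return {"spf": spf, "dmarc": dmarc, "ok": not spf and not dmarc}


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED), ("missing", MISSING)):
        print(label, assess_domain(records))
```

The weak record pair is the common "set up once and never enforced" state: SPF softfails and DMARC is at p=none, so a receiver sees both and still delivers a spoofed message. Moving to -all and p=reject is the change that makes the two records enforceable; the rua address is what lets you see who is attempting it.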
M365 Licensing and Security Features
Microsoft 365 security capabilities vary significantly by licence tier. Business Basic and Business Standard include the core apps but have limited security features compared to Business Premium. Business Premium includes Microsoft Defender for Business, Intune device management, Defender for Office 365 Plan 1, Entra ID Premium P1, and Azure Information Protection, the full security stack for SMB environments. Most Sydney businesses that are not on Business Premium are missing significant security capabilities. The upgrade cost is often modest relative to the security improvement.
Microsoft 365 Backup and What Microsoft Does Not Cover
A persistent misconception among Sydney businesses is that Microsoft backs up their M365 data. Microsoft does not provide backup in the traditional sense. Microsoft’s infrastructure is highly resilient, with data centres replicated across regions and hardware failures handled transparently, but this protects against Microsoft infrastructure failure, not against accidental deletion, ransomware, malicious insider activity, or retention policy misconfiguration.
Microsoft’s standard retention for deleted items is 30 days in most cases. After that, deleted emails, files, and Teams messages are not recoverable through the standard Microsoft interface. Ransomware that encrypts files in SharePoint or OneDrive can propagate through synchronised devices and, once the 180-day version history is exhausted, leave files unrecoverable without a third-party backup.
Third-party M365 backup provides genuine point-in-time recovery capability that Microsoft’s native tools do not, and for businesses with compliance obligations, it also provides the documentation trail that M365’s native retention policies cannot always satisfy.
Signs Your M365 Environment May Have Been Compromised
Indicators that warrant immediate investigation include the following.
- Staff receiving password reset or MFA change emails they did not initiate
- Clients reporting emails from your domain that you did not send
- Email forwarding rules appearing that no one created
- Unusual login activity in the M365 admin centre, including logins from unfamiliar countries or at unusual times
- Files in OneDrive or SharePoint appearing as modified by users who were not working at that time
- Unusual new inbox rules redirecting or deleting incoming email
- Unknown applications appearing in the Azure AD enterprise applications list
If you see any of these, the priority is immediate. Change the affected account’s password, revoke all active sessions, review and remove any suspicious forwarding rules or inbox rules, and engage your IT support provider to assess the extent of any access. Speed matters. Attackers with email access can do significant damage in a short time if the compromise is not contained quickly.
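The login-related indicators in the list above, and the legacy authentication gap described earlier, can be checked mechanically against the sign-in logs. The script below is an added example (not code from the original article or from Milnsbridge) that triages sign-in records for successful logins over legacy protocols, logins from countries the business does not operate in, and one account appearing in two countries within a short window. The records are constructed and use a simplified subset of the sign-in log fields; the expected-country list, the set of client app names treated as legacy, and the two-hour window are assumptions to adjust per tenant.

```python
"""Triage of Entra ID sign-in records for three indicators discussed above:
successful sign-ins over legacy protocols, sign-ins from countries the
business does not operate in, and one account appearing in two countries
within a short window.

Added example, not code from the original article or from Milnsbridge. The
records are constructed and use a simplified subset of the sign-in log
fields (userPrincipalName, createdDateTime, clientAppUsed,
location.countryOrRegion, status.errorCode); check a real export before
relying on the names, and treat the thresholds below as assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"AU"}  # assumption: no staff working from overseas

# Assumption: clientAppUsed values that indicate legacy (Basic) authentication,
# which cannot satisfy an MFA challenge.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Outlook Anywhere (RPC over HTTP)",
}

# Constructed sample records, not real tenant data. errorCode 0 is success.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com.au", "createdDateTime": "2026-02-03T08:02:11Z",
     "clientAppUsed": "Browser", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com.au", "createdDateTime": "2026-02-03T08:40:00Z",
     "clientAppUsed": "Browser", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com.au", "createdDateTime": "2026-02-03T09:15:30Z",
     "clientAppUsed": "IMAP4", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com.au", "createdDateTime": "2026-02-03T22:05:00Z",
     "clientAppUsed": "Mobile Apps and Desktop clients", "location": {"countryOrRegion": "AU"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com.au", "createdDateTime": "2026-02-03T10:00:00Z",
     "clientAppUsed": "Browser", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
]


def _when(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", 0) == 0


def _country(rec):
    return rec.get("location", {}).get("countryOrRegion", "??")


def find_legacy_auth(records, legacy_apps=LEGACY_CLIENT_APPS):
    """Successful sign-ins through protocols that bypass MFA; each one is a
    candidate for blocking via Conditional Access."""
    return [{"user": r["userPrincipalName"], "time": r["createdDateTime"],
             "client": r.get("clientAppUsed")}
            for r in records if _succeeded(r) and r.get("clientAppUsed") in legacy_apps]


def find_unexpected_countries(records, expected=EXPECTED_COUNTRIES):
    """Sign-ins from outside the expected countries. Successes are the
    compromise indicator; failures still show which accounts are being targeted."""
    return [{"user": r["userPrincipalName"], "time": r["createdDateTime"],
             "country": _country(r), "succeeded": _succeeded(r)}
            for r in records if _country(r) not in expected]


def find_rapid_country_change(records, window=timedelta(hours=2)):
    """One account signing in successfully from two countries within the
    window. Simplified 'impossible travel': no distance calculation."""
    by_user = defaultdict(list)
    for r in records:
        if _succeeded(r):
            by_user[r["userPrincipalName"]].append(r)
    findings = []
    for user, signins in by_user.items():
        signins.sort(key=_when)
        for earlier, later in zip(signins, signins[1:]):
            gap = _when(later) - _when(earlier)
            if _country(earlier) != _country(later) and gap <= window:
                findings.append({"user": user, "countries": (_country(earlier), _country(later)),
                                 "minutes_apart": round(gap.total_seconds() / 60, 1)})
    return findings


if __name__ == "__main__":
    for name, fn in (("legacy_auth", find_legacy_auth),
                     ("unexpected_countries", find_unexpected_countries),
                     ("rapid_country_change", find_rapid_country_change)):
        print(name, fn(SAMPLE_SIGNINS))
```

On the constructed sample, Alice's account is the one that needs the response steps above (password change, session revocation, rule review): it signed in from Australia and then Nigeria 38 minutes apart. Bob's IMAP login is not a compromise on its own, but it shows legacy authentication is still reachable, and Dave's failed login from the US is a password-guessing signal rather than an intrusion.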
How Milnsbridge Manages Microsoft 365 Security
Microsoft 365 management is included in all Milnsbridge plans. At the Growth level ($99 per seat per month), M365 management covers user provisioning and deprovisioning, licence management, security configuration, MFA enforcement, and monitoring of the M365 environment alongside all other managed devices.
Email security, including cloud-hosted filtering, anti-phishing, and anti-spoofing, is included across all plans. DNS filtering (DNSFilter) blocks access to malicious sites at the network level, providing a layer of protection beyond what M365 itself delivers. Duo MFA enforcement across all accounts and applications is available as a separately quoted add-on for businesses requiring granular MFA policy control beyond what native M365 Conditional Access provides.
For businesses handling sensitive data or with compliance obligations, we conduct M365 security configuration reviews aligned with industry benchmarks and ACSC guidance, identifying gaps in the current configuration and providing a prioritised remediation plan.
Milnsbridge holds a 4.9-star Google rating across 99 reviews. We operate on straightforward 12-month agreements with a 10-seat minimum, serving organisations from 10 to 200 seats. Adrian Weir founded Milnsbridge in 2002 following a career spanning 30-plus years in senior IT roles at Telstra, Citibank, and Unilever. Milnsbridge is a Microsoft Solutions Partner with offices in Penrith and the Sydney CBD.
For reliable Microsoft 365 support Sydney businesses can count on, contact Milnsbridge. Whether you need M365 security for business or a full managed IT partnership, review our per-seat pricing or see our complete cyber security services.
About the Author
Adrian Weir
Adrian Weir is the Managing Director and founder of Milnsbridge Managed IT Services, with over 30 years of global IT experience spanning Telstra, Citibank, Unilever, and hundreds of Sydney SMBs. A Microsoft Partner since 2002, Adrian leads a team of IT specialists delivering responsive, business-focused managed IT support across Greater Sydney.