
The Attack Your Security Strategy Missed – The European Financial Review

Author: admin_zeelivenews

Published: 12-04-2026, 4:35 PM

By Andrea Sivieri

A new class of attack is targeting the Microsoft 365 tenant itself – manipulating identities, encrypting cloud-held data and extorting firms without deploying a single line of traditional malware. For banks, insurers and other regulated firms, this is not a future threat. It is happening now, and most organisations lack the visibility to detect it.

Most European financial services firms think they have their critical infrastructure locked down. But the reality is much more complicated.

Microsoft 365 sits at the centre of daily operations alongside mission-critical finance infrastructure. It covers identity, collaboration, device management and security across the entire enterprise. Yet many organisations would struggle to prove that it can be trusted with their confidential financial and compliance-regulated data.

In a world where financial services firms are under increasing regulatory pressure, this is a problem. The EU's Digital Operational Resilience Act (DORA), which has applied since January 2025, requires financial entities to continuously monitor, evidence and recover their ICT systems, with cloud platforms explicitly in scope. In the UK, the FCA's Policy Statement PS21/3, Building Operational Resilience, requires banks, insurers and payment firms to identify their important business services and demonstrate that they can remain within impact tolerances when things go wrong.

For the hundreds of thousands of financial services organisations running Microsoft 365, that mandate is increasingly hard to meet.

The threat most security strategies are missing

Ask any CISO how they would respond to a breach of their Microsoft 365 environment, and the answer will usually involve endpoint detection tools, identity logs and a call to Microsoft's security team. What very few of them will mention is the piece that attackers have identified as the most valuable target of all: tenant configuration.

This is not a theoretical threat. Sophisticated threat actors are now routinely gaining an initial foothold inside Microsoft 365 environments and then, rather than immediately exfiltrating data, working methodically through the environment’s controls. They change conditional access policies. They elevate application permissions. They disable multi-factor authentication for targeted accounts. They create new privileged roles. Then they wait.

By the time the damage becomes visible (if it ever does), the attacker has been resident for weeks or months, with unfettered access to some of the most sensitive data an organisation holds. Microsoft's 2024 Digital Defense Report recorded more than 600 million identity attacks every day globally, with password-based attacks accounting for more than 99% of them. In a single month, May 2024, Microsoft detected 176,000 instances of configuration tampering across its customer base.

The visibility gap that attackers exploit

Microsoft 365 is not a single application. It is a fabric of more than sixty interconnected services, including Teams, SharePoint, Exchange Online, Entra ID, Intune and Defender, each carrying its own configuration surface. Across these services, there are over 8,000 individual settings that can be adjusted, combined and exploited. Legacy security tooling was simply not built to monitor this at scale.

Out of the box, nothing in Microsoft 365 alerts you when a conditional access policy is silently modified or an Entra application is granted risky permissions. The change is written to the Entra ID audit log, but turning that entry into an alert is left to you. And attackers know this. Nearly half of large organisations (45%) have experienced a security or compliance incident caused by a Microsoft 365 misconfiguration in the past twelve months. Our analysis of more than 1.6 million users found that 87% of organisations had administrators operating without MFA, and organisations face an average of more than 140,000 failed login attempts every week, a volume that buries genuine intrusion signals in noise.
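To show what catching these changes looks like in practice, here is an added example, written for this edit rather than taken from the article or from CoreView's product. It classifies Entra ID directory-audit records (the Microsoft Graph `directoryAudits` feed, where conditional access edits, role grants, application permission grants and MFA changes are written) into alerts carrying a severity, actor and target. The records are constructed samples, and the exact `modifiedProperties` payloads assumed for the conditional access and app-grant events are an assumption to verify against your own tenant's log before relying on the parsing:

```python
"""Tamper detection over Entra ID directory-audit records (added example, not
CoreView's code). Records follow the Microsoft Graph directoryAudit resource
shape; the samples are constructed, and the modifiedProperties payloads assumed
for conditional access and app-grant events must be verified in your tenant."""
import json

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Security Administrator",
                    "Conditional Access Administrator", "Application Administrator"}
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite",
                    "Mail.Send", "Files.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"}
CA_ACTIVITIES = {"Add conditional access policy", "Update conditional access policy",
                 "Delete conditional access policy"}
ROLE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
GRANT_ACTIVITIES = {"Consent to application", "Add app role assignment to service principal"}


def _decode(value):
    """oldValue/newValue arrive as JSON-encoded strings; decode when possible."""
    try:
        return json.loads(value) if value is not None else None
    except (TypeError, ValueError):
        return value


def _props(record):
    """Flatten modifiedProperties across all targetResources into name -> (old, new)."""
    return {p["displayName"]: (_decode(p.get("oldValue")), _decode(p.get("newValue")))
            for tr in record.get("targetResources", []) for p in tr.get("modifiedProperties", [])}


def _ca_detail(props):
    """What an update did to a policy: disabled it, or dropped its MFA grant control."""
    old, new = props.get("ConditionalAccessPolicy", (None, None))
    old, new = (old if isinstance(old, dict) else {}), (new if isinstance(new, dict) else {})
    notes = []
    if old.get("state") == "enabled" and new.get("state") != "enabled":
        notes.append(f"state enabled -> {new.get('state')}")
    old_ctl = set((old.get("grantControls") or {}).get("builtInControls") or [])
    new_ctl = set((new.get("grantControls") or {}).get("builtInControls") or [])
    if "mfa" in old_ctl and "mfa" not in new_ctl:
        notes.append("mfa grant control removed")
    return "; ".join(notes) or "policy changed"


def evaluate(record):
    """Return an alert dict for a tampering-relevant record, or None for routine activity."""
    activity, props = record.get("activityDisplayName", ""), _props(record)
    init = record.get("initiatedBy") or {}
    base = {"time": record.get("activityDateTime"), "activity": activity,
            "actor": (init.get("user") or {}).get("userPrincipalName")
            or "app:" + (init.get("app") or {}).get("displayName", "?"),
            "targets": [tr.get("userPrincipalName") or tr.get("displayName") or "?"
                        for tr in record.get("targetResources", [])]}
    if activity in CA_ACTIVITIES:
        return {**base, "rule": "conditional-access-change", "severity": "high",
                "detail": _ca_detail(props)}
    if activity in ROLE_ACTIVITIES:
        role = props.get("Role.DisplayName", (None, None))[1] or "?"
        return {**base, "rule": "role-assignment", "detail": f"role {role}",
                "severity": "high" if role in PRIVILEGED_ROLES else "medium"}
    if activity in GRANT_ACTIVITIES:
        granted = " ".join(str(v[1]) for k, v in props.items()
                           if k in ("AppRole.Value", "ConsentAction.Permissions"))
        return {**base, "rule": "app-permission-grant", "detail": f"scopes {granted or '?'}",
                "severity": "high" if any(s in granted for s in HIGH_RISK_SCOPES) else "medium"}
    old, new = props.get("StrongAuthenticationRequirement", (None, None))
    if activity == "Update user" and old and not new:  # per-user MFA requirement cleared
        return {**base, "rule": "per-user-mfa-disabled", "severity": "high",
                "detail": "StrongAuthenticationRequirement cleared"}
    return None


def scan(records):
    """Every record through evaluate(); alerts only, in log order. Sign-in failures never
    reach this path: they live in the separate signIns log, so their volume adds no noise."""
    return [a for a in map(evaluate, records) if a]


def make_record(time, activity, actor, ttype, target, props):
    """Constructed directoryAudit-shaped record; props are (name, oldValue, newValue) triples."""
    key = "userPrincipalName" if ttype == "User" else "displayName"
    return {"activityDateTime": time, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": ttype, key: target, "modifiedProperties": [
                {"displayName": n, "oldValue": o, "newValue": v} for n, o, v in props]}]}


SAMPLE_RECORDS = [  # constructed: the intrusion sequence from the article, then a routine event
    make_record("2026-03-02T02:14:07Z", "Update conditional access policy", "helpdesk@contoso.example",
                "Policy", "Require MFA for all users", [("ConditionalAccessPolicy",
                json.dumps({"state": "enabled", "grantControls": {"builtInControls": ["mfa"]}}),
                json.dumps({"state": "disabled", "grantControls": {"builtInControls": ["mfa"]}}))]),
    make_record("2026-03-02T02:16:40Z", "Add member to role", "helpdesk@contoso.example", "User",
                "svc-backup@contoso.example", [("Role.DisplayName", None, '"Global Administrator"')]),
    make_record("2026-03-02T02:20:11Z", "Add app role assignment to service principal",
                "svc-backup@contoso.example", "ServicePrincipal", "Finance Sync",
                [("AppRole.Value", None, '"Mail.ReadWrite"')]),
    make_record("2026-03-02T02:22:58Z", "Update user", "svc-backup@contoso.example", "User",
                "cfo@contoso.example", [("StrongAuthenticationRequirement",
                json.dumps([{"RelyingParty": "*", "State": 1}]), "[]")]),
    make_record("2026-03-02T09:01:30Z", "Update user", "hr-sync@contoso.example", "User",
                "new.hire@contoso.example", [("Department", None, '"Treasury"')]),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {a['time']} {a['rule']}: {a['detail']} by {a['actor']} on {a['targets']}")
```

The point of reading the directory-audit feed rather than sign-in events is that the 140,000 weekly failed logins never reach this code: they live in the separate sign-in log, so the rules above see only the small number of configuration changes that matter. In production the records would come from a Graph call to `/auditLogs/directoryAudits` or from a Log Analytics export, and the alert dicts would feed a SIEM or ticketing pipeline rather than `print`.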

Five pillars of genuine tenant resilience

Addressing this challenge requires a shift in how organisations think about Microsoft 365 security: away from perimeter defence and reactive incident response, towards continuous tenant resilience. In practice, that means five interconnected capabilities:

  1. Hardening. In every tenant compromise I have examined, the entry point was not a zero-day. It was a misconfigured conditional access policy that no one had touched since deployment. These are fundamentals that too many organisations still treat as optional. A good starting point is aligning configurations with the CIS Microsoft 365 Foundations Benchmark, then continuously remediating weak passwords, absent MFA and misconfigured sharing policies.
  2. Privilege reduction. In many cyberattacks, a single compromised global administrator account is sufficient for total tenant takeover. The answer is not merely to manage privilege but to remove it: partitioning the tenant into virtual segments with administrative boundaries and granting each administrator only the access genuinely required for their specific function. In Entra ID terms, that means scoped roles and administrative units instead of standing tenant-wide assignments, and as few Global Administrators as possible, none of them used for day-to-day work.
  3. Tamper detection. This is where financial services firms can transform incident response, cutting a weeks-long investigation down to minutes. Real-time alerting shows IT teams when an unauthorised configuration change occurs and provides a forensic audit trail of exactly what changed, when and by whom. That trail is the foundation of continuous tenant resilience.
  4. Configuration backup and rapid recovery. Most incident response plans account for data loss, but almost none account for configuration loss. These are not the same problem: after an attack, being able to restore user data is not sufficient. The tenant configuration itself must be recoverable to a known-good state, or organisations face weeks of manual reconfiguration while remaining exposed and operationally impaired.
  5. Operational automation. Resilience is not a one-time project. It requires ongoing management of an attack surface that is complex and constantly expanding. Automating routine governance workflows (licence reviews, user lifecycle management, policy enforcement) reduces both human error and the administrative burden that drives security shortcuts.
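Pillars 3 and 4 come together once a known-good snapshot exists. The following added example (not CoreView's code and not from the article) diffs a baseline export of conditional access policies against the live state, reports the drift field by field, and translates it into the Graph calls that would restore the baseline. The policy objects follow the shape returned by `/identity/conditionalAccess/policies`; both snapshots are constructed, the break-glass account id is assumed, and the plan is generated but not executed:

```python
"""Configuration drift and recovery planning for conditional access policies
(added example, not CoreView's or Microsoft's code). Policy objects follow the
shape of Graph's /identity/conditionalAccess/policies; the two snapshots are
constructed, the break-glass id is assumed, and the plan is produced, not run."""

VOLATILE = {"modifiedDateTime", "createdDateTime"}  # legitimately differ between snapshots
BREAK_GLASS_IDS = {"bg-1"}                          # assumed object ids of emergency-access accounts
GRAPH = "/identity/conditionalAccess/policies"


def flatten(obj, prefix=""):
    """Policy -> {dotted.path: value}; lists of scalars compare order-insensitively."""
    if isinstance(obj, dict):
        return {k: v for key, val in obj.items() for k, v in flatten(val, f"{prefix}{key}.").items()}
    if isinstance(obj, list) and any(isinstance(x, (dict, list)) for x in obj):
        return {k: v for i, val in enumerate(obj) for k, v in flatten(val, f"{prefix}{i}.").items()}
    if isinstance(obj, list):
        return {prefix.rstrip("."): sorted(map(str, obj))}
    return {prefix.rstrip("."): obj}


def diff_policies(baseline, current):
    """Field-level drift between a known-good snapshot and the live tenant, keyed by policy id."""
    base, cur = {p["id"]: p for p in baseline}, {p["id"]: p for p in current}
    report = {"added": sorted(cur.keys() - base.keys()),
              "removed": sorted(base.keys() - cur.keys()), "modified": {}}
    for pid in sorted(base.keys() & cur.keys()):
        b, c = flatten(base[pid]), flatten(cur[pid])
        changes = {k: (b.get(k), c.get(k)) for k in sorted(b.keys() | c.keys())
                   if k.split(".")[0] not in VOLATILE and b.get(k) != c.get(k)}
        if changes:
            report["modified"][pid] = changes
    return report


def restores_break_glass(body):
    """False when an enabled policy would also apply to the emergency accounts (lockout risk)."""
    if body.get("state") != "enabled":
        return True
    users = body.get("conditions", {}).get("users", {})
    return BREAK_GLASS_IDS <= set(users.get("excludeUsers", []))


def _body(policy_obj):
    """Baseline fields a POST/PATCH may carry: drop the id and server-managed timestamps."""
    return {k: v for k, v in policy_obj.items() if k != "id" and k not in VOLATILE}


def recovery_plan(baseline, current):
    """Graph calls that return the tenant to baseline; lockout-risk items are flagged, not skipped."""
    report, base = diff_policies(baseline, current), {p["id"]: p for p in baseline}
    plan = [{"method": "DELETE", "url": f"{GRAPH}/{pid}"} for pid in report["added"]]   # rogue policies
    plan += [{"method": "POST", "url": GRAPH, "body": _body(base[pid])}                 # deleted: recreate
             for pid in report["removed"]]
    plan += [{"method": "PATCH", "url": f"{GRAPH}/{pid}", "body": _body(base[pid])}    # tampered: overwrite
             for pid in report["modified"]]
    for item in plan:
        if "body" in item and not restores_break_glass(item["body"]):
            item["needs_review"] = "baseline policy does not exclude the break-glass accounts"
    return plan


def policy(pid, name, state, controls, exclude=("bg-1",), modified="2025-11-01T10:00:00Z", **extra):
    """Constructed policy object in the Graph shape (sample data only)."""
    return {"id": pid, "displayName": name, "state": state, "modifiedDateTime": modified,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
                           "applications": {"includeApplications": ["All"]}, **extra},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


BASELINE = [  # constructed known-good snapshot taken before the incident
    policy("p-mfa-all", "Require MFA for all users", "enabled", ["mfa"]),
    policy("p-block-legacy", "Block legacy authentication", "enabled", ["block"],
           clientAppTypes=["exchangeActiveSync", "other"]),
]
CURRENT = [  # constructed live snapshot: MFA policy disabled and widened, legacy block gone, rogue policy added
    policy("p-mfa-all", "Require MFA for all users", "disabled", ["mfa"],
           exclude=("bg-1", "svc-backup"), modified="2026-03-02T02:14:07Z"),
    policy("p-rogue", "Maintenance lockout", "enabled", ["block"],
           exclude=("svc-backup",), modified="2026-03-02T02:30:00Z"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(diff_policies(BASELINE, CURRENT), indent=2))
    for step in recovery_plan(BASELINE, CURRENT):
        print(step["method"], step["url"], step.get("needs_review", ""))
```

Two design points matter more than the diff itself. Server-managed timestamps are excluded so that a routine re-save does not read as tampering, and any restore that would re-enable a policy without excluding the emergency-access accounts is flagged for review instead of being applied blindly: restoring the baseline must not lock the responders out. Deleted policies come back under a new id, so a real runbook would also refresh the baseline's references after the POST.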

A new discipline for a new threat

The organisations that will navigate this threat environment most effectively are those that recognise Microsoft 365 for what it is: a piece of critical business infrastructure deserving the same rigorous, continuous security governance as any other enterprise system. The era of assuming that Microsoft’s default settings are adequate, or that a quarterly licence audit constitutes governance, is over.

Attackers have already identified configuration tampering as their preferred route in. The question is not whether your organisation is a target. It is whether you would know. The organisations that successfully answer that question today will define the next decade of operational resilience.

About the Author

Andrea Sivieri is the Chief Product and Technology Officer at CoreView, where he leads Product, Engineering, Architecture, Design, DevOps, and Product Marketing. With over 20 years of experience building and scaling product and technology organizations across the SaaS industry, Andrea brings a rare combination of deep technical fluency and product vision to one of the most operationally complex challenges in enterprise IT: making Microsoft 365 truly governable at scale.
