Microsoft 365 security: threats and defence
Microsoft 365 security is about protecting identity, email and data in the Microsoft cloud ecosystem. The main threat today is not the password but the session: AiTM attacks and OAuth token theft bypass classic MFA, followed by BEC and fraud. Defence requires post-authentication identity protection (ITDR), AiTM anti-phishing and continuous detection & response on the Defender platform.
The perimeter is identity
With Microsoft 365 the data and the identity live in the cloud: the perimeter is no longer the network, it is identity. Attackers know this, and they have stopped stealing passwords: they steal sessions. This is the shift that makes classic MFA necessary but no longer sufficient.
The session is the new credential
In AiTM and device-code attacks, the attacker captures the session token after legitimate authentication: they get into M365 without triggering alerts and can stay for weeks. From there BEC begins: inbox rules to hide alerts, payment diversion, exfiltration, all through legitimate APIs.
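The inbox-rule step is one of the few post-compromise actions that leaves a clear trace in the Exchange Online audit log. The detection below is an added example, not Fortgale's code: it flags rule creations that hide finance-related mail or forward it outside the tenant. It assumes audit records shaped like Exchange admin audit entries (an Operation plus a Parameters list of Name/Value pairs, values simplified) and runs over constructed sample records.

```python
# Added example (not Fortgale's code): flag inbox rules typical of a BEC
# post-compromise, i.e. hiding finance mail or forwarding it externally.
# Records follow the shape of Exchange Online admin audit entries (Operation
# plus a Parameters list of Name/Value pairs); values and records are constructed.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}
HIDING_FOLDERS = {"rss subscriptions", "archive", "deleted items", "junk email"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
SAMPLE_AUDIT = [  # constructed sample records, not real tenant data
    {"UserId": "cfo@example.test", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "cfo@example.test", "Operation": "Set-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "collector@attacker-mail.invalid"}]},
    {"UserId": "alice@example.test", "Operation": "New-InboxRule", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def suspicious_reasons(record, tenant_domain):
    """Return the reasons a rule record looks like BEC tradecraft (empty list if none)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = _params(record)
    reasons = []
    # Finance-related mail routed out of sight: deleted, marked read, or parked in an unwatched folder.
    words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower().split(";")
    hidden = (p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
              or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    if hidden and FINANCE_WORDS & {w.strip() for w in words}:
        reasons.append("finance keywords hidden from the mailbox owner")
    # Any forward or redirect to an address outside the tenant domain.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in filter(None, p.get(key, "").split(";")):
            if not addr.strip().lower().endswith(tenant_domain):
                reasons.append(f"{key} to external address {addr.strip()}")
    if len(p.get("Name", "").strip()) <= 2:  # rules named "." or "a" are a common tell
        reasons.append("near-empty rule name")
    return reasons

def find_suspicious_rules(records, tenant_domain):
    """Return one hit (user, source IP, reasons) per record that raised at least one reason."""
    return [{"user": r["UserId"], "ip": r.get("ClientIP"), "reasons": rs}
            for r in records if (rs := suspicious_reasons(r, tenant_domain))]
```

On the sample set the two rules created from 203.0.113.7 are flagged, the newsletter rule is not; in production the same check would run over Search-UnifiedAuditLog output or the Sentinel OfficeActivity table.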
Defending M365 for real
Three levers: identity (ITDR, advanced Conditional Access, FIDO2/passkey), AiTM anti-phishing that blocks before credentials are entered, and continuous detection & response on the Defender and Sentinel platform, operated by a 24·7 SOC. The service: MDR on Microsoft Defender.
M365 threat → defence
| Threat | What it does | Defence |
|---|---|---|
| AiTM phishing | Intercepts credentials and tokens through a reverse proxy | AiTM anti-phishing, FIDO2/passkey |
| OAuth token theft | Uses the session, skips MFA | ITDR, post-auth anomaly detection |
| BEC | Fraud via compromised mailbox | Behavioural detection, MDR |
The analysis of the PhaaS platform Kali365 (800 domains mapped) shows how OAuth token theft after legitimate authentication bypasses classic MFA on Microsoft 365: the proof that post-authentication identity protection is needed.
Read the analysis.
Frequently asked.
Is MFA enough to protect Microsoft 365?
No, not on its own. AiTM attacks and session token theft bypass classic MFA by stealing the session after authentication. You need FIDO2/passkey, AiTM anti-phishing and post-authentication identity protection (ITDR).
What is an AiTM attack on M365?
AiTM (Adversary-in-the-Middle) is reverse-proxy phishing that intercepts credentials and session tokens in real time, allowing access even with MFA enabled. See AiTM phishing protection.
What is BEC (Business Email Compromise)?
It is fraud that starts from a compromised mailbox: the attacker reads the threads, inserts themselves and diverts payments or data. It uses no malware: legitimate tokens and APIs, so the endpoint sees nothing.
How do you protect Microsoft 365?
Identity (ITDR, Conditional Access, FIDO2), AiTM anti-phishing, and continuous detection & response on the Defender and Sentinel platform operated by a 24·7 SOC. See MDR on Microsoft Defender.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: MDR on Microsoft Defender.
Related resources: AiTM phishing protection · Identity protection (ITDR) · What is MDR
A technical conversation, not a funnel.
Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.