
Cybercriminals Targeting Your Employees to Gain M365 Tenant Access
An engineering firm in Indianapolis came to TeamMIS after their business ground to a halt. Cybercriminals had seized control of their Microsoft 365 tenant, locked out their legitimate users, and deployed ransomware across their network. By the time they reached us, they were losing $70,000 per day in downtime.
The initial entry point? One employee who clicked a link in a phishing email.
This is not a rare or exotic attack. It is the most common way criminals break into businesses today. And if your team uses Microsoft 365, you need to understand exactly how this works and what you can do to stop it.
How Criminals Get In: The Phishing Playbook
Phishing attacks targeting M365 users have become highly sophisticated. Criminals craft emails that look exactly like legitimate Microsoft notifications, internal IT alerts, or messages from a colleague or executive. They use real logos, familiar formatting, and language designed to trigger one emotion above all others: urgency.
Common tactics include:
- Fake Microsoft login prompts warning that your account will be suspended
- Spoofed emails appearing to come from your CEO, HR or IT department
- Shared document notifications that mimic OneDrive or SharePoint alerts
- Invoice or payment emails that impersonate a known vendor
Why Employees Get Fooled
The emails are convincing because criminals do their homework. They research your company, find employee names on LinkedIn, and tailor their messages accordingly. When an email appears to come from your IT department telling you to verify your credentials immediately or lose access, most people do not stop to question it. They click.
A few factors make employees especially vulnerable:
- Mobile viewing makes it nearly impossible to inspect URLs before clicking
- Email volume and fatigue mean people process messages quickly, not carefully
- Social engineering exploits authority, fear, and curiosity to lower a person’s guard
- Lookalike domains and shortened URLs disguise the true destination of a link
How Criminals Capture Your Credentials
When an employee clicks the phishing link, they land on a page that is an exact visual copy of the Microsoft 365 login portal. Every logo, color, and font matches what they expect to see. They enter their username and password, and those credentials are instantly captured by the attacker.
Modern phishing attacks have also found ways to defeat multi-factor authentication. Two of the most common techniques are:
- MFA Fatigue (Push Bombing): Criminals trigger repeated MFA push notifications until a frustrated employee taps ‘Approve’ just to make them stop.
- Adversary-in-the-Middle (AiTM) Attacks: The phishing site acts as a relay, capturing not just credentials but active session tokens, which bypass MFA entirely.
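Both techniques leave a trace in identity-provider sign-in and MFA logs, which is where a defender catches them. The Python below is an added illustration, not TeamMIS tooling, and runs two detection rules over a constructed log: a user who approves a push only after rejecting a burst of them (push bombing), and a session token that is presented from a second IP address shortly after it was issued (the footprint of a relayed session). The event names, fields, thresholds and sample records are this example's own assumptions, not a vendor's log schema.

```python
"""Added example (not TeamMIS code): defender-side rules for MFA fatigue and
session-token reuse, run over a constructed sign-in log. Map the event types
and fields to the equivalents in your identity provider's sign-in logs."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, source IP, event type, session id).
# jdoe is push-bombed: five pushes rejected in four minutes, then one approved.
# bchen's session token is issued to one IP and presented from another eleven
# minutes later, the pattern a relayed (AiTM) session leaves behind.
EVENTS = [
    ("2025-01-10T09:00:05", "jdoe",   "198.51.100.7", "mfa_push_denied",   None),
    ("2025-01-10T09:00:40", "jdoe",   "198.51.100.7", "mfa_push_denied",   None),
    ("2025-01-10T09:01:30", "jdoe",   "198.51.100.7", "mfa_push_denied",   None),
    ("2025-01-10T09:02:50", "jdoe",   "198.51.100.7", "mfa_push_denied",   None),
    ("2025-01-10T09:03:55", "jdoe",   "198.51.100.7", "mfa_push_denied",   None),
    ("2025-01-10T09:04:30", "jdoe",   "198.51.100.7", "mfa_push_approved", "S-11"),
    ("2025-01-10T09:10:00", "asmith", "203.0.113.20", "mfa_push_denied",   None),
    ("2025-01-10T09:10:45", "asmith", "203.0.113.20", "mfa_push_approved", "S-12"),
    ("2025-01-10T09:11:00", "asmith", "203.0.113.20", "token_used",        "S-12"),
    ("2025-01-10T09:20:00", "bchen",  "203.0.113.30", "mfa_push_approved", "S-42"),
    ("2025-01-10T09:31:00", "bchen",  "192.0.2.55",   "token_used",        "S-42"),
]

FATIGUE_PROMPTS = 4                  # rejected pushes needed before an approval alerts
FATIGUE_WINDOW = timedelta(minutes=10)
REUSE_WINDOW = timedelta(hours=1)    # a token changing IP this fast is suspicious


def _ts(event):
    return datetime.fromisoformat(event[0])


def detect_mfa_fatigue(events):
    """Alert when a user approves a push after rejecting FATIGUE_PROMPTS or more
    within FATIGUE_WINDOW. Returns (user, approval timestamp, rejected count)."""
    alerts = []
    rejected = defaultdict(deque)          # user -> recent rejection times
    for ev in sorted(events, key=_ts):
        ts, user, _, kind, _ = ev
        when = _ts(ev)
        q = rejected[user]
        while q and when - q[0] > FATIGUE_WINDOW:   # expire old rejections
            q.popleft()
        if kind == "mfa_push_denied":
            q.append(when)
        elif kind == "mfa_push_approved":
            if len(q) >= FATIGUE_PROMPTS:
                alerts.append((user, ts, len(q)))
            q.clear()
    return alerts


def detect_session_reuse(events):
    """Alert when a session id is presented from a second IP within REUSE_WINDOW
    of its first use. Returns (user, session, first IP, new IP). Roaming users
    and VPNs produce benign hits, so corroborate with device and location data."""
    alerts = []
    first_seen = {}                        # session -> (ip, first time seen)
    for ev in sorted(events, key=_ts):
        _, user, ip, _, session = ev
        if session is None:
            continue
        when = _ts(ev)
        if session not in first_seen:
            first_seen[session] = (ip, when)
            continue
        ip0, t0 = first_seen[session]
        if ip != ip0 and when - t0 <= REUSE_WINDOW:
            alerts.append((user, session, ip0, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print("MFA fatigue:", alert)
    for alert in detect_session_reuse(EVENTS):
        print("session reuse:", alert)
```

The thresholds are deliberately conservative; tune them against a week of your own sign-in data before alerting on them, and treat a session-reuse hit as a prompt to revoke the session and re-authenticate the user rather than as proof of compromise on its own.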
What “Owning the Microsoft Tenant” Really Means
When criminals capture valid M365 credentials, they do not just access one inbox. They gain entry to your entire Microsoft environment, known as your Microsoft tenant. Think of the tenant as the master account that controls everything your organization does inside Microsoft. It includes:
- Email, calendar, and contacts for every user in your organization
- SharePoint and OneDrive files, including sensitive documents and financial records
- Microsoft Teams conversations and channels
- Third-party applications connected to your M365 account
- Azure Active Directory, where attackers can create new admin accounts and lock out your real ones
Once inside, attackers move quietly. They read emails to understand your business relationships, identify key contacts, and wait for the right moment. They may lurk for weeks before making their move.
From Intrusion to Ransomware: What Happens Next
The company that came to us had experienced the full attack chain. After capturing credentials, the criminals gained administrator access to the Microsoft tenant. They created a backdoor account, began exfiltrating sensitive data, and then deployed ransomware, encrypting files across the network. At $70,000 per day in losses, every hour without containment compounded the damage. Recovery took weeks and carried significant legal and reputational costs on top of the direct financial hit.
The attack progression typically follows this path:
- Credential theft via phishing
- Silent reconnaissance inside the network
- Lateral movement to additional accounts and systems
- Data exfiltration for leverage or sale
- Ransomware deployment to maximize damage and demand payment
What Employees Should Watch For
Security awareness training is one of the most cost-effective defenses available. Here is what every employee on your team should know:
- Check the sender’s actual email domain, not just the display name
- Hover over links before clicking to see the real destination URL
- When in doubt, navigate directly to the application rather than clicking the link in the email
- Verify unusual requests through a separate channel, such as a phone call or Teams message
- Report suspicious emails to IT immediately rather than simply deleting them
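The first two checks on that list, and the lookalike-domain and shortened-URL tricks described earlier, can also be applied automatically to a message that an employee reports. The Python below is an added example, not TeamMIS code: it parses a constructed phishing email, compares the display name with the sender's real domain, flags a Reply-To that points elsewhere, extracts every link, and reports shorteners, link text that disagrees with the real destination, and hosts that imitate a trusted domain by homoglyphs, a one-character change, a hyphenated brand name, or a trusted domain buried in a longer hostname. The trusted-domain list, shortener list and both sample messages are constructed for this example; the two-label "registrable domain" shortcut is a simplification that a production tool would replace with a public-suffix list.

```python
"""Added example (not TeamMIS code): static phishing indicators over a reported
message. All domains, lists and sample mail below are constructed."""

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brands the organisation trusts and wants lookalikes flagged for.
TRUSTED_DOMAINS = ["microsoft.com", "office.com", "sharepoint.com", "example-corp.com"]
# Constructed, not exhaustive: shorteners hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
# Digits and letters attackers commonly swap for visually similar ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalise(label):
    """Fold homoglyphs so 'micr0soft' and 'rnicrosoft' compare equal to 'microsoft'."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); good enough for this example."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is clean."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    brand = normalise(dom.rsplit(".", 1)[0])
    for trusted in TRUSTED_DOMAINS:
        tbrand = trusted.rsplit(".", 1)[0]
        if (brand == tbrand or edit_distance(brand, tbrand) == 1
                or brand.startswith(tbrand + "-") or brand.endswith("-" + tbrand)
                or f".{trusted}." in f".{host}."):       # e.g. office.com.evil.example
            return trusted
    return None


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Display name claims a trusted brand that the sending domain does not belong to.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display.lower() and registrable_domain(sender_domain) != trusted:
            findings.append(f"display-name-mismatch: '{display}' but sender is {sender_domain}")
            break
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in SHORTENERS:
            findings.append(f"shortener: {href}")
        brand = lookalike_of(host)
        if brand:
            findings.append(f"lookalike: {host} imitates {brand}")
        shown = urlparse(text.strip()).hostname
        if shown and shown != host:
            findings.append(f"link-text-mismatch: shows {shown}, goes to {host}")
    return findings


# Constructed phishing sample: brand in the display name, off-domain Reply-To,
# a homoglyph host, a shortener, and a trusted domain buried in a hostname.
PHISH = """From: "Microsoft 365 Security" <alerts@micr0soft-login.com>
Reply-To: helpdesk@mail-relay.example.net
Subject: Action required: your account will be suspended
Content-Type: text/html

<p>Your mailbox will be disabled in 24 hours.</p>
<a href="https://micr0soft-login.com/verify">https://login.microsoft.com/</a>
<a href="https://bit.ly/3abcXYZ">Review activity</a>
<a href="https://portal.office.com.secure-docs.example.net/login">Open document</a>
"""

# Constructed legitimate sample for comparison.
CLEAN = """From: "IT Helpdesk" <helpdesk@example-corp.com>
Subject: Monthly maintenance window
Content-Type: text/html

<p>Sign in as usual at <a href="https://portal.office.com/">the Office portal</a>.</p>
"""

if __name__ == "__main__":
    for line in check_message(PHISH):
        print(line)
    print("clean message findings:", check_message(CLEAN))
```

A tool like this belongs behind the "report suspicious email" button, not in front of it: it gives the responder a quick triage summary, but employees should still report anything that feels wrong, since a well-crafted message can pass every static check here.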
How TeamMIS Protects You: The Power of Layered Security
When protecting your business, there is a common misconception that buying an ‘all-in-one’ security package from a single vendor is the best approach. After all, having 70,000 different security vendors out there makes choosing the right solution feel impossible. However, at TeamMIS, we strongly advise against the unified threat management approach.
Why ‘One Throat to Choke’ is ‘One Throat to Bypass’
Many vendors want to sell you their entire ecosystem, promising that they can do it all. The problem with this model is simple: one throat to choke is one throat to bypass. If an attacker figures out how to subvert that single vendor’s system, your entire network is compromised. Vendors may have the answer to their particular piece of the market, but they rarely cover the entire scope of what you need holistically.
Instead, the best defense relies on a true layered security approach using different vendors for different controls. Yes, you have to manage some compatibilities, but each tool brings its own unique strengths to your defense strategy.
Our Recommended Layered Security Stack
To build a robust, proactive defense, we recommend deploying specialized tools at every layer of your infrastructure. Here is a look at the types of solutions we trust to keep our clients secure:
- Security Awareness & Training: Simulated phishing exercises & employee education (Zix/AppRiver email filtering).
- M365, Cloud & Email Security: Microsoft 365 hardening with Conditional Access policies + rigorous email filtering.
- Network Perimeter Protection: Robust edge firewalls and secure switching (Cisco Meraki) to protect your boundaries and prevent lateral movement with Zero Trust access controls.
- Patch Management & Vulnerability Remediation: Continuous monitoring, patching, and remediation (N-able) to close vulnerabilities before attackers exploit them.
- Endpoint Detection & Managed Response (EDR/MDR): Advanced monitoring (e.g., SentinelOne) with 24/7 threat detection, behavioral anomaly analysis, Canary tripwires for breach alerts, and rapid containment.
- Data Protection & Recovery: Secure backup & information management (OpenText).
- Zero Trust Access: Strict credential controls preventing lateral movement across your environment.
- Incident Response Planning: Documented, tested response plans to guide the critical first hours of any attack.
In the end, small security habits done consistently are what stop big security problems before they start. Relying on a carefully curated stack of specialized tools ensures that even if one layer fails, the next layer is there to stop the threat.
Do Not Wait for a $70,000 Day
The company that reached out to us after their attack is recovering, but the financial and operational damage was severe and largely preventable. The entry point was a single employee click on a single phishing email.
How confident are you that your team could recognize today’s phishing attempts? Find out where you stand.
TeamMIS works with Indianapolis businesses every day to build the layered security posture that stops these attacks before they start.
Contact TeamMIS today to schedule a complimentary security review.
