Misconfigured Microsoft 365: A Growing Threat Surface
Microsoft 365 has become the backbone of modern business productivity. From Exchange Online and Teams to SharePoint, Power Apps, and Power Pages, its integrated services allow organizations to collaborate at scale. But with convenience comes complexity—and with complexity, misconfiguration risk.
In recent years, attackers have increasingly exploited vulnerabilities created not by Microsoft itself, but by how administrators configure (or fail to configure) their tenants. The result? Sensitive data exposure, spoofing vulnerabilities, and business email compromise (BEC) attacks that bypass the very defenses organizations believe are in place.
The Rising Risk of Misconfigured Exchange Online
Email remains one of the most targeted entry points for cybercriminals—and misconfigured Microsoft Exchange environments are fueling the fire.
A 2023 update to how Microsoft Exchange Online handles Domain-based Message Authentication, Reporting, and Conformance (DMARC) was meant to strengthen email authentication. Specifically, Microsoft announced that Exchange Online would begin honoring sender DMARC policies by default. This means that if an incoming email fails DMARC validation and the sender’s domain is configured with a “p=reject” or “p=quarantine” policy, Exchange Online will appropriately reject or quarantine the message. This change was intended to bolster defenses against spoofed emails and phishing campaigns.
However, many administrators have yet to implement the necessary supporting configurations to ensure these protections are actually enforced—especially in hybrid environments or when third-party email security solutions are involved. In such setups, Exchange Online may not evaluate DMARC, SPF, or DKIM policies correctly unless enhanced filtering is enabled and inbound connectors are properly locked down.
The result? Despite Microsoft’s efforts, organizations remain exposed to spoofing if they haven’t adapted their infrastructure accordingly. This includes risks like:
- DMARC checks being bypassed when MX records point to external services that aren't properly integrated.
- Spoofed messages appearing trustworthy to end users due to improperly handled authentication protocols.
- Inbound traffic flowing freely through unsecured connectors that were never updated to comply with Microsoft’s latest standards.
It is essential for organizations to revisit their DMARC, SPF, and DKIM implementations—not just in DNS records, but in how their mail flow architecture actually enforces those policies inside Microsoft 365.
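To make the enforcement logic concrete, the following is an added Python model (not Microsoft's or Exchange Online's code) of how a DMARC disposition is derived from SPF and DKIM alignment plus the published policy, and why the outcome differs when the connecting IP is a third-party gateway rather than the true sender. Every domain, IP address and DNS record below is constructed so the script runs offline.

```python
"""Model of the DMARC disposition logic described above.

Added example, not Exchange Online's implementation.  The SPF/DMARC records
and addresses are constructed stand-ins for DNS lookups (no network needed).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups.  Only the ip4: mechanism with a
# terminal -all is modelled for SPF; the pct= and sp= DMARC tags are ignored.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "example.org": "v=DMARC1; p=quarantine",
}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC syntax) into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational domain (last two labels).  Real receivers use the
    Public Suffix List; two labels are enough for the constructed data."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain_a, domain_b, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' (relaxed)
    needs the same organizational domain."""
    a, b = domain_a.lower(), domain_b.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def spf_result(client_ip, mail_from_domain):
    """Minimal SPF check of the connecting IP against the constructed record."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
    return "fail"


def dmarc_disposition(header_from, mail_from_domain, client_ip, dkim_pass_domains):
    """Return (dmarc_result, action) for one message.

    header_from is the RFC5322.From domain, mail_from_domain the envelope
    sender domain, client_ip the IP the receiver believes connected, and
    dkim_pass_domains the d= values of signatures that verified."""
    policy = DMARC_RECORDS.get(header_from.lower())
    if policy is None:
        return "none", "deliver"            # no published policy: nothing to enforce
    tags = parse_tags(policy)
    spf_ok = (spf_result(client_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, header_from, tags.get("aspf", "r")))
    dkim_ok = any(aligned(d, header_from, tags.get("adkim", "r")) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
    return "fail", action


def gateway_comparison():
    """Legitimate, unsigned mail from example.com (true source 203.0.113.5)
    relayed through a third-party gateway at 192.0.2.10 (both constructed).
    Without enhanced filtering the tenant evaluates SPF against the gateway's
    IP; with it, the original client IP is used."""
    via_gateway = dmarc_disposition("example.com", "example.com", "192.0.2.10", [])
    true_source = dmarc_disposition("example.com", "example.com", "203.0.113.5", [])
    return {"without_enhanced_filtering": via_gateway,
            "with_enhanced_filtering": true_source}


if __name__ == "__main__":
    for label, outcome in gateway_comparison().items():
        print(f"{label}: dmarc={outcome[0]} action={outcome[1]}")
```

The comparison shows the operational consequence the article describes: if the tenant only ever sees the gateway's IP, SPF fails for legitimate mail, DMARC fails with it, and a p=reject domain's mail is rejected. Administrators who respond by relaxing or skipping authentication on the connector then lose the protection for spoofed mail as well, which is why the connecting-IP handling (enhanced filtering) and connector lockdown matter as much as the DNS records themselves.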
Data Leaks in Low-Code Tools: Power Apps and Power Pages
Misconfiguration risks are not limited to Exchange.
Power Apps and Power Pages—Microsoft’s low-code platforms for building web apps and portals—have been at the center of some of the most significant accidental data exposures in recent memory:
- In 2021, 38 million records from government agencies and private enterprises were exposed through misconfigured Power Apps portals.
- In 2024, over 1.1 million NHS workers had their PII exposed via misconfigured permissions in Microsoft Power Pages.
These incidents weren’t the result of malicious actors exploiting zero-day vulnerabilities. Instead, they stemmed from:
- Improper use of the ‘anonymous role’ in Power Pages, granting unauthenticated users access to sensitive tables and APIs.
- Failure to enable table-level security, allowing data lists to be fetched without restrictions.
- Default behaviors that permitted self-registration and login functionality without rigorous RBAC or field masking.
- Misunderstanding of low-code tools, where citizen developers unintentionally created externally facing websites that leaked sensitive information.
Microsoft has since changed defaults and added admin console warnings—but the platform still depends heavily on user understanding and proper configuration.
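The permission pattern behind these exposures is easier to see in code. The block below is an added, simplified Python model of Power Pages table permissions (web roles, an access type, a set of privileges); it is not Microsoft's implementation, and the tables, rows and role names are constructed. It contrasts a Global read permission granted to the Anonymous Users role with the same table restricted to the signed-in contact's own records.

```python
"""Simplified model of Power Pages table permissions (added example).

Constructed data throughout.  Only the Read privilege and the Global,
Contact and Self access types are modelled; real Power Pages has more.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANONYMOUS = "Anonymous Users"
AUTHENTICATED = "Authenticated Users"


@dataclass
class TablePermission:
    table: str
    access_type: str          # "Global", "Contact" or "Self"
    privileges: Set[str]
    web_roles: Set[str]


@dataclass
class Visitor:
    contact_id: Optional[str]  # None for an anonymous visitor
    web_roles: Set[str]


# Constructed sample data.  'contact' rows are the contacts themselves;
# 'case' rows link back to a contact via contact_id.
ROWS: Dict[str, List[dict]] = {
    "contact": [
        {"id": "c1", "name": "Alice", "email": "alice@example.test"},
        {"id": "c2", "name": "Bob", "email": "bob@example.test"},
    ],
    "case": [
        {"id": "k1", "contact_id": "c1", "title": "Payroll query"},
        {"id": "k2", "contact_id": "c2", "title": "Address change"},
    ],
}


def readable_rows(visitor: Visitor, table: str, permissions: List[TablePermission],
                  rows: Dict[str, List[dict]]) -> List[dict]:
    """Rows of `table` the visitor may read.

    With no matching permission record nothing is returned (deny by default).
    Global exposes every row to everyone in the role; Contact limits to rows
    whose contact_id is the signed-in contact; Self limits the contact table
    to the visitor's own record."""
    visible: List[dict] = []
    for perm in permissions:
        if perm.table != table or "Read" not in perm.privileges:
            continue
        if not (perm.web_roles & visitor.web_roles):
            continue
        if perm.access_type == "Global":
            return list(rows[table])
        if visitor.contact_id is None:
            continue                      # scoped access needs a signed-in contact
        for row in rows[table]:
            owner = row["id"] if perm.access_type == "Self" else row.get("contact_id")
            if owner == visitor.contact_id and row not in visible:
                visible.append(row)
    return visible


def misconfigured_permissions() -> List[TablePermission]:
    """The pattern behind the incidents above: Global read on a table holding
    personal data, assigned to the Anonymous Users role."""
    return [TablePermission("contact", "Global", {"Read"}, {ANONYMOUS, AUTHENTICATED}),
            TablePermission("case", "Global", {"Read"}, {ANONYMOUS, AUTHENTICATED})]


def hardened_permissions() -> List[TablePermission]:
    """Same tables: authenticated users read only their own contact record and
    their own cases; anonymous visitors have no permission record at all."""
    return [TablePermission("contact", "Self", {"Read"}, {AUTHENTICATED}),
            TablePermission("case", "Contact", {"Read"}, {AUTHENTICATED})]


def exposure_count(visitor: Visitor, table: str, permissions: List[TablePermission]) -> int:
    """How many rows of `table` this visitor can fetch under `permissions`."""
    return len(readable_rows(visitor, table, permissions, ROWS))


if __name__ == "__main__":
    anon = Visitor(None, {ANONYMOUS})
    alice = Visitor("c1", {AUTHENTICATED})
    for name, perms in (("misconfigured", misconfigured_permissions()),
                        ("hardened", hardened_permissions())):
        print(name, "anonymous sees", exposure_count(anon, "contact", perms), "contacts;",
              "Alice sees", exposure_count(alice, "case", perms), "cases")
```

A configuration review of a Power Pages site can be framed as exactly this question: for each table reachable through lists or the Web API, which web roles hold a Read permission, and with what access type. Any Global permission assigned to the Anonymous Users role on a table containing personal data is the condition the incidents above share.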
Beyond the Platform: Why Misconfigurations Persist
Misconfigurations in Microsoft 365 don’t occur in a vacuum. They stem from:
- Complex integrations between on-prem and cloud systems.
- Decentralized admin models, where different departments control parts of the environment.
- Overreliance on default settings that prioritize usability over security.
- Limited visibility into current security posture or misapplied policies.
- Assumptions that “secure by default” means “secure enough.”
Unfortunately, these assumptions can lead to real-world consequences—from spoofed executive emails to unauthorized data exposure on the public internet.
What Can Organizations Do?
Mitigating Microsoft 365 misconfigurations requires a proactive and expert-led approach:
- Audit and harden inbound connectors in Exchange, especially in hybrid or third-party MX scenarios.
- Verify SPF, DKIM, and DMARC configurations—and don’t assume they’re enforced by default.
- Use enhanced filtering and define strict transport rules to restrict unauthenticated traffic.
- Secure Power Platform deployments with proper role-based access controls (RBAC), table permissions, and column-level obfuscation.
- Review permissions regularly, especially for anonymous or external users.
- Conduct detailed configuration reviews of all key services: Exchange, Teams, SharePoint, Defender, and Power Platform tools.
Compass Can Help You Uncover—and Remediate—M365 Misconfigurations
At Compass, we’ve seen firsthand how seemingly small misconfigurations can open the door to major security risks. That’s why we offer a comprehensive Microsoft 365 Security Assessment aligned with CISA’s Secure Cloud Business Applications (SCuBA) standard.
We evaluate tenant configurations, access controls, and security policies across key services like Exchange Online, SharePoint, Teams, Defender, and Azure AD. Our assessment includes a detailed conformance report—and we’ll help remediate identified issues.
Misconfigurations are preventable. Reach out today to learn how Compass can help secure your Microsoft 365 environment and reduce the risk of costly security incidents.