What can happen if my Microsoft 365 account gets compromised?

Before we get started, what’s MFA again?

MFA stands for multi-factor authentication. It is a security feature that requires users to provide two or more forms of authentication to access an account or system.

Microsoft 365 breaches by the numbers

Let’s start by stating that Microsoft 365 is the most comprehensive and cost-effective IT solution for any business, large or small. Popularity with customers also attracts attention from the “bad guys”, and Microsoft is responsible only for providing the platform, not for end-user security practices. Before we get into why securing your Microsoft 365 environment is so important, let’s look at the numbers…

  1. Microsoft 365 has approximately 50% of the global market share
  2. There are approximately 400 million active users with Microsoft 365
  3. Of those 400 million users, approximately 1.2 million of them are breached each month
  4. 99.9% of the accounts breached do not have MFA enforced
  5. MFA can prevent 99.9% of account compromise attacks
  6. 78% of Microsoft 365 administrator accounts do not have MFA enforced

What can happen if your account gets compromised?

If someone gains unauthorized access to your Microsoft 365 account, it can lead to a variety of negative consequences, including:

Data theft: An attacker could access and steal your sensitive data, such as emails, files, and personal information, which can be used for identity theft, fraud, or other malicious activities.

Account takeover: Once an attacker has access to your account, they can change your account password, security settings, and recovery options, making it difficult for you to regain control of your account.

Malware distribution: An attacker can use your account to distribute malware/ransomware to your contacts, compromising their devices and potentially spreading the malware to other networks. There are numerous other repercussions here that can lead to insurance claims, legal intervention, and reputation rebuilding.

Email phishing: An attacker can use your account to send phishing emails to your contacts, tricking them into sharing their login credentials or personal information.

Unauthorized access to other services: If you use your Microsoft 365 account to access other online services, such as banking or social media, an attacker could potentially gain access to those services as well.

The above describes what CAN and DOES happen to end-user accounts without MFA all the time. But what happens if an administrator account gets compromised? Basically the same consequences, but instead of affecting one user they can be multiplied across the entire environment, including every user, just as easily. Imagine if every email ever sent or received had been captured by a “bad guy”, or all your files were encrypted and the only way to get them back was to pay thousands in ransom. Pretty scary stuff.

If MFA has been proven to be so effective (99.9% effective), why does implementing this security feature keep getting pushed lower on the company’s priority list?

SHORT ANSWER: We aren’t quite sure.

LONG ANSWER: Like most things, change is hard, and most people don’t want to do anything until they are forced (via compliance or insurance requirements) or a breach occurs.

Common misconceptions we hear about MFA

  1. MFA is too complicated: While there is some initial setup and configuration, the process is relatively straightforward and can be completed in just a few steps with minimal oversight.
  2. MFA is unnecessary if you have a strong password: While a strong password can help protect your account, it is not foolproof. MFA adds an extra layer of protection and can prevent unauthorized access even if your password is compromised, which actually takes some of the pressure off needing complex passwords, or passwords at all (passwordless). Also, MFA allows us as administrators to set up users so they can reset their own passwords securely. Without MFA, they will need to go through their administrators to reset their account logins.
  3. MFA is only needed for high-risk users: Every user in an organization, regardless of their level of access, is a potential target for cyberattacks. Therefore, MFA should be implemented for all users in Microsoft 365.
  4. MFA will slow down productivity: While MFA may require an additional step when logging in to the web version (not desktop applications like Outlook), the process is quick and should not significantly impact productivity. Additionally, the added security provided by MFA can help prevent security incidents that could cause downtime and loss of productivity.
  5. MFA is expensive: Many MFA solutions are available for free or at a low cost. The benefits of adding an extra layer of security to your Microsoft 365 account far outweigh the potential costs of a breach.
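A practical first step toward “MFA for all users”, and a way to check the administrator statistic above against your own tenant, is to pull the authentication methods registration report and list who is not registered for MFA, starting with admins. The script below is an added example, not code from this article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account is allowed to read the registration report (the scopes named are an assumption about what your tenant grants).

```powershell
# Added example (not from the article): find Microsoft 365 users, and especially
# admins, who are not registered for MFA, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; the signed-in account can read the
# authentication methods registration report with the scopes requested here.

Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# One row per user with IsAdmin, IsMfaRegistered, IsSsprRegistered and MethodsRegistered
$report = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

$admins           = @($report | Where-Object { $_.IsAdmin })
$adminsWithoutMfa = @($admins | Where-Object { -not $_.IsMfaRegistered })
$usersWithoutMfa  = @($report | Where-Object { -not $_.IsMfaRegistered })

"{0} of {1} users are not registered for MFA"  -f $usersWithoutMfa.Count,  $report.Count
"{0} of {1} admins are not registered for MFA" -f $adminsWithoutMfa.Count, $admins.Count

# Admins first: one compromised admin affects the whole tenant, not just one mailbox
$adminsWithoutMfa |
    Select-Object UserPrincipalName, IsSsprRegistered,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

# Full list as CSV, to hand to management and to drive the end-user rollout
$usersWithoutMfa |
    Select-Object UserPrincipalName, IsAdmin, IsSsprRegistered,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

Run it again after the rollout: the admin count should reach zero first, and the same report’s IsSsprRegistered column shows which users can already reset their own passwords without calling an administrator.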

Unfortunately, rolling out these company-wide security features is not something we can accomplish on our own. We need management approval, end-user follow-through and overall coordination to see this solution through to completion. Again, this process doesn’t need to be complicated and can be accomplished relatively easily in just a few steps.

Click here to schedule a time to talk about MFA and get your questions answered now!