The Microsoft 365 Security Threats Putting MSPs at Risk — and How to Stop Them
Microsoft 365 is a top target for cybercriminals, and the threat landscape is changing daily. Is your business prepared?
In this must-watch webinar, you’ll get real-world insights from industry experts Guillaume Boisvert, Director of Product Innovation, and Camille Loaec, Product Owner of Office Protect.
They’ll break down the latest and most dangerous security threats targeting Microsoft 365 and show you how to defend your business and clients. Stay ahead of cybercriminals with actionable advice you can use right now. Don’t wait for a breach—learn how to protect your MSP and your customers.
Sherweb Office Protect
Sherweb, a prominent provider of cloud solutions and cybersecurity services, offers valuable insights into the Microsoft 365 security threats that pose risks to Managed Service Providers (MSPs) and their clients.
These insights are drawn from their extensive experience supporting MSPs and their development of tools like Office Protect, a security add-on tailored for Microsoft 365, that simplifies and strengthens tenant security.
It was created to help MSPs manage and protect multiple Microsoft 365 environments efficiently, reducing the burden of manual configuration and threat response. The solution integrates seamlessly with Microsoft 365, leveraging its APIs to monitor, detect, and mitigate risks in real time. It’s offered in two tiers—Core and Alliance—each catering to different levels of MSP needs, from basic automation to fully managed security services.
Key Microsoft 365 Security Threats Identified by Sherweb
Sherweb emphasizes that Microsoft 365’s widespread adoption—used by millions of businesses globally—makes it the most targeted platform for cyberattacks. Its popularity, combined with the critical data it stores (e.g., employee records, organizational secrets), turns it into a “goldmine” for hackers. This heightened exposure increases the likelihood of attacks on MSPs managing multiple Microsoft 365 tenants.
- Phishing and Business Email Compromise (BEC): A common threat highlighted is phishing, particularly emails disguised as legitimate Microsoft correspondence. These fraudulent messages often trick users into providing credentials or taking actions that compromise security. Sherweb notes that around 25% of messages in Microsoft 365 environments contain malware or phishing attempts, putting MSPs’ clients at risk of unintentional breaches.
- Session/Token Hijacking to Bypass MFA: Sherweb has observed a rise in sophisticated attacks, such as session or token hijacking, which allow attackers to bypass multi-factor authentication (MFA). Tools like Evilginx or for-profit hacker platforms like W3ll enable cybercriminals to steal session tokens, granting them prolonged access even after initial authentication, posing a severe risk to MSP-managed environments.
- Endpoint Access and Data Exfiltration: Vulnerabilities at endpoints—such as compromised user accounts or privileged admin accounts—are a significant concern. Attackers can gain access to infrastructure through Microsoft 365, steal sensitive data, and potentially move laterally across a client’s network. Sherweb points out that smaller businesses often underestimate this risk, assuming their size makes them less of a target, which statistics disprove.
- Password Spraying and Account Enumeration: While traditional password spraying (trying random combinations) has declined due to lockout mechanisms, Sherweb notes that attackers now use targeted approaches. They leverage common passwords across multiple accounts within the allowed login attempts, avoiding detection and increasing the chance of breaching Microsoft 365 tenants.
- Internal Threats and Human Error: Sherweb stresses that over half of IT incidents stem from human error or risky behavior within organizations. Examples include employees sharing credentials, falling for phishing scams, or engaging in unsafe practices like public data sharing via SharePoint or Teams, all of which MSPs must monitor and address.
- Third-Party Software Risks: The integration of third-party apps with Microsoft 365 introduces additional vulnerabilities. Sherweb has observed attacks where attackers exploit these connections (e.g., PerfectData Software components) to infiltrate systems, highlighting the need for stricter controls over app permissions.
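The targeted password spraying described in the list above (a few common passwords tried against many accounts, each kept under the lockout limit) leaves a recognisable shape in sign-in logs. The following is an added detection sketch, not Sherweb's or Office Protect's code: the records are constructed, the field names follow the Entra ID sign-in log schema, and the window and thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126             # Entra ID sign-in error: invalid username or password
WINDOW = timedelta(minutes=30)   # assumed look-back window
MIN_ACCOUNTS = 5                 # assumed: distinct accounts failing from one source
MAX_PER_ACCOUNT = 3              # assumed: attempts kept under the lockout threshold

def find_spray_sources(signins):
    """Flag source IPs that fail against many accounts, few tries each, inside
    WINDOW. Returns {ip: {"targets": [...], "succeeded": [...]}}."""
    by_ip = defaultdict(list)
    for e in signins:
        by_ip[e["ipAddress"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["createdDateTime"])
        fails = [e for e in events if e["status"]["errorCode"] == BAD_PASSWORD]
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["createdDateTime"] - first["createdDateTime"] > WINDOW:
                    break
                per_user[e["userPrincipalName"]] += 1
            if len(per_user) >= MIN_ACCOUNTS and max(per_user.values()) <= MAX_PER_ACCOUNT:
                # A success from the same source after the spray began is the urgent case.
                ok = {e["userPrincipalName"] for e in events
                      if e["status"]["errorCode"] == 0
                      and e["createdDateTime"] >= first["createdDateTime"]}
                findings[ip] = {"targets": sorted(per_user),
                                "succeeded": sorted(ok & set(per_user))}
                break
    return findings

def _event(minute, ip, user, code):
    # Constructed record; only the fields the detector reads are included.
    return {"createdDateTime": datetime(2025, 1, 15, 9, 0) + timedelta(minutes=minute),
            "ipAddress": ip, "userPrincipalName": user, "status": {"errorCode": code}}

SPRAY_IP, USER_IP = "203.0.113.50", "198.51.100.7"   # documentation address ranges
SAMPLE = [_event(m, SPRAY_IP, f"user{m}@contoso.example", BAD_PASSWORD) for m in range(6)]
SAMPLE += [_event(10 + m, SPRAY_IP, f"user{m}@contoso.example", BAD_PASSWORD) for m in range(6)]
SAMPLE += [_event(20, SPRAY_IP, "user3@contoso.example", 0)]   # spray guessed one password
SAMPLE += [_event(m, USER_IP, "pat@contoso.example", BAD_PASSWORD) for m in range(4)]
SAMPLE += [_event(5, USER_IP, "pat@contoso.example", 0)]       # one user mistyping, not a spray

if __name__ == "__main__":
    for ip, f in find_spray_sources(SAMPLE).items():
        print(ip, "targets:", len(f["targets"]), "succeeded:", f["succeeded"])
```

Any account listed under `succeeded` should be treated as compromised: reset the password and revoke its sessions rather than only blocking the source address.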
Sherweb’s Recommended Strategies to Mitigate These Threats
Sherweb underscores that MSPs face dual pressure: protecting their clients from these threats while maintaining profitability and operational efficiency.
Failing to secure Microsoft 365 tenants can lead to reputational damage, financial losses, and client churn. Conversely, robust security offerings—bolstered by solutions like Office Protect—position MSPs as trusted advisors, opening revenue streams through value-added services. With the managed security services market growing rapidly (projected to reach significant adoption by 2025, per Gartner), Sherweb sees this as a critical opportunity for MSPs to stay competitive.
- Proactive Monitoring and Detection: Sherweb advocates for real-time monitoring to catch threats before they escalate. Tools like Office Protect provide 24/7 visibility into suspicious activities—such as logins from unusual locations, mailbox rule changes, or outbound spam—allowing MSPs to act swiftly.
- Strengthening MFA and Access Controls: While MFA is essential, Sherweb recommends additional hardening measures, such as revoking existing sessions after a breach and limiting non-admin users’ ability to approve third-party software. This reduces the effectiveness of session hijacking and unauthorized app integrations.
- Hardening Microsoft 365 Tenants: Sherweb suggests configuring tenants with best-practice security settings, such as disabling auto-forwarding to external emails, restricting public sharing, and enforcing strong password policies. Regular vulnerability assessments and post-breach investigations (including endpoint checks) are also critical.
- Educating Users and Clients: To combat internal threats, Sherweb emphasizes the importance of ongoing user training. MSPs should educate clients about phishing risks, safe data-sharing practices, and the importance of adhering to security policies, reducing the likelihood of human error.
- Centralized Management and Reporting: Tools like Office Protect provide MSPs with dashboards and automated reports to track security events across multiple tenants. This transparency helps MSPs demonstrate value to clients and maintain trust by keeping them informed about their security posture.
- Incident Response Preparedness: Sherweb advises MSPs to have a clear plan for threat mitigation, including immediate actions like locking down compromised accounts and investigating beyond Microsoft 365 (e.g., endpoints) to identify the breach’s scope. Office Protect Alliance’s MDR service offloads much of this burden by handling detection and initial response.
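Two items in the list above, watching for mailbox rule changes and disabling auto-forwarding to external addresses, can be checked against Exchange audit records. The following is an added example, not Office Protect's implementation: the records are constructed, the operation and parameter names are the Exchange cmdlet names as they appear in audit data, and the accepted-domain list and the `"True"` string format are assumptions.

```python
import re

# Cmdlets that create or change forwarding, and the parameters that carry a destination.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress"}
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def external_forwards(records, accepted_domains):
    """Return one alert per audit record that forwards mail outside the tenant."""
    accepted = {d.lower() for d in accepted_domains}
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        outside = sorted({m.group(0).lower()
                          for name in FORWARD_PARAMS & params.keys()
                          for m in ADDR.finditer(params[name])
                          if m.group(1).lower() not in accepted})
        if outside:
            alerts.append({"user": rec["UserId"], "operation": rec["Operation"],
                           "external": outside,
                           # Forward-and-delete hides the rule's effect from the mailbox owner.
                           "hides_mail": params.get("DeleteMessage") == "True"})
    return alerts

# Constructed audit records (assumed shape: Operation, UserId, Parameters as Name/Value pairs).
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@mailbox.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "team@contoso.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@personal.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@contoso.example"},
]

if __name__ == "__main__":
    for alert in external_forwards(SAMPLE, ["contoso.example"]):
        print(alert)
```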
Leveraging Office Protect for Simplified Security
Sherweb’s Office Protect (available in Core and Alliance plans) is designed to address these threats directly:
- Core Plan: Offers automated security configuration, monitoring, and alerts for issues like unknown device logins, public data sharing, or CEO phishing scams.
- Alliance Plan: Adds managed detection and response (MDR), where Sherweb’s in-house experts actively monitor threats, suspend compromised accounts, and provide guided remediation, saving MSPs time and resources.
In summary, Sherweb’s insights reveal that Microsoft 365’s popularity makes it a prime target for diverse, evolving threats, from phishing to session hijacking. Their recommended solutions—centered around proactive tools, tenant hardening, and expert support—equip MSPs to safeguard clients effectively while streamlining their own operations. By adopting these strategies, MSPs can turn cybersecurity into a competitive advantage rather than a liability.