July 12, 2021 | 5 min read
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.

(Updated December 11, 2024)

The numbers don’t lie: 30 billion password-based attacks hit Microsoft 365 accounts every month in 2024. That’s a tenfold increase from just a few years ago. Attackers are no longer just opportunists—they’re well-funded, highly organized, and leveraging automation to compromise even the most diligent organizations.

Case in point? The Midnight Blizzard attack, a targeted brute-force campaign orchestrated by Nobelium, showed how quickly misconfigurations, weak protocols, and unmonitored activity can lead to total tenant compromise. If your defenses rely on yesterday’s best practices, you’re leaving the door wide open.

This guide equips Microsoft 365 administrators with the tools, techniques, and strategies to not just react to these threats but proactively secure their environments against the most persistent and damaging attacks.

The article covers:

  • Increased Cyber Threats to Microsoft 365
  • Prioritized Steps to Reduce Brute-Force Attacks on M365
  • More Resources to Prevent Cyberattacks in Microsoft 365
Increased Cyber Threats to Microsoft 365

Brute-force attacks are evolving. Where attackers once relied on sheer volume to crack accounts, they now use sophisticated techniques such as credential stuffing (exploiting leaked passwords from data breaches) and adaptive learning to bypass security controls.

But the consequences are the same:

  • Lateral Movement into Admin Accounts: Attackers gain access to one account and escalate privileges, potentially compromising entire networks.
  • Back-Door Access for Future Exploitation: Even after being detected, attackers often maintain hidden access for future campaigns.
  • Disrupted Business Operations: Malware, ransomware, or data exfiltration wreaks havoc on day-to-day operations.

If this sounds overwhelming, the good news is that there are clear, actionable steps to mitigate these risks—steps we’ll break down by priority to help you focus on what matters most.

The path of brute force
Source: https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

Prioritized Steps to Reduce Brute-Force Attacks on M365

To address the rising threat and help organizations prioritize their efforts, we’ve divided recommendations into immediate, medium-term, and advanced actions. These steps address both quick wins and longer-term strategies to ensure you tackle the highest-impact actions first.

Immediate Actions: Deploy High-Impact Solutions First

Enable and Monitor Audit Logs

Many breaches go undetected simply because no one is looking. Audit logs in Microsoft 365 are your first line of defense. Here’s how to get started:

  • Enable Audit Logging: If it’s not already active, this should be your top priority. It captures every admin and user action, from logins to configuration changes.
  • Look for Key Indicators:
    • Frequent failed logins from the same IP address.
    • Unusual geographies (e.g., a user logging in from the US and Russia within an hour).
    • New admin role assignments outside of approved processes (e.g., changes to user roles, security settings, and application permissions that could indicate an attack in progress).

Why It Matters: Attackers don’t cover their tracks perfectly. Audit logs give you the breadcrumbs to detect and stop malicious activity early. Specific tools, like Azure Monitor or Microsoft Sentinel, can help automate log analysis and set up alerts for anomalous behavior.
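The three indicators above can be turned into simple detections. The following PowerShell is an added example, not code from the original article: it runs each detection over a constructed sample of Entra ID sign-in records and Unified Audit Log records. Field names follow what Get-MgAuditLogSignIn (Microsoft.Graph.Reports) and Search-UnifiedAuditLog (ExchangeOnlineManagement) return; the sample values, the thresholds, the approved-actor list and the simplified AuditData JSON are assumptions.

```powershell
# Added example (not from the article): the three "key indicators" as detection logic over
# constructed sign-in and audit records. Live data would come from, for example:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

function New-SignIn($Upn, $Ip, $Country, $When, $ErrorCode) {
  # Shape mirrors a Get-MgAuditLogSignIn result: nested Location and Status objects.
  [pscustomobject]@{
    UserPrincipalName = $Upn
    IpAddress         = $Ip
    Location          = [pscustomobject]@{ CountryOrRegion = $Country }
    CreatedDateTime   = [datetime]$When
    Status            = [pscustomobject]@{ ErrorCode = $ErrorCode }   # 0 = success, 50126 = wrong password
  }
}

# Constructed sample: a spray against three accounts from one IP, then a successful sign-in
# for one of them from a second country 40 minutes after a legitimate US sign-in.
$signIns = @(
  (New-SignIn 'alice@contoso.example' '203.0.113.10' 'US' '2024-12-11T08:00:00Z' 0),
  (New-SignIn 'alice@contoso.example' '198.51.100.7' 'RU' '2024-12-11T08:40:00Z' 0),
  (New-SignIn 'alice@contoso.example' '198.51.100.7' 'RU' '2024-12-11T07:55:00Z' 50126),
  (New-SignIn 'bob@contoso.example'   '198.51.100.7' 'RU' '2024-12-11T07:56:00Z' 50126),
  (New-SignIn 'bob@contoso.example'   '198.51.100.7' 'RU' '2024-12-11T07:57:00Z' 50126),
  (New-SignIn 'carol@contoso.example' '198.51.100.7' 'RU' '2024-12-11T07:58:00Z' 50126),
  (New-SignIn 'carol@contoso.example' '198.51.100.7' 'RU' '2024-12-11T07:59:00Z' 50126)
)

# Constructed sample of a Unified Audit Log record (RecordType AzureActiveDirectory). The real
# AuditData payload carries more fields; only the ones used below are reproduced.
$auditRecords = @(
  [pscustomobject]@{
    CreationDate = [datetime]'2024-12-11T09:12:00Z'
    Operations   = 'Add member to role.'
    UserIds      = 'alice@contoso.example'
    AuditData    = '{"ObjectId":"mallory@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}'
  }
)

# Indicator 1: repeated failed logins from the same IP address.
function Find-RepeatedFailures {
  param([object[]]$SignIns, [int]$Threshold = 5)
  $SignIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object IpAddress | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
      [pscustomobject]@{
        Indicator = 'RepeatedFailures'; IpAddress = $_.Name; Failures = $_.Count
        Users     = ($_.Group.UserPrincipalName | Sort-Object -Unique) -join ','
      }
    }
}

# Indicator 2: successful sign-ins for one user from two countries within the window.
function Find-ImpossibleTravel {
  param([object[]]$SignIns, [int]$WindowMinutes = 60)
  $SignIns | Where-Object { $_.Status.ErrorCode -eq 0 } | Group-Object UserPrincipalName | ForEach-Object {
    $user   = $_.Name
    $events = @($_.Group | Sort-Object CreatedDateTime)
    for ($i = 1; $i -lt $events.Count; $i++) {
      $prev = $events[$i - 1]; $cur = $events[$i]
      $gap  = ($cur.CreatedDateTime - $prev.CreatedDateTime).TotalMinutes
      if ($prev.Location.CountryOrRegion -ne $cur.Location.CountryOrRegion -and $gap -le $WindowMinutes) {
        [pscustomobject]@{
          Indicator = 'ImpossibleTravel'; User = $user; MinutesApart = [math]::Round($gap)
          From = $prev.Location.CountryOrRegion; To = $cur.Location.CountryOrRegion
        }
      }
    }
  }
}

# Indicator 3: role assignments performed by anyone outside the approved process.
function Find-RoleAssignments {
  param([object[]]$Records, [string[]]$ApprovedActors)
  $Records | Where-Object { $_.Operations -eq 'Add member to role.' -and $_.UserIds -notin $ApprovedActors } |
    ForEach-Object {
      $data = $_.AuditData | ConvertFrom-Json
      $role = ($data.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
      [pscustomobject]@{ Indicator = 'UnapprovedRoleAssignment'; Actor = $_.UserIds; Target = $data.ObjectId; Role = $role; When = $_.CreationDate }
    }
}

$approvedRoleAdmins = @('pim-svc@contoso.example')   # assumption: accounts allowed to assign roles
$findings = @(
  Find-RepeatedFailures -SignIns $signIns -Threshold 5
  Find-ImpossibleTravel -SignIns $signIns -WindowMinutes 60
  Find-RoleAssignments  -Records $auditRecords -ApprovedActors $approvedRoleAdmins
)
$findings | Format-List
```

Run as-is, the sample data produces one finding per detector: five failures from 198.51.100.7, alice seen in US and RU 40 minutes apart, and a Global Administrator assignment made by an account that is not on the approved list. The same functions work unchanged on live Get-MgAuditLogSignIn output and on Search-UnifiedAuditLog results because they only read the fields named above.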

Disable Legacy Authentication Protocols

Still using IMAP, POP, or SMTP with basic authentication for email? These legacy authentication methods can't enforce MFA, so a guessed or leaked password is all an attacker needs, which makes them a goldmine for password-spray and credential-stuffing attacks.

  • Identify Accounts Using Legacy Protocols: Use the Sign-In Logs (filter on the client app, e.g., IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync) to find the accounts still signing in this way, and disable legacy authentication for them immediately. Conditional Access policies can block legacy protocols for specific users or groups.
  • Transition Users to Modern Authentication to support multi-factor authentication (MFA) or passwordless authentication.

Why It Matters: Organizations that disable legacy authentication typically see a 70–90% reduction in brute-force attempts.

Restrict PowerShell Access

PowerShell is a double-edged sword—an essential admin tool but also a favorite for attackers. If left unsecured, it can be a gateway for malware and unauthorized changes to your environment.

  • Block Unauthorized Access: Use Conditional Access policies to restrict who can use PowerShell. Only admins with a valid business need should have access.
  • Secure Required Access: For those who must use PowerShell, enforce Multi-Factor Authentication (MFA) or passwordless authentication and secure credentials with Azure Key Vault.
  • Monitor for Abuse: Keep an eye on suspicious PowerShell activity by enabling detailed logging and reviewing usage patterns regularly.

Why It Matters: Attackers love PowerShell for its versatility and lack of built-in visibility. By restricting access and monitoring its use, you cut off a powerful tool from being weaponized against your organization.
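The two Conditional Access measures just described (block legacy authentication; limit PowerShell to admins and require MFA for them) can be created from PowerShell itself. The script below is an added example, not code from the article or from CoreView, written against the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy). Every policy is created in report-only state, which is the Report-Only Mode the article recommends for testing. The group IDs are placeholders; the two first-party application IDs are the publicly documented ones for Microsoft Graph PowerShell and the Azure management API, which you should verify against Microsoft's list for your cloud; Exchange Online PowerShell signs in to its own first-party app and is not covered here.

```powershell
# Added example (not the article's or CoreView's code). Requires the Microsoft.Graph module and an
# account holding Conditional Access Administrator (or higher).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'        # placeholder: emergency-access accounts, excluded everywhere
$psAdminsGroupId   = '<POWERSHELL-ADMINS-GROUP-OBJECT-ID>'  # placeholder: admins with a business need for PowerShell

# First-party apps that PowerShell modules sign in to (verify against Microsoft's published IDs).
$managementApps = @(
  '14d82eec-204b-4c2f-b7e8-296a70dab67e',  # Microsoft Graph Command Line Tools (Microsoft Graph PowerShell)
  '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # Windows Azure Service Management API (Az PowerShell, Azure CLI)
)

# Policy 1: block legacy authentication for everyone except the break-glass group.
# 'other' covers basic-auth clients such as IMAP, POP, SMTP AUTH and older Office builds.
$blockLegacyAuth = @{
  displayName   = 'CA001 - Block legacy authentication (report-only)'
  state         = 'enabledForReportingButNotEnforced'
  conditions    = @{
    clientAppTypes = @('exchangeActiveSync', 'other')
    applications   = @{ includeApplications = @('All') }
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
  }
  grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: nobody outside the PowerShell admins group may reach the management endpoints.
$blockPowerShell = @{
  displayName   = 'CA002 - Block management endpoints for non-admins (report-only)'
  state         = 'enabledForReportingButNotEnforced'
  conditions    = @{
    clientAppTypes = @('all')
    applications   = @{ includeApplications = $managementApps }
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId, $psAdminsGroupId) }
  }
  grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 3: the admins who are allowed in must satisfy MFA on every management sign-in.
$mfaPowerShell = @{
  displayName   = 'CA003 - Require MFA for management endpoints (report-only)'
  state         = 'enabledForReportingButNotEnforced'
  conditions    = @{
    clientAppTypes = @('all')
    applications   = @{ includeApplications = $managementApps }
    users          = @{ includeGroups = @($psAdminsGroupId); excludeGroups = @($breakGlassGroupId) }
  }
  grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in $blockLegacyAuth, $blockPowerShell, $mfaPowerShell) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
  '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

After a week or two of reviewing the report-only results in the sign-in logs (the "Report-only" tab on each sign-in shows which policy would have applied), switch `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy. Keep the break-glass exclusion on every policy: a block policy that also catches your emergency accounts is how a tenant locks itself out.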

Block Anonymous IP Addresses

Configure Conditional Access policies to deny access from anonymous or high-risk IP addresses. This preemptive measure can thwart brute-force attacks before they gain traction.

Here are some examples of recommended conditional access policies:

  • Policy 1: Block Access from Risky Locations: Define "risky" based on geographic data or known malicious IP ranges.
  • Policy 2: Require MFA for All Privileged Roles: Specify MFA for global admins, service accounts, and high-privilege roles.
  • Policy 3: Device-Based Access: Allow access only from devices compliant with corporate security standards.

Pro tip: You can test these policies before deploying them organization-wide using Microsoft’s Report-Only Mode.

Medium-Term Actions: Strengthen Your Environment Over Time

Review Indicators of Compromise (IoCs)

Monitoring IoCs provides early warning signals of potential breaches. Focus on:

  • Suspicious IP Addresses: Watch for login attempts from known malicious IPs (e.g., 158.58.173[.]40, 185.141.63[.]47, 185.233.185[.]21, 188.214.30[.]76, 195.154.250[.]89, 93.115.28[.]161, 95.141.36[.]180, 77.83.247[.]81, 192.145.125[.]42, and 193.29.187[.]60).
  • Anonymous Sign-Ins: Audit anonymous access events, particularly those tied to VPN usage or unverified browsers.
  • Application Impersonation: Regularly review the use of Application Impersonation Roles to detect unauthorized activity.

You can detect these IoCs with the following Microsoft tools:

  • Legacy Protocol Usage: Use Azure AD (now Entra ID) Sign-In logs to identify users connecting via protocols like IMAP and SMTP.
  • Application Impersonation: Use the Unified Audit Log to track when impersonation permissions are granted and correlate these events with unusual activity.
  • Suspicious IP Monitoring: Monitor flagged IPs for suspicious activity using Microsoft Entra ID Sign-In Logs or Microsoft Defender for Identity. Track repeated failed login attempts or unusual geographic access patterns.

Pro tip: Admins can automate flagging suspicious IP addresses by enabling conditional access policies or integrating threat intelligence feeds.
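Here is one way to operationalize the IoC list above, as an added example that is not part of the original article: it converts the defanged addresses (the `[.]` notation used to stop them being clickable) back into real IPs, searches the last 30 days of sign-in logs for each one, and registers them as an IP-based named location that a Conditional Access block policy can reference. The IP list is the one quoted on this page; whether it is still current is something to confirm against your own threat-intelligence feed before acting on it. Cmdlet usage and scopes are assumptions about the Microsoft.Graph SDK.

```powershell
# Added example (not from the article). Defanged IoCs as listed in the text above.
$defanged = @(
  '158.58.173[.]40', '185.141.63[.]47', '185.233.185[.]21', '188.214.30[.]76', '195.154.250[.]89',
  '93.115.28[.]161', '95.141.36[.]180', '77.83.247[.]81', '192.145.125[.]42', '193.29.187[.]60'
)

# Turn '[.]', '(.)' and '[dot]' back into '.', and drop anything that is not a valid IP afterwards
# so a typo in a feed never becomes a bogus filter or named-location entry.
function ConvertFrom-DefangedIp {
  param([Parameter(ValueFromPipeline)][string]$Value)
  process {
    $ip = $Value -replace '\[\.\]', '.' -replace '\(\.\)', '.' -replace '\[dot\]', '.'
    if ($ip -as [ipaddress]) { $ip } else { Write-Warning "Skipping '$Value': not a valid IP after refanging" }
  }
}
$iocIps = @($defanged | ConvertFrom-DefangedIp)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# (a) Any sign-in attempt from these addresses in the last 30 days, successful or not.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$hits = foreach ($ip in $iocIps) {
  Get-MgAuditLogSignIn -Filter "ipAddress eq '$ip' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, ClientAppUsed,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
}
$hits | Sort-Object CreatedDateTime | Format-Table -AutoSize
$hits | Group-Object IpAddress | Select-Object Name, Count

# (b) Register the list as a named location; a Conditional Access policy whose
#     conditions.locations.includeLocations contains $namedLocation.Id can then block it.
$location = @{
  '@odata.type' = '#microsoft.graph.ipNamedLocation'
  displayName   = 'TI - Brute-force IoC IPs (2021 CSA list)'
  isTrusted     = $false
  ipRanges      = @($iocIps | ForEach-Object {
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = "$_/32" }
  })
}
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location
"Named location '{0}' created with id {1}" -f $namedLocation.DisplayName, $namedLocation.Id
```

Keeping the block list in a named location rather than hard-coding it into a policy means the feed can be refreshed with Update-MgIdentityConditionalAccessNamedLocation without touching the policy, and the sign-in search in step (a) doubles as a check that the list is worth blocking at all.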

Enforce Strong Password and Session Policies

Implement secure password requirements and account lockout policies to limit brute-force attempts.

Configure session timeouts to reduce exposure from inactive sessions. For example:

  • SharePoint Online mobile sessions: 90 days
  • Microsoft 365 admin center: 8 hours
  • Azure AD (Entra ID) refresh tokens: 90 days, unless revoked.

Admins can set shorter timeouts for sensitive areas like SharePoint Online or admin portals using Azure AD (Entra ID) Conditional Access policies.

Reduce Administrative Privileges

Over-permissioned accounts are an open invitation for attackers. The fewer global administrators you have, the smaller your attack surface. Start by identifying who truly needs these elevated privileges—hint: it’s probably not as many people as you think.

  • Trim the Admin List: Conduct a permissions audit to ensure users only have access to what they need—this is the principle of least privilege in action.
  • Use Role-Based Access Control (RBAC): Instead of blanket admin rights, assign granular roles tailored to specific tasks.

Why It Matters: Every unnecessary admin account is a potential doorway for attackers. Regularly auditing and reducing these permissions closes those doors.

57% of organizations have overprivileged admins—is your tenant vulnerable? Use the Admin Permissions Scanner for Microsoft 365 to help cut down the number of admins with tenant access.
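The permissions audit the section calls for starts with a plain inventory of who holds which privileged role. The script below is an added example, not code from the article or the scanner it mentions; it uses Get-MgDirectoryRole and Get-MgDirectoryRoleMember from the Microsoft.Graph SDK. The list of roles treated as privileged is an assumption to extend for your tenant, and the "fewer than five Global Administrators" check follows Microsoft's published guidance. Note that Get-MgDirectoryRole only returns roles that have been activated in the tenant, and that active assignments only are listed; PIM-eligible assignments need the PIM cmdlets.

```powershell
# Added example (not the article's code): inventory active members of privileged Entra ID roles.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$privilegedRoles = @(   # assumption: adjust to your tenant's definition of "privileged"
  'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
  'Exchange Administrator', 'SharePoint Administrator', 'Security Administrator',
  'Conditional Access Administrator', 'Application Administrator', 'User Administrator'
)

function Get-PrivilegedRoleMembers {
  param([string[]]$RoleNames)
  foreach ($role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $RoleNames }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
      # Members are generic directoryObjects; the useful fields sit in AdditionalProperties.
      $props = $member.AdditionalProperties
      [pscustomobject]@{
        Role        = $role.DisplayName
        MemberType  = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')  # user, group, servicePrincipal
        DisplayName = $props['displayName']
        Upn         = $props['userPrincipalName']
        Enabled     = $props['accountEnabled']
      }
    }
  }
}

$members = Get-PrivilegedRoleMembers -RoleNames $privilegedRoles
$members | Sort-Object Role, Upn | Format-Table -AutoSize

# Findings worth a ticket: too many Global Administrators, role-holding service principals
# (no MFA possible), disabled accounts that still hold a role, and groups that grant roles.
$gaCount = @($members | Where-Object { $_.Role -eq 'Global Administrator' -and $_.MemberType -eq 'user' }).Count
if ($gaCount -gt 5) {
  Write-Warning "$gaCount Global Administrators; Microsoft recommends fewer than five dedicated accounts."
}
$members | Where-Object { $_.MemberType -eq 'servicePrincipal' } |
  ForEach-Object { Write-Warning "Service principal '$($_.DisplayName)' holds $($_.Role)" }
$members | Where-Object { $_.MemberType -eq 'user' -and $_.Enabled -eq $false } |
  ForEach-Object { Write-Warning "Disabled account $($_.Upn) still holds $($_.Role); remove the assignment" }
$members | Where-Object { $_.MemberType -eq 'group' } |
  ForEach-Object { Write-Warning "Group '$($_.DisplayName)' grants $($_.Role); audit its membership and owners" }
```

Export `$members` to CSV on a schedule and diff successive runs: a new row in the Global Administrator list that nobody can explain is exactly the "new admin role assignment outside of approved processes" indicator from the audit-log section.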

Advanced Actions: Build Long-Term Resilience

Refine Conditional Access Policies

Conditional Access policies are your dynamic security gatekeepers, ensuring that only verified, trusted users can access your environment. These policies are central to a zero-trust approach, adapting to different scenarios in real-time.

  • Enforce MFA (or Passwordless Authentication) Everywhere: Make MFA mandatory for all privileged roles and sensitive operations.
  • Geo-Blocking: Deny access from countries or regions where you don’t operate or from known risky geographies.
  • Control Device Access: Limit access to compliant devices that meet corporate security standards.

Pro Tip: Test new policies in Microsoft’s Report-Only Mode before rolling them out to ensure they don’t disrupt legitimate workflows.

Why It Matters: Conditional Access policies don’t just block attackers—they adapt to evolving risks, making your environment resilient against both brute force and stealthier intrusion attempts.

Example: Configure a policy to block access from non-corporate devices while allowing exceptions for verified, compliant endpoints.

Deploy Automated Threat Response Tools

Manual threat responses are too slow for today’s automated attacks. By the time you’ve detected and analyzed the threat, damage could already be done. That’s where automated tools come in.

  • Real-Time Threat Detection: Use Microsoft Defender or Microsoft Sentinel (formerly Azure Sentinel) to identify brute-force attempts and other anomalies as they happen.
  • Automate Actions: Set up automated workflows to revoke sessions, force password resets, and block malicious IPs immediately after detection.

Why It Matters: Automation doesn’t just save time—it saves your organization from preventable breaches by responding to threats before they escalate.
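The "automate actions" bullet above (revoke sessions, force a password reset, disable the account) is the containment step an automation calls once a detection fires. The function below is an added example, not code from the article or from CoreView, using Microsoft.Graph SDK cmdlets (Revoke-MgUserSignInSession, Update-MgUser). The scope list reflects the SDK documentation but should be checked against your tenant, the emergency-account exclusion list is a placeholder, and the triggering logic (a Sentinel playbook, an Automation runbook, or a scheduled script feeding it user names) is left to the caller.

```powershell
# Added example (not the article's or CoreView's code): account containment with a dry-run option.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All',
                        'User-PasswordProfile.ReadWrite.All', 'User.EnableDisableAccount.All'

# Placeholder: emergency-access (break-glass) accounts that automation must never touch.
$doNotContain = @('breakglass1@contoso.example', 'breakglass2@contoso.example')

function Invoke-AccountContainment {
  [CmdletBinding(SupportsShouldProcess)]
  param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [switch]$DisableAccount,                  # strongest step; off by default so a false positive is recoverable
    [string]$Reason = 'brute-force indicator'
  )
  if ($UserPrincipalName -in $doNotContain) {
    throw "Refusing to contain emergency-access account $UserPrincipalName"
  }
  $user    = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
  $actions = @()

  # 1. Invalidate refresh tokens so any session the attacker already holds stops working.
  if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $actions += 'sessions-revoked'
  }
  # 2. The next interactive sign-in must set a new password, closing the guessed one.
  if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Force password change at next sign-in')) {
    Update-MgUser -UserId $user.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
    $actions += 'password-change-forced'
  }
  # 3. Optional: block sign-in entirely until an analyst has looked at the account.
  if ($DisableAccount -and $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable sign-in')) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $actions += 'account-disabled'
  }

  # Return a record the caller can write to the incident ticket or SIEM.
  [pscustomobject]@{
    User    = $user.UserPrincipalName
    Reason  = $Reason
    Actions = $actions -join ','
    At      = (Get-Date).ToUniversalTime().ToString('o')
  }
}

# Dry run first: -WhatIf prints each step without executing it.
Invoke-AccountContainment -UserPrincipalName 'alice@contoso.example' -Reason 'repeated failures from 198.51.100.7' -WhatIf
# Real run, escalating to a disabled account:
# Invoke-AccountContainment -UserPrincipalName 'alice@contoso.example' -DisableAccount -Reason 'impossible travel US->RU'
```

Two design points matter more than the cmdlets: the break-glass exclusion, so an automated response can never lock the tenant's emergency accounts, and the ordering (revoke tokens before anything else) so the attacker's live session is cut off even if a later step fails.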

Monitor Application Permissions

Third-party apps are often overlooked as a security risk, but they can be a backdoor for attackers if permissions aren’t carefully managed.

  • Conduct Regular Audits: Check which apps have been granted access to your tenant and evaluate their permissions.
  • Revoke Unnecessary Access: Remove any apps that don’t need access or have permissions that are too broad.

Why It Matters: Attackers often exploit overly permissive app permissions to gain access to sensitive data. Routine monitoring ensures you maintain control over what’s connected to your environment.
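A regular app-permission audit can be scripted. The following is an added example, not code from the article or from CoreView: it lists every application (app-only) permission granted on Microsoft Graph in the tenant, flags the high-privilege ones, shows tenant-wide delegated consent grants, and provides a guarded revoke function. Cmdlets are from the Microsoft.Graph SDK; the permission list treated as high-risk is an assumption to tune to your environment.

```powershell
# Added example (not the article's code): audit and revoke app permissions on Microsoft Graph.
Connect-MgGraph -Scopes 'Directory.Read.All', 'AppRoleAssignment.ReadWrite.All'

$highPrivilege = @(   # assumption: permissions that amount to tenant or mailbox takeover
  'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All',
  'AppRoleAssignment.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'User.ReadWrite.All',
  'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)

# Microsoft Graph's own service principal holds the catalogue of app roles, which maps the
# AppRoleId GUIDs on each assignment back to permission names like 'Mail.Read'.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

function Get-GraphAppPermissionGrants {
  # One call returns every assignment made TO Graph, regardless of which app holds it.
  foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $perm = $roleName[$a.AppRoleId]
    [pscustomobject]@{
      App          = $a.PrincipalDisplayName
      PrincipalId  = $a.PrincipalId
      Permission   = $perm
      HighRisk     = ($perm -in $highPrivilege)
      GrantedOn    = $a.CreatedDateTime
      AssignmentId = $a.Id
    }
  }
}

function Get-TenantWideDelegatedGrants {
  # Admin consent granted for all users ('AllPrincipals') is the delegated equivalent.
  Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object {
      $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -Property DisplayName
      [pscustomobject]@{
        App      = $client.DisplayName
        Scopes   = $_.Scope
        HighRisk = [bool](($_.Scope -split ' ') | Where-Object { $_ -in $highPrivilege })
      }
    }
}

function Revoke-GraphAppPermission {
  [CmdletBinding(SupportsShouldProcess)]
  param([Parameter(Mandatory)][string]$AssignmentId, [string]$App = '?')
  if ($PSCmdlet.ShouldProcess("$App ($AssignmentId)", 'Remove app role assignment')) {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -AppRoleAssignmentId $AssignmentId
  }
}

$grants = Get-GraphAppPermissionGrants
$grants | Where-Object HighRisk | Sort-Object App, Permission | Format-Table App, Permission, GrantedOn -AutoSize
Get-TenantWideDelegatedGrants | Where-Object HighRisk | Format-Table -AutoSize

# Revoke after review; -WhatIf shows what would be removed without removing it.
# $grants | Where-Object { $_.App -eq 'Legacy Mail Sync Tool' } |
#   ForEach-Object { Revoke-GraphAppPermission -AssignmentId $_.AssignmentId -App $_.App -WhatIf }
```

App-only permissions deserve the most scrutiny because they work without any user signing in, so neither MFA nor Conditional Access stands between a compromised app secret and the data; the `GrantedOn` column makes a recently added Mail.Read or Directory.ReadWrite.All grant stand out in a scheduled run.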

More Resources to Prevent Cyberattacks in Microsoft 365


CoreView also offers advanced tools to close critical security gaps in Microsoft 365:

  • Automated Threat Detection and Response: Identify and shut down brute-force attempts in real-time.
  • Session Management: Revoke active sessions and enforce granular timeouts to reduce exposure.
  • Configuration Auditing and Rollback: Detect configuration drift, revert to secure states, and ensure compliance with recovery standards.
