Your Microsoft 365 Is Not Secure by Default

by James Cavenaugh

March 25, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.
Microsoft 365 is the most commonly used business platform in the country. It’s also configured, out of the box, in a way that would make any security person uncomfortable. Microsoft gives you the tools. They don’t turn them on for you. And they definitely don’t tell you what happens when you leave them off.

In 2024, CISA issued a binding operational directive specifically about securing cloud email environments, including Microsoft 365. The directive exists because so many organizations, including federal agencies, were running Microsoft 365 with critical security features still sitting at their default “off” setting. If the federal government had this problem, your seven-person law firm definitely has it.

Here’s what’s not enabled by default on a standard Microsoft 365 Business Premium account: multi-factor authentication enforcement, conditional access policies, sign-in risk detection, automatic blocking of legacy authentication protocols, and alerts for suspicious inbox rule changes.

The quiet stuff that gets you

Legacy authentication is one of those things nobody thinks about until it’s too late. It’s the old way apps connect to Microsoft 365: basic authentication, a plain username and password, over protocols like POP3, IMAP, and SMTP. The problem is that these protocols don’t support MFA at all. If legacy auth is still allowed on your tenant, an attacker with a stolen password can bypass MFA completely by connecting through one of these older mail protocols. Microsoft has been trying to deprecate basic authentication since 2022, but a lot of tenants still have it enabled because nobody checked, or because one old copier or line-of-business app still depends on it.

Inbox rules are another one. When an attacker gets into a mailbox, the first thing they do is create a rule. Forward all email to an external address. Or move anything from the firm’s bank to the deleted items folder so nobody sees the replies coming back. These rules run silently. They survive password changes. They’ll keep running for months if nobody looks. Microsoft’s own threat intelligence team has documented this as a standard attacker technique across multiple campaign groups.
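The check that paragraph implies, written out as an added example (this is not the author’s code and not a Microsoft script): it connects with Exchange Online PowerShell, walks every user mailbox with `Get-InboxRule`, and flags rules that forward or redirect to a domain the tenant doesn’t own, delete mail outright, or quietly move it into folders nobody opens. The folder list, the CSV path, and the idea of treating anything outside the accepted domains as external are my assumptions.

```powershell
# Added example (not the author's code): audit every mailbox for inbox rules that
# forward, redirect, delete, or hide mail. Requires the ExchangeOnlineManagement
# module and a role that can read inbox rules (Exchange Administrator or similar).
# The "suspicious folder" list and the output path are my own assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; forwarding to any other domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$suspiciousFolders = @('Deleted Items', 'RSS Feeds', 'Junk Email', 'Archive', 'Conversation History')

function Get-ExternalTargets {
    # Takes the recipients from ForwardTo/RedirectTo/ForwardAsAttachmentTo and
    # returns only the addresses whose domain the tenant does not own.
    param([object[]]$Targets)
    foreach ($t in @($Targets)) {
        if (-not $t) { continue }
        # Recipients render as "Name [SMTP:user@domain]" or as a plain address.
        if ("$t" -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = "$t" }
        if ($addr -notmatch '@') { continue }
        $domain = $addr.Split('@')[-1].ToLower()
        if ($internalDomains -notcontains $domain) { $addr }
    }
}

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons  = @()
        $targets  = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
        $external = Get-ExternalTargets $targets
        if ($external) { $reasons += "forwards externally to $($external -join ', ')" }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($rule.MoveToFolder -and ($suspiciousFolders | Where-Object { "$($rule.MoveToFolder)" -like "*$_*" })) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead -and $rule.MoveToFolder) { $reasons += 'marks as read before moving' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once to get a baseline, then on a schedule; a rule that is disabled still shows up in the output, because an attacker can re-enable it later and a disabled forwarding rule is worth a conversation with the mailbox owner either way.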

The switches you’re not flipping

Conditional access is where things get genuinely useful. You can set policies that say: only allow logins from the United States. Require MFA for any login from a new device. Block access entirely from countries you don’t do business with. Require a compliant, managed device before anyone can access email on their phone. These policies exist. They’re included in your license. Most firms aren’t using a single one.
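The two previous sections, legacy authentication and conditional access, come together in one policy. As an added example (not the author’s code and not Microsoft’s template, though it mirrors the same client app types Microsoft’s “Block legacy authentication” template targets), the script below first lists who has signed in with a legacy protocol over the last two weeks, so you know which copier or line-of-business app will break, and then creates the blocking policy in report-only mode so it can be reviewed before enforcement. The 14-day window, the modern-client list, and the break-glass group id are my assumptions; the group id is a placeholder.

```powershell
# Added example (not the author's code): inventory legacy-auth sign-ins, then
# create a conditional access policy that blocks them in report-only mode.
# Requires the Microsoft.Graph PowerShell modules and the Conditional Access
# Administrator role (or equivalent). The break-glass group id is a placeholder.
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Who used a legacy protocol in the last 14 days? Microsoft's sign-in log
#    classes everything other than "Browser" and "Mobile Apps and Desktop clients"
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) as a legacy client.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$since  = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $modern -notcontains $_.ClientAppUsed }

$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $latest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            User     = $latest.UserPrincipalName
            Protocol = $latest.ClientAppUsed
            SignIns  = $_.Count
            LastSeen = $latest.CreatedDateTime
            LastIP   = $latest.IPAddress
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# 2. Block legacy auth for everyone except the emergency-access accounts.
#    clientAppTypes "exchangeActiveSync" and "other" cover the legacy protocols;
#    the policy starts in report-only so the sign-in log shows what it would block.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group
$policy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing the report
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only for a week or two, check the sign-in log for entries the policy reports it would have blocked, migrate or replace whatever shows up, and only then flip the state to enabled. The break-glass exclusion is not optional: a policy that blocks every admin from every client is how you lock yourself out of your own tenant.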

The security defaults Microsoft offers are better than nothing. They’re also the bare minimum. They’re a starting point for a personal account, not a professional services firm handling client confidential information. Microsoft knows this, which is why they built Secure Score, their own grading system for how well your tenant is configured. Most firms I see for the first time score somewhere between 25 and 35 out of 100. Not because they’re careless. Because nobody told them there was a test.

Getting your Microsoft 365 tenant properly secured takes a few hours of focused work by someone who knows what they’re doing. Conditional access policies. MFA enforced everywhere, not just “enabled” and waiting for users to set it up on their own. Legacy auth blocked. Mailbox auditing turned on. Alert policies configured for suspicious sign-ins and rule changes. It’s not a project. It’s a Tuesday afternoon.
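A read-only way to see where a tenant stands on that checklist, added here as an example and not the author’s or Microsoft’s code: it prints PASS or FAIL for each of the five items and finishes with the tenant’s current Secure Score. It needs the Microsoft.Graph and ExchangeOnlineManagement modules and read-only roles (Global Reader plus view-only Exchange and compliance access is enough). The pass/fail rules, and the name pattern used to spot a forwarding or inbox-rule alert policy, are my own heuristics.

```powershell
# Added example (not the author's code): read-only posture check for the five
# checklist items above, plus the tenant's Secure Score. Pass/fail thresholds and
# the alert-policy name pattern are my assumptions, not Microsoft guidance.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports, Microsoft.Graph.Security, ExchangeOnlineManagement
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'SecurityEvents.Read.All'
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession -ShowBanner:$false   # Security & Compliance PowerShell, for alert policies

$enabledPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'
$defaults        = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$checks          = [ordered]@{}

# 1. Conditional access: at least one policy is actually enforced, not just report-only.
$checks['Conditional access policies enforced'] = $enabledPolicies.Count -gt 0

# 2. MFA enforced everywhere: an enforced CA policy requiring MFA for all users, or
#    security defaults on. "Enabled and waiting for users" shows up as low registration.
$mfaPolicy = $enabledPolicies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa' -and $_.Conditions.Users.IncludeUsers -contains 'All'
}
$checks['MFA required for all users (CA policy or security defaults)'] = [bool]$mfaPolicy -or [bool]$defaults.IsEnabled
$reg        = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$registered = @($reg | Where-Object IsMfaRegistered).Count
$checks["MFA registered by every user ($registered of $($reg.Count))"] = $registered -eq $reg.Count

# 3. Legacy auth blocked: an enforced CA policy that blocks the 'other' client app
#    type, or security defaults (which also block legacy protocols).
$legacyBlock = $enabledPolicies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and $_.GrantControls.BuiltInControls -contains 'block'
}
$checks['Legacy authentication blocked'] = [bool]$legacyBlock -or [bool]$defaults.IsEnabled

# 4. Mailbox auditing: on at the organisation level unless someone switched it off.
$checks['Mailbox auditing enabled'] = -not (Get-OrganizationConfig).AuditDisabled

# 5. Alert policies: at least one enabled alert about forwarding or inbox-rule changes.
$ruleAlerts = Get-ProtectionAlert | Where-Object { -not $_.Disabled -and $_.Name -match 'forward|redirect|inbox rule' }
$checks['Alert policy for forwarding / inbox-rule changes'] = [bool]$ruleAlerts

$score = Get-MgSecuritySecureScore -Top 1 | Select-Object -First 1

foreach ($name in $checks.Keys) {
    $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $mark, $name
}
'Secure Score: {0} / {1} ({2:P0})' -f $score.CurrentScore, $score.MaxScore, ($score.CurrentScore / $score.MaxScore)
Disconnect-ExchangeOnline -Confirm:$false
```

A FAIL on item 2 with a high registration count usually means MFA was “enabled” per user but never enforced through a policy, which is exactly the gap the paragraph describes; a PASS on item 3 that comes only from security defaults is fine for a small tenant but is the first thing to replace once you move to conditional access, since enabling any CA policy requires security defaults to be turned off.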

Your firm is trusting Microsoft 365 with every email, every document, every client file you have. The platform can absolutely protect that data. But you gotta actually flip the switches. Right now, on most small firm tenants I look at, they’re just sitting there, turned off, waiting for someone to notice.