
M365 Login Attacks: 5 Controls Every SMB Needs


An IT admin posted something to Reddit that a lot of people recognized immediately: every single client they managed was getting hammered with Microsoft 365 login attempts at the same time, all traced back to one data center in Valley, Nebraska. Not one client. All of them. Simultaneously.

That's not a fluke. That's automation. And it's exactly what the current threat landscape looks like for small businesses.

This Week's News Confirms It's Not Paranoia

According to The Hacker News, Microsoft itself is actively tracking and warning about credential-harvesting campaigns targeting organizations through Microsoft-ecosystem attack surfaces — including a phishing campaign sophisticated enough to deliver Node.js implants. When Microsoft issues an advisory, it means the attack volume is broad enough that they can't ignore it.

Also this week, The Hacker News' ThreatsDay Bulletin flagged a recurring theme: old credentials still working and trusted workflows being weaponized. The bulletin's framing is important — these attacks feel "cheap, not elite." That's the point. Automated credential-stuffing tools are cheap to run, and they don't need to be sophisticated when millions of recycled passwords are sitting in breach databases waiting to be tried.

Where do those credentials come from? Schneier on Security covered exactly this pipeline this week: high-value credentials end up reused in low-value third-party systems, those systems get compromised, and the credentials feed attacker lists. One million passports leaked. Passwords reused. M365 login page hammered. That's the chain.

The Reddit admin wasn't seeing a weird anomaly. They were watching the assembly line in real time.

Why Small Businesses Are the Ideal Target

Enterprises have SOCs, SIEM tools, and dedicated identity teams. Small businesses have one overworked IT admin — or none at all. Attackers know this. Automated login attacks don't discriminate by company size; they just try every email address they have a password guess for. If your M365 tenant isn't hardened, you're in the queue.

The good news: the five controls below are not enterprise-only. Every M365 tenant can get the baseline (MFA and a block on legacy authentication) for free by turning on Security Defaults, the rest come with licenses most SMBs already hold or with a modest upgrade, and together they stop the vast majority of credential-based account takeovers.

5 Controls That Actually Stop M365 Login Attacks

1. Enforce MFA — But Do It Right

Basic MFA blocks the overwhelming majority of automated login attacks. If you haven't enforced it tenant-wide, that's the first thing to fix; on a tenant without Entra ID P1, turning on Security Defaults does it in one switch. But not all MFA is equal. SMS codes can be intercepted or SIM-swapped. Authenticator app push notifications are better, provided number matching is on (now the default for Microsoft Authenticator) so a user can't approve a prompt they didn't trigger; attackers do spam push prompts until a tired user taps Approve. Phishing-resistant options like passkeys or FIDO2 hardware keys are best, because the credential is bound to the real login domain and cannot be replayed through a proxy phishing page. We've covered the tradeoffs in detail in our passkeys vs SMS MFA vs authenticator apps comparison, which is worth reading before you pick a method.

2. Enable Conditional Access Policies

Conditional Access lets you define when and from where a login is allowed to succeed. It requires an Entra ID P1 license, which is included in Microsoft 365 Business Premium. At minimum, configure policies to:

- Require MFA for all users, always
- Block legacy authentication (basic-auth clients speaking SMTP AUTH, IMAP, POP3 or Exchange ActiveSync; these clients present only a password, so an MFA challenge is never issued)
- Block sign-ins from countries you never do business in, using named locations

Create each policy in report-only mode first, exclude a break-glass account from it, and review the report-only results in the sign-in logs before enforcing. A policy applied to "All users" with no exclusion and a mistake in it can lock every admin out of the tenant.

Legacy auth blocking alone stops a massive category of attacks. Attackers love legacy protocols because a stolen password is all they need; MFA never enters the picture. Microsoft has already switched basic authentication off for most Exchange Online protocols, but SMTP AUTH can still be re-enabled per mailbox, and a tenant-wide Conditional Access block covers whatever remains. Disable them.

3. Turn On Microsoft Entra ID Protection

Entra ID Protection (formerly Azure AD Identity Protection) scores sign-in risk in real time and can automatically block or challenge risky logins. It flags things like atypical travel (a login from Chicago and then Tokyo 20 minutes later), anonymous IP usage (Tor exit nodes, anonymizing VPNs) and password spray patterns, and it feeds that score into Conditional Access so a medium-risk sign-in can be forced through MFA and a high-risk one blocked outright. The automated risk policies require an Entra ID P2 license. Microsoft 365 Business Premium bundles Entra ID P1, which is enough for Conditional Access but not for risk-based policies, so check your tenant's licensing and budget for the P2 add-on if you want this control.
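As an added example covering sections 2 and 3 (this is not code from the original post or from Microsoft's policy templates), here is how the baseline policies look when created through the Microsoft Graph PowerShell SDK. All three are created in report-only mode so you can watch the Report-only tab of the sign-in logs for a few days before enforcing them. The break-glass account UPN, the policy names and the `contoso.onmicrosoft.com` domain are placeholders you must replace; the third policy only does anything on a tenant licensed for Entra ID P2.

```powershell
# Added example (not from the original post): create the baseline Conditional Access
# policies from sections 2 and 3 in report-only mode with the Microsoft Graph PowerShell SDK.
# Needs Entra ID P1 for the first two policies and Entra ID P2 for the sign-in risk policy.
# Install-Module Microsoft.Graph -Scope CurrentUser   # once
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# ASSUMPTION: replace with your emergency-access (break-glass) account. Every "All users"
# policy must exclude it, or one mistake can lock every admin out of the tenant.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"
$breakGlassId  = (Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'" -Property Id).Id
if (-not $breakGlassId) { throw "Break-glass account not found; refusing to create policies without an exclusion." }

$users = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
$apps  = @{ includeApplications = @("All") }
$reportOnly = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing results

$policies = @(
    @{
        displayName   = "CA001 - Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = $users
            applications   = $apps
            # "other" = clients that only speak basic auth (IMAP, POP3, SMTP AUTH, old Office);
            # "exchangeActiveSync" = EAS clients. Neither can answer an MFA challenge.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA002 - Require MFA for all users"
        state         = $reportOnly
        conditions    = @{ users = $users; applications = $apps; clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "CA003 - Require MFA on medium or high sign-in risk (needs Entra ID P2)"
        state         = $reportOnly
        conditions    = @{
            users            = $users
            applications     = $apps
            clientAppTypes   = @("all")
            signInRiskLevels = @("medium", "high")   # risk scored by Entra ID Protection
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
)

# Idempotent: skip any policy whose display name already exists in the tenant.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing.DisplayName -contains $p.displayName) { Write-Host "Exists, skipping: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"
}

# Check: list every policy with its state and whether the break-glass account is excluded.
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [pscustomobject]@{
        Policy             = $_.DisplayName
        State              = $_.State
        ExcludesBreakGlass = ($_.Conditions.Users.ExcludeUsers -contains $breakGlassId)
    }
} | Format-Table -AutoSize
```

Once the Report-only tab shows no legitimate sign-ins being caught, switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. The final table is the check worth keeping: any row with `ExcludesBreakGlass` set to False is a policy that can lock you out.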

4. Audit and Eliminate Shared Credentials

Shared M365 accounts, like a generic info@ or admin@ mailbox that five people know the password to, are a credential-stuffing dream. There's no per-user MFA, no accountability, and often no monitoring. We covered this exact risk in our post on shared credentials for printers, scanners, and MFPs; the same logic applies to any shared M365 account. Convert them to shared mailboxes, then confirm the underlying account has sign-in blocked and no license (converting a mailbox to shared does not block sign-in by itself), or assign individual licensed accounts with MFA.
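The audit a practitioner actually wants here is a list of shared mailboxes whose underlying account can still sign in. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you hold Exchange and user administration rights. Remediation is off by default.

```powershell
# Added example (not from the original post): find shared mailboxes whose underlying
# Entra account can still sign in interactively or still holds a license.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All"

$remediate = $false   # set to $true to block sign-in on offending accounts

$findings = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited -Properties ExternalDirectoryObjectId |
    ForEach-Object {
        # ExternalDirectoryObjectId is the Entra object id of the mailbox's hidden user account.
        $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property "id,userPrincipalName,accountEnabled,assignedLicenses"
        [pscustomobject]@{
            Mailbox       = $_.UserPrincipalName
            SignInEnabled = [bool]$user.AccountEnabled      # should be False for every shared mailbox
            Licensed      = (@($user.AssignedLicenses).Count -gt 0)   # a license is wasted money and a sign-in path
            UserId        = $user.Id
        }
    }

$findings | Format-Table -AutoSize
$risky = @($findings | Where-Object { $_.SignInEnabled })
Write-Host "$($risky.Count) shared mailbox account(s) can still sign in interactively."

if ($remediate) {
    foreach ($f in $risky) {
        # Blocking sign-in does not affect delegated (Full Access / Send As) use of the mailbox.
        Update-MgUser -UserId $f.UserId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($f.Mailbox)"
    }
}
```

Run it read-only first. A shared mailbox that shows `SignInEnabled` True is exactly the account the section describes: a password that several people know, which an attacker can also stuff, with no MFA in front of it.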

5. Monitor Sign-In Logs — At Least Weekly

You can't respond to what you can't see. M365's sign-in logs (in the Entra admin center) show every login attempt, including failures. A coordinated attack looks like hundreds of failed attempts against multiple accounts in a short window, often from the same IP range or ASN; the case that needs immediate action is a success from an IP that was spraying failures minutes earlier. Set up a weekly review habit at minimum. Without Entra ID P1 the portal keeps only seven days of sign-in logs (30 days with P1 or P2), so anything you don't look at within a week is gone. If you're an MSP managing multiple tenants, this is where centralized monitoring tools earn their keep. The Reddit admin who caught the Valley, Nebraska attack was watching logs. Most small businesses aren't.
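The pattern described above can be checked mechanically rather than by scrolling the portal. The following is an added example, not the original post's code: a function that takes sign-in records (the objects `Get-MgAuditLogSignIn` returns, or any objects with the same `UserPrincipalName`, `IpAddress`, `ClientAppUsed` and `Status.ErrorCode` properties), groups failures by source IP, and reports IPs that hit many accounts, flagging any account that IP then successfully logged into. The sample data at the bottom is constructed (TEST-NET addresses, a made-up `contoso.com` tenant) so the block runs offline; the thresholds are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): spot password-spray / credential-stuffing
# patterns in Entra sign-in logs and call out sprays that ended in a successful login.
$legacyClients = @("IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients")

function Find-SprayActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $SignIn,
        [int]$MinFailures = 20,   # ASSUMPTION: failures from one IP before it is worth a look
        [int]$MinAccounts = 5     # ASSUMPTION: distinct accounts tried from that IP
    )
    begin { $events = [System.Collections.Generic.List[object]]::new() }
    process { $events.Add($SignIn) }
    end {
        $failures = $events | Where-Object { $_.Status.ErrorCode -ne 0 }
        foreach ($g in ($failures | Group-Object IpAddress)) {
            $accounts = @($g.Group.UserPrincipalName | Sort-Object -Unique)
            if ($g.Count -lt $MinFailures -or $accounts.Count -lt $MinAccounts) { continue }

            # The dangerous case: the same IP later signs in successfully to one of the sprayed accounts.
            $hits = @($events | Where-Object {
                $_.IpAddress -eq $g.Name -and $_.Status.ErrorCode -eq 0 -and $_.UserPrincipalName -in $accounts
            })
            [pscustomobject]@{
                IpAddress       = $g.Name
                Failures        = $g.Count
                AccountsTried   = $accounts.Count
                WrongPassword   = @($g.Group | Where-Object { $_.Status.ErrorCode -eq 50126 }).Count   # 50126 = bad username/password
                LegacyAuthTries = @($g.Group | Where-Object { $_.ClientAppUsed -in $legacyClients }).Count
                FirstSeen       = ($g.Group.CreatedDateTime | Sort-Object | Select-Object -First 1)
                Compromised     = (@($hits.UserPrincipalName | Sort-Object -Unique) -join ", ")
                Verdict         = if ($hits.Count -gt 0) { "ACCOUNT TAKEOVER: reset password, revoke sessions" } else { "spray, no success seen" }
            }
        }
    }
}

# --- Constructed sample data (not a real tenant). ---
function New-SignIn($Upn, $Ip, $Code, $Client, $Minute) {
    [pscustomobject]@{
        CreatedDateTime   = (Get-Date "2025-01-06T02:00:00Z").AddMinutes($Minute)
        UserPrincipalName = $Upn
        IpAddress         = $Ip
        ClientAppUsed     = $Client
        Status            = [pscustomobject]@{ ErrorCode = $Code }
    }
}
$sample = @()
$targets = 1..8 | ForEach-Object { "user$_@contoso.com" }
$m = 0
foreach ($round in 1..4) {                      # 4 passwords tried against 8 accounts = 32 failures
    foreach ($u in $targets) { $sample += New-SignIn $u "203.0.113.45" 50126 "IMAP4" ($m++) }
}
$sample += New-SignIn "user3@contoso.com" "203.0.113.45" 0 "Browser" ($m++)   # one password stuck
$sample += New-SignIn "user7@contoso.com" "198.51.100.7" 50126 "Browser" 5     # a real user's typo
$sample += New-SignIn "user7@contoso.com" "198.51.100.7" 0 "Browser" 6

$sample | Find-SprayActivity | Format-List

# Real use: interactive sign-ins from the last 7 days (all Entra ID Free retains).
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | Find-SprayActivity
```

On the sample, only 203.0.113.45 is reported (32 failures across 8 accounts, all over IMAP4, then a success for user3), with the verdict calling for a password reset and session revocation; the single typo from 198.51.100.7 never crosses the thresholds. A non-zero `LegacyAuthTries` count on a tenant that already blocks legacy auth is a useful sanity check that the block is actually in force.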

For MSPs managing multiple clients, also check out our MSP internal security checklist — your own infrastructure is just as much a target.

The Bigger Picture

Credential attacks against M365 are not going to slow down. The economics favor the attacker: breach databases are cheap, automation is cheap, and every successful account takeover pays off in business email compromise, ransomware staging, or data theft. The Reddit admin who caught the coordinated attack was lucky — or rather, they were paying attention. Most small businesses won't catch it until an account is already compromised.

These five controls aren't a complete security program. But they close the door on the specific attack pattern that's surging right now. Implement them this week.


Take Action

Implementing these controls is step one. Knowing whether your M365 environment and surrounding infrastructure have other gaps — exposed services, misconfigured policies, forgotten legacy endpoints — is step two.

Oscar Six Security's Radar scans your external attack surface for exactly these kinds of exposures, starting at $99/scan. No enterprise contract, no lengthy onboarding. Just a clear picture of what attackers can see before they try to use it.

Focus Forward. We've Got Your Six.

See how Radar works →

Frequently Asked Questions

How do I stop brute force attacks on Microsoft 365?

The most effective combination is enforcing MFA tenant-wide, blocking legacy authentication protocols via Conditional Access, and enabling Entra ID Protection to automatically flag and block risky sign-ins. Monitoring your sign-in logs weekly helps you catch attack patterns before an account is fully compromised.

Does MFA really stop M365 account takeovers?

MFA blocks the vast majority of automated credential-stuffing attacks, but it's not foolproof — phishing-resistant methods like FIDO2 keys or passkeys are stronger than SMS codes or push notifications. Pairing MFA with Conditional Access policies and legacy auth blocking closes most of the remaining gaps.

What is credential stuffing and why does it target small businesses?

Credential stuffing is an automated attack where attackers take username/password pairs from data breaches and try them against other services like Microsoft 365. Small businesses are prime targets because they often lack the monitoring tools to detect the attack until an account is already compromised.

How much does it cost to secure a Microsoft 365 tenant for a small business?

Basic MFA and a block on legacy authentication are free on every tier through Security Defaults, and sign-in logs are available on every tier (with seven days of retention unless you have Entra ID P1). Customizable Conditional Access policies need Entra ID P1, which is included in M365 Business Premium (around $22/user/month). The automated risk policies in Entra ID Protection need Entra ID P2, which is an add-on on top of Business Premium. An external attack surface scan from Oscar Six Security's Radar costs $99 and can identify gaps in your broader security posture beyond M365 itself.

What is legacy authentication in Microsoft 365 and why should I block it?

Legacy authentication refers to basic (username-and-password-only) authentication over older protocols like SMTP AUTH, IMAP, and POP3. Those clients cannot complete an MFA challenge, so an attacker with a valid password can log in through them even if MFA is enforced for the normal sign-in page. Blocking legacy authentication via Conditional Access (or Security Defaults on a tenant without Entra ID P1) shuts this vector and is one of the highest-impact, lowest-effort controls available.

Step-by-Step Guide

  1. Enforce MFA tenant-wide

    In the Entra admin center, either turn on Security Defaults (Identity > Overview > Properties > Manage security defaults) if you don't have Entra ID P1, or create a Conditional Access policy that requires MFA for all users. Under Protection > Authentication methods, enable Microsoft Authenticator and passkeys/FIDO2 and disable SMS where you can.

  2. Block legacy authentication

    Create a Conditional Access policy in Entra ID that targets all users (excluding a break-glass account) and all cloud apps, with the client apps condition set to Exchange ActiveSync clients and Other clients, and the grant control set to Block. Run it in report-only mode for a few days, check the report-only results in the sign-in logs, then enable it.

  3. Configure sign-in risk policies

    With an Entra ID P2 license, create a Conditional Access policy with the sign-in risk condition set to Medium and High and the grant control set to require MFA (or Block for high risk, depending on your risk tolerance). Microsoft recommends building risk policies in Conditional Access rather than the older standalone Entra ID Protection policies.

  4. Audit and remove shared credentials

    Identify any M365 accounts shared by multiple users, convert them to shared mailboxes with no direct sign-in, and ensure every human user has an individual licensed account with MFA enforced.

  5. Review sign-in logs weekly

    In the Entra admin center under Identity > Monitoring & health > Sign-in logs, filter for failed sign-ins and look for patterns: multiple failures across accounts from one IP or ASN, unfamiliar IP ranges, legacy protocols in the Client app column, atypical travel indicators, and above all a success from an IP that was failing moments before. While any policy is in report-only mode, check its Report-only tab here too.