Without Multi-Factor Authentication and advanced notification features turned on, a compromised username and password go undetected. Once Microsoft Office 365 credentials are compromised, the perpetrators gain access to email, email rules, email settings, OneDrive and all its settings, SharePoint Online, and any other apps that are part of your Microsoft subscription. Additionally, if the compromised credentials carry elevated privileges, the entire Azure and Office 365 tenant is at risk. A good example of compromised credentials invading our privacy is a hacker configuring Microsoft email transport rules to duplicate and forward all sent and received emails to an external email account. These settings typically go unchecked for days.

It is important for you and your business to be aware of any email settings or protocols that allow automatic forwarding of email outside of your organization. To improve security, we recommend that you disable this functionality by default; this may need to be done by your service provider or email host. If an email account is hacked and auto-forwarding is enabled, there will be no way of knowing that the user's mailbox is sharing all of its email with the hacker. Auto-forwarding mail to external contacts can have legitimate uses, but it is risky. Allowing staff to automatically forward mail to external email addresses brings the danger of information leakage. Additionally, employees can choose not to keep copies of forwarded messages in their business mailboxes, which means those emails are never archived and will not be available for future reference.
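One way to audit the three places forwarding can hide in Exchange Online (mailbox forwarding, inbox rules, and transport rules) and then turn external auto-forwarding off, as an added example that is not part of the original post. It uses the ExchangeOnlineManagement PowerShell module and assumes an account with Exchange administrator rights and the usual policy names ("Default"); adjust those if your tenant differs.

```powershell
# Requires: Install-Module ExchangeOnlineManagement; Exchange administrator rights.
# Assumes the remote domain and outbound spam policy are both named "Default".
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding set on the mailbox object itself (visible to admins, not the user)
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail: the classic post-compromise rule,
#    often paired with DeleteMessage so the victim never sees the forwarded copy
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.PrimarySmtpAddress }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Tenant-wide transport (mail flow) rules that copy or redirect messages
$transportForwarding = Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or
                   $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

# Review every hit: anything pointing at an external address needs a business reason
$mailboxForwarding   | Format-Table -AutoSize
$ruleForwarding      | Format-Table -AutoSize
$transportForwarding | Format-Table -AutoSize

# 4. Disable automatic forwarding to external domains tenant-wide, at both the
#    remote-domain level and in the outbound spam filter policy
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit on a schedule and alert on any new row, since a forwarding rule created after the audit is exactly the case the post describes.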
Back to the topic of compromised credentials: this can be prevented by enabling multi-factor authentication, which adds an additional step after the password, such as a hardware token, an SMS notification, or a biometric input, to complete the authentication process. In the near future, Microsoft is hoping to finally kill passwords within businesses with the latest upgrade to its Microsoft Authenticator app. The password is increasingly viewed as an insecure way to authenticate users, with employees often resorting to weak passwords as they try to keep up with corporate demands for frequent changes. Microsoft already offers a range of alternatives to passwords, such as Windows Hello facial and fingerprint log-in, used by over 47 million users, and the Microsoft Authenticator app, which can be used to log in to a range of Microsoft and third-party accounts. The iOS and Android app eliminates the need for passwords by authenticating with a combination of the phone and a fingerprint, face, or PIN for a more secure, multi-factor sign-in. Now, Microsoft has extended support for passwordless login using the app to the hundreds of thousands of Azure Active Directory-connected apps used by businesses.