Demystifying Microsoft
Prevent Business Account Compromise in Microsoft 365
May 5, 2026
Compromised Microsoft 365 accounts are increasing, and many organizations don’t clearly understand how or why. Nathan Taylor breaks down what’s actually happening, from phishing and token theft to gaps in identity controls. He explains how business email compromise works, why it’s accelerating, and what follows once access is gained, including the financial and operational impact most teams underestimate.
In this episode of Demystifying Microsoft, Nathan Taylor examines the mechanics behind business email compromise in Microsoft 365. He explains how attackers get access, what they do once inside, and why these incidents often go undetected until real damage occurs. The discussion also covers the scale of financial loss and why Microsoft 365 environments continue to be a prime target.

The episode then shifts to what happens after an account is compromised. This is where many organizations misjudge the risk. Attackers rarely act immediately. They monitor activity, create mail rules, and wait for opportunities to insert themselves into financial workflows. Nathan outlines the downstream impact, including financial loss, operational disruption, and reputational exposure.

The takeaway is straightforward. These attacks are common, but they are also preventable when the right identity and security foundations are in place.

About the Host:

Nathan Taylor is Senior Vice President and Global Microsoft Practice Leader at Sourcepass, where he leads the Sourcepass Center of Excellence for Microsoft, also known as the Sourcepass MCOE. With nearly two decades of experience, he helps organizations navigate complex Microsoft cloud and security decisions by turning technology into secure, scalable outcomes.


Episode Highlights:

[00:07:15] The MFA Problem Most Organizations Miss
It seems like a solved problem, but it is not. Many teams believe their MFA and phishing protections are fully set up, but small gaps still exist. This moment hints at why those gaps matter more than expected.

[00:16:30] The Financial Impact You Don’t See Coming
Did you know a single compromised account can lead to losses in the hundreds of thousands? This part of the episode points to real-world outcomes that show how quickly things can escalate.

[00:19:45] Why Microsoft 365 is a Prime Target
Attackers are not choosing platforms randomly. This segment explores what makes Microsoft 365 such an attractive target and why it continues to see high volumes of attacks.

[00:03:10] What “Hacked” Really Means
The term gets used loosely, but the reality is more structured. This section teases how business email compromise actually works and why it is so effective.

[00:11:00] What Happens After Access Is Gained
Did you know attackers often wait before acting? This moment reveals how they observe, set up rules, and position themselves before making a move.


Episode Resources:


•  Assess your Microsoft 365 Security Posture
Not sure where identity or access gaps exist in your tenant? A Microsoft 365 Security Assessment helps surface real risk and prioritize the next steps. Get a clear view of your exposure: https://sourcepassmcoe.com/m365-security-assessment-sourcepass-mcoe

•  Harden your Microsoft 365 environment
Many compromises succeed because foundational settings are missed. This checklist highlights the core controls every tenant should review. Validate your hardening baseline: https://sourcepassmcoe.com/articles/microsoft-365-hardening-checklist-sourcepass-mcoe

•  Close gaps with critical Conditional Access policies
Misconfigured Conditional Access remains a common entry point for attackers. This guide outlines the policies every tenant should enforce. Review the must-have Conditional Access policies: https://sourcepassmcoe.com/articles/top-conditional-access-policies-for-m365-security-sourcepass-mcoe

