How common are account takeovers in M365 tenants?

71% of M365 tenants have suffered at least one account takeover, with an average of 7x account takeovers per affected tenant in the last year according to CoreView research.

What are the five stages of M365 attacks covered in the report?

The report covers five stages: Research (before login attempts, attackers know your environment), Entry (exploiting numerous vectors beyond email), Privilege Elevation (standard accounts reaching Global Admin through app permissions), Persistence & Evasion (remaining undetected for weeks), and Ransom & Exfiltration (tenant-wide compromise).

Free Threat Report · 32 pages · 4 Microsoft security experts

Attackers don't break in.

They log in.

This report breaks down where they start, where they go and how to close those gaps before it is too late.

How attackers got into Microsoft's own environment – and what they exploited

Why 36% of M365 admins are over-priviledged – and what to do about it

The 10,000+ configurations attackers target – and how to know if yours have drifted

Co-authored with Vasil Michev (9× Microsoft MVP) and Terence Jackson (Chief Customer Security Officer, Microsoft)

Get the free M365 attack report

32 pages. Instant access.

Attackers are gathering intel. Put yourself one step ahead.

71%

of M365 tenants have suffered at least one account takeover

CoreView research

average account takeovers per affected tenant in the last year

CoreView research

94%

of organisations experiencing cyberattacks in Teams and SharePoint

Mimecast, 2024

$120K

dark web auction price for a single domain admin account

Digital Shadows

Inside the report

How to detect and prevent attacks, every step of the way

Five stages. Twenty critical problems. One complete playbook to stop attackers at every stage, from the first reconnaissance scan to data exfiltration.

Part 1

Research

Before a single login attempt, attackers already know your environment.

Part 2

Entry

Your email might be secure, but attackers exploit numerous vectors.

Part 3

Privilege Elevation

One standard account with the right app permissions reaches Global Admin.

Part 4

Persistence & Evasion

By the time your SIEM alerts you, they've likely been inside for weeks.

Part 5

Ransom & Exfiltration

Tenant-wide compromise becomes inevitable and recovery could take months.

Who wrote this

Written by the people Microsoft calls

Four expert contributors with direct, hands-on experience defending M365 environments at scale.

Vasil Michev

9× Microsoft MVP

Expertise in planning, POC and pilot, migration, security, and ongoing support.

Terence Jackson

Chief Customer Security Officer, Microsoft

A hardened specialist in breach analysis and security.

Rob Edmondson

M365, DevOps & Identity Security Specialist

A decade of experience in SaaS privileged access management.

Sharon Breeze

20+ Years SaaS & Enterprise Security

SaaS specialist with experience at security-conscious firms like Fujitsu and Hewlett-Packard.

Malicious activity might feel invisible.
Until you know where to look.

Configuration drift won't trigger a Defender alert. Overprivileged Entra apps won't appear on any dashboard – until it's too late. But attackers work to a routine and, if you know how they get in, that's how you keep them out. Read the report now to see what falls through the gaps, where to find it in your environment and how to fix it fast.

Get the free report →

Attackers don't break in.

How to detect and prevent attacks, every step of the way

Written by the people Microsoft calls

Malicious activity might feel invisible.Until you know where to look.

Malicious activity might feel invisible.
Until you know where to look.