Published by Core Connections – March 2025
Cyberattacks targeting cloud email environments are on the rise—especially when high-ranking executives are involved. Core Connections recently assisted a client in the healthcare-adjacent sector after a critical email compromise incident within their Microsoft 365 tenant. This case illustrates the importance of identity security, access control, and advanced threat protection in modern cloud-based workplaces.
The Incident: Executive Email Spoofing from Within the Microsoft 365 Tenant
The breach was first discovered when one of the client’s external partners flagged a suspicious email allegedly sent from a senior executive at the organization. The message claimed that their banking details had changed and requested urgent wire transfer confirmations—an immediate red flag. Upon closer inspection, it became clear that the email had not just been spoofed but was actually originating from within the organization’s Microsoft 365 tenant.
At this point, Core Connections was contacted to investigate and respond to the incident.
Our Investigation and Initial Findings
Once granted access, our team conducted a series of forensic diagnostics including:
- Audit log reviews across Exchange Online and Azure AD
- Mail flow analysis and message trace logs
- Review of delegation and forwarding rules for suspicious patterns
- Inspection of login activity by geography and device
We quickly determined that a bad actor had compromised the email account of a senior leader within the organization who—critically—held Global Administrator rights. This allowed the attacker to remain within the Microsoft 365 tenant undetected for a period of time and impersonate trusted contacts internally and externally.
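As an added illustration of the forwarding-rule review described above (this is an example written for this article, not a script from the engagement or from Core Connections), the following Exchange Online PowerShell enumerates mailbox-level forwarding and inbox rules that forward, redirect or delete mail, and flags any destination outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and the signed-in account may read mailbox settings.

```powershell
# Added example, not part of the original engagement. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# may read mailbox settings and inbox rules.
Connect-ExchangeOnline -ShowBanner:$false

# Domains owned by the tenant; anything else is treated as external.
$acceptedDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as '"Name" [SMTP:user@domain]'; mailbox forwarding as 'smtp:user@domain'.
    # Empty values and legacy EX: distinguished names (internal recipients) are not external.
    if (-not $Address -or $Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].TrimEnd(']')
    return ($acceptedDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set with Set-Mailbox and is not visible to the user in Outlook.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            Rule     = '-'
            Target   = (@($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) -join ' '
            External = Test-ExternalAddress $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules created by the user, or by whoever holds the user's session.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @(@($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) |
                     Where-Object { $_ })
        # A rule that forwards/redirects, or silently deletes mail, is worth a look either way.
        if ($targets.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Type     = 'InboxRule'
                Rule     = $rule.Name
                Target   = ($targets -join ';')
                External = [bool]($targets | Where-Object { Test-ExternalAddress $_ })
            }
        }
    }
}

# External destinations first; internal forwards and delete-only rules follow.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Run it tenant-wide during triage, then narrow `Get-InboxRule -Mailbox` to the affected account to cross-check each rule against the audit log entry that created it.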
Containment and Remediation Steps
Our team initiated a structured incident response to contain the threat:
- Removal of Global Admin Privileges
We immediately stripped the compromised user account of all administrative roles. Adhering to least privilege access principles, we then audited all other accounts with admin roles and reduced unnecessary access across the board.
- Company-wide Multi-Factor Authentication (MFA) Enforcement
Although MFA had previously been optional, universal enforcement was clearly now required. We deployed and enforced Microsoft 365 MFA through Conditional Access policies and provided user training to support adoption.
- SaaS Defence by Kaseya for Email Security
To stop threats before they reach the inbox, we implemented SaaS Defence (Graphus), Kaseya’s advanced phishing and spam protection system. This provides:
  - AI-based detection of phishing, malware, and spoofing attempts
  - Real-time banner warnings for suspicious emails
  - Automated quarantining of high-risk messages
- SaaS Protection for Backup and Recovery
To further secure the environment, we deployed Datto SaaS Protection across:
  - All user Microsoft 365 mailboxes
  - SharePoint Online document libraries
  - OneDrive for Business files
This ensured that all critical data was being backed up multiple times per day, enabling fast recovery in the event of future incidents or accidental deletions.
Outcome: Full Containment and a Hardened Cloud Environment
Following our intervention:
- All malicious activity was contained and neutralized.
- No financial damage was incurred due to early detection by the external party.
- The client now has company-wide MFA, role-based access controls, real-time email threat detection, and cloud data backups.
- Ongoing monitoring and alerts are in place to detect suspicious behavior moving forward.
Lessons Learned: Proactive Cloud Security Is Non-Negotiable
This incident highlights a reality that many small and mid-sized businesses face: relying on Microsoft 365 without layered security controls is a risk. Cybercriminals often target high-ranking individuals with elevated permissions—and without proper safeguards, the consequences can be serious.
Core Connections helps organizations prevent these attacks before they happen by offering end-to-end Microsoft 365 security services, including:
- Baseline security audits and hardening
- Admin role reviews and least-privilege access enforcement
- MFA rollout and Conditional Access setup
- Deployment of SaaS Defence and SaaS Protection
- Email continuity and recovery planning
Do Not Wait Until After a Breach
If your business is using Microsoft 365 and has not reviewed its security configuration recently, now is the time. Reach out to Core Connections for a free consultation or security assessment. Prevention is always more cost-effective than incident response.