Office 365 Email Security: The Hidden Threats Microsoft Defender Doesn't Cover
Microsoft Defender for Office 365 is excellent at what it does. But there's a whole category of post-compromise threats it's not designed to catch. Here's what you're missing and how to close the gap.
MailBreach Security
February 27, 2026
Microsoft Has Done a Lot Right
Let's be clear upfront: Microsoft Defender for Office 365 is a serious security product. It blocks millions of phishing emails, detects malicious attachments, provides advanced anti-malware capabilities, and includes threat intelligence from one of the largest security organizations in the world.
For organizations using Microsoft 365, enabling and properly configuring Defender should be a baseline requirement.
But there's a category of threats that Defender wasn't designed to address — and understanding that gap is essential to actually protecting your organization.
What Defender Covers Well
Microsoft Defender for Office 365 excels at inbound threat detection:
- **Anti-phishing protection:** Machine learning models detect spoofed senders, impersonation attempts, and malicious content
- **Safe Links:** Real-time URL scanning and detonation of suspicious links
- **Safe Attachments:** Sandboxing of attachments before delivery
- **Anti-malware:** Detection of malicious payloads in email content
- **Anti-spam:** Filtering of unsolicited bulk mail
- **Spoof intelligence:** Detection of emails using your domain but not coming from your servers
These are genuine capabilities that prevent a large volume of attacks from reaching your users.
The Gap: Post-Compromise Configuration Threats
Here's where it gets complicated. Defender is fundamentally a message-layer security tool. It evaluates emails as they arrive and flags or blocks those that appear malicious.
But modern sophisticated attacks — particularly Business Email Compromise — often operate entirely outside the message layer. They don't need to send malicious emails. They exploit configuration features built into the platform itself.
The Hidden Forwarding Rule Problem
When an attacker compromises a Microsoft 365 account (through phishing, credential stuffing, or purchasing credentials), their first move is typically not to start sending emails. That's noisy. Instead, they:
- Create an inbox forwarding rule to send copies of all mail to an external address
- Create a rule to auto-delete security notifications from Microsoft or IT
- Possibly mark forwarded emails as read to suppress unread counts
- Log out and wait
Defender doesn't flag this. These are legitimate platform features being used in a malicious way. There's no malicious payload to scan. There's no suspicious link. Just a configuration change that looks exactly like any other inbox rule.
Microsoft does have some alerting for "suspicious inbox manipulation rules" — but these alerts are triggered by specific patterns, not comprehensive monitoring of all rule changes across all users.
Tenant-Level Policy Drift
Beyond individual mailbox rules, attackers who gain admin access (or who target accounts that have accumulated excessive permissions) can make tenant-level changes:
- Enable external auto-forwarding (if it was previously disabled)
- Create mail flow transport rules that BCC every email to an external address
- Modify remote domain settings to allow forwarding to specific targets
- Add connector configurations that route certain mail through external servers
These changes are silent. They look like administrative actions. And they can affect your entire organization, not just one mailbox.
The Persistence Problem
Here's the detail that catches most organizations off guard: forwarding rules survive password resets.
When you detect a compromised account and force a password reset, the rules remain. The attacker loses their ability to log in, but the forwarding continues. Unless someone specifically audits and removes the rules, the exfiltration keeps running.
We've seen cases where organizations thought they'd contained a compromise — reset the password, revoked sessions, checked the login logs — but the attacker's forwarding rule ran undetected for months afterward.
What a Complete Office 365 Security Stack Looks Like
Defender covers the inbound message layer. But a complete security posture requires additional visibility into the configuration layer:
1. Continuous Mailbox Rule Auditing
All inbox rules across all users should be inventoried and reviewed:
- Rules forwarding to external addresses
- Rules that delete or hide emails
- Rules created recently (especially on high-value accounts)
- Rules targeting financial keywords (invoice, wire, payment, ACH)
This should happen continuously, not on a quarterly audit cycle.
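The following script is an added example (not MailBreach's or Microsoft's code) of what such an inventory looks like when run from Exchange Online PowerShell: it lists every inbox rule in the tenant and flags the patterns above: external forwarding, deletion or hiding, and financial-keyword conditions. It assumes the ExchangeOnlineManagement module, an existing `Connect-ExchangeOnline` session with a role that can read inbox rules, and a keyword list and folder list that you will want to extend. Note that an inbox rule object carries no creation timestamp, so "rules created recently" has to come from the unified audit log rather than from the rule itself.

```powershell
# Added example: tenant-wide inbox rule triage (assumes an active Connect-ExchangeOnline session).
# Keyword and folder lists are assumptions; adjust them for your organisation.
$financialKeywords = @('invoice', 'wire', 'payment', 'ach', 'remittance', 'bank', 'routing')
$hidingFolders = 'RSS|Archive|Junk|Conversation History|Deleted'

# Accepted domains define which addresses count as internal.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })

function Get-ExternalTargets {
    param([string[]]$Targets)
    # Entries look like '"Name" [SMTP:user@example.com]' or a bare address; legacy DNs have no '@' and are internal.
    foreach ($t in $Targets) {
        if ($t -and $t -match '([\w.+-]+@[\w.-]+\.\w+)') {
            $addr = $Matches[1].ToLower()
            if ($internalDomains -notcontains $addr.Split('@')[1]) { $addr }
        }
    }
}

function Test-InboxRule {
    param($Rule)
    $flags = @()
    $targets = @($Rule.ForwardTo) + @($Rule.RedirectTo) + @($Rule.ForwardAsAttachmentTo)
    $external = @(Get-ExternalTargets -Targets $targets)
    if ($external) { $flags += "external-forward:$($external -join ',')" }
    if ($Rule.DeleteMessage) { $flags += 'deletes-mail' }
    # Moving mail into folders users rarely open behaves like deletion.
    if ($Rule.MoveToFolder -and "$($Rule.MoveToFolder)" -match $hidingFolders) { $flags += "moves-to:$($Rule.MoveToFolder)" }
    # Marking forwarded mail as read suppresses the unread count the victim would notice.
    if ($Rule.MarkAsRead -and $external) { $flags += 'marks-read' }
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
    $hits = @($words | Where-Object { $w = "$_"; $financialKeywords | Where-Object { $w -match "\b$_\b" } })
    if ($hits) { $flags += "financial-keywords:$($hits -join ',')" }
    $flags
}

$findings = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $mbx = "$($_.PrimarySmtpAddress)"
    Get-InboxRule -Mailbox $mbx | ForEach-Object {
        $flags = @(Test-InboxRule -Rule $_)
        if ($flags) {
            [pscustomobject]@{ Mailbox = $mbx; Rule = $_.Name; Enabled = $_.Enabled; Flags = ($flags -join '; ') }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Persist the findings so the next run can be compared against this one.
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV between runs: a rule that newly appears with an `external-forward` or `deletes-mail` flag on a finance or executive mailbox is the case the article describes.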
2. Tenant Configuration Monitoring
Tenant-level settings should be monitored for changes:
- Auto-forward to external domains (should be disabled by default)
- Transport rules and mail flow configurations
- Remote domain settings
- Admin role assignments and permissions
Any change to these settings should trigger an alert and require review.
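As an added example (not MailBreach's code), the script below captures the tenant-level settings listed above into a JSON snapshot, compares it with the previous snapshot, and reports every addition, removal or modification, which is the simplest form of "trigger an alert on change". It assumes an active `Connect-ExchangeOnline` session; the snapshot path is an assumption. Admin role assignments are left out here because they live in Entra ID rather than Exchange Online.

```powershell
# Added example: snapshot tenant mail-flow settings and report drift (assumes Connect-ExchangeOnline).
$snapshotPath = '.\tenant-mailflow-baseline.json'   # assumed location

function Get-MailFlowSnapshot {
    $remote = Get-RemoteDomain | ForEach-Object {
        [pscustomobject][ordered]@{ Kind = 'RemoteDomain'; Id = "$($_.Identity)"; AutoForwardEnabled = $_.AutoForwardEnabled }
    }
    # The outbound spam filter policy is the authoritative auto-forwarding switch in Exchange Online.
    $spam = Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
        [pscustomobject][ordered]@{ Kind = 'OutboundSpamPolicy'; Id = "$($_.Identity)"; AutoForwardingMode = "$($_.AutoForwardingMode)" }
    }
    # Transport rules that copy, redirect or add recipients are the tenant-wide BCC vector.
    $rules = Get-TransportRule | ForEach-Object {
        $t = @($_.BlindCopyTo) + @($_.RedirectMessageTo) + @($_.AddToRecipients) + @($_.CopyTo)
        [pscustomobject][ordered]@{ Kind = 'TransportRule'; Id = $_.Name; State = "$($_.State)"; Targets = @($t | ForEach-Object { "$_" }) }
    }
    $connectors = Get-OutboundConnector | ForEach-Object {
        [pscustomobject][ordered]@{ Kind = 'OutboundConnector'; Id = $_.Name; Enabled = $_.Enabled
                                    SmartHosts = @($_.SmartHosts | ForEach-Object { "$_" }); Domains = @($_.RecipientDomains | ForEach-Object { "$_" }) }
    }
    @($remote) + @($spam) + @($rules) + @($connectors)
}

function Compare-Snapshot {
    param($Old, $New)
    # Key each setting by Kind/Id and compare the serialised form so any field change is caught.
    $oldMap = @{}; foreach ($o in @($Old)) { $oldMap["$($o.Kind)/$($o.Id)"] = ($o | ConvertTo-Json -Compress -Depth 5) }
    $newMap = @{}; foreach ($n in @($New)) { $newMap["$($n.Kind)/$($n.Id)"] = ($n | ConvertTo-Json -Compress -Depth 5) }
    foreach ($k in $newMap.Keys) {
        if (-not $oldMap.ContainsKey($k)) { [pscustomobject]@{ Change = 'added'; Setting = $k; Was = $null; Now = $newMap[$k] } }
        elseif ($oldMap[$k] -ne $newMap[$k]) { [pscustomobject]@{ Change = 'modified'; Setting = $k; Was = $oldMap[$k]; Now = $newMap[$k] } }
    }
    foreach ($k in $oldMap.Keys) {
        if (-not $newMap.ContainsKey($k)) { [pscustomobject]@{ Change = 'removed'; Setting = $k; Was = $oldMap[$k]; Now = $null } }
    }
}

$current = @(Get-MailFlowSnapshot)

# Posture check independent of drift: anything that currently permits external auto-forwarding.
$current | Where-Object { ($_.Kind -eq 'RemoteDomain' -and $_.AutoForwardEnabled) -or
                          ($_.Kind -eq 'OutboundSpamPolicy' -and $_.AutoForwardingMode -eq 'On') } |
    ForEach-Object { Write-Warning "Auto-forwarding is allowed by $($_.Kind) '$($_.Id)'" }

if (Test-Path $snapshotPath) {
    $previous = Get-Content $snapshotPath -Raw | ConvertFrom-Json
    $drift = @(Compare-Snapshot -Old $previous -New $current)
    if ($drift) { $drift | Format-List; Write-Warning "Tenant mail-flow drift detected: $($drift.Count) change(s)" }
    else { Write-Host 'No drift since last snapshot.' }
}
ConvertTo-Json -InputObject $current -Depth 5 | Set-Content $snapshotPath
```

The first run only writes the baseline; each later run prints the differences before overwriting it. Wire the `Write-Warning` lines into whatever alerting you already use so a new transport rule with an external target is reviewed the same day it appears.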
3. Unified Audit Logging (and Actually Reviewing It)
Microsoft 365 has extensive audit logging capabilities. But logging alone isn't the same as detection. You need:
- Audit logging turned on (it's not always enabled by default)
- Retention long enough to detect slow-moving attacks (90 days minimum)
- Active review of mailbox rule creation events
- Alerts for high-risk event types, not just passive logging
4. Cross-User Visibility
Defender protects individual accounts from inbound threats. But detecting organization-wide patterns requires a different view:
- Which users have external forwarding rules? (A single user may be acceptable; dozens is suspicious)
- Are rules appearing on multiple executive accounts? (Suggests a coordinated attack)
- Are new rules appearing on accounts with recent suspicious login activity?
This correlation requires a centralized view across your entire tenant.
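The script below is an added example (not MailBreach's code) that serves both section 3 and section 4: it pulls inbox-rule and mailbox-forwarding events from the unified audit log, then correlates each change with the same user's sign-ins in the preceding 24 hours and summarises how many distinct users changed forwarding in the window. It assumes an active `Connect-ExchangeOnline` session and that unified audit logging is switched on; the 7-day window, the 24-hour look-back and the 5000-row page size are assumptions.

```powershell
# Added example: audit-log search for rule changes, correlated with recent sign-ins per user.
$end = Get-Date
$start = $end.AddDays(-7)          # assumed search window

# Fail early if ingestion is off; otherwise the searches simply return nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled; enable it before relying on these searches.'
}

function Get-AuditEvents {
    param([string[]]$Operations, [string]$UserId, [datetime]$From = $start, [datetime]$To = $end)
    # ReturnLargeSet pages results by SessionId; keep calling until a page comes back short.
    $params = @{ StartDate = $From; EndDate = $To; Operations = $Operations; ResultSize = 5000
                 SessionId = [guid]::NewGuid().ToString(); SessionCommand = 'ReturnLargeSet' }
    if ($UserId) { $params.UserIds = $UserId }
    do {
        $batch = @(Search-UnifiedAuditLog @params)
        $batch
    } while ($batch.Count -eq 5000)
}

# Exchange admin events carry ClientIP; Outlook-client events carry ClientIPAddress. Both may append a port.
function Get-EventIP { param($Data); $ip = if ($Data.ClientIP) { $Data.ClientIP } else { $Data.ClientIPAddress }; "$ip" -replace ':\d+$', '' }

$ruleOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$ruleEvents = Get-AuditEvents -Operations $ruleOps | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    # Parameters is a list of Name/Value pairs; keep the ones that reroute or hide mail.
    $interesting = @($data.Parameters | Where-Object {
        $_.Name -match 'ForwardTo|RedirectTo|ForwardAsAttachmentTo|ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward|DeleteMessage|MoveToFolder' })
    if ($_.Operations -eq 'UpdateInboxRules' -or $interesting) {
        [pscustomobject]@{ When = $_.CreationDate; User = "$($_.UserIds)"; Operation = $_.Operations
                           ClientIP = Get-EventIP $data
                           Parameters = (($interesting | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ') }
    }
}

# For each change, list the user's sign-ins in the prior 24 hours and the IPs they came from.
$findings = foreach ($ev in $ruleEvents) {
    $logins = Get-AuditEvents -Operations 'UserLoggedIn' -UserId $ev.User -From $ev.When.AddHours(-24) -To $ev.When
    $ips = @($logins | ForEach-Object { Get-EventIP ($_.AuditData | ConvertFrom-Json) } | Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        When = $ev.When; User = $ev.User; Operation = $ev.Operation; Parameters = $ev.Parameters
        RuleClientIP = $ev.ClientIP; LoginIPsLast24h = ($ips -join ', ')
        # A change from an IP absent from the user's recent sign-ins (or with no sign-in at all) deserves a look.
        Suspicious = [bool]($ev.ClientIP -and ($ips -notcontains $ev.ClientIP))
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize

# Cross-user view: one user changing forwarding is routine; many in the same week is a pattern.
$findings | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```

The `Suspicious` column is a triage aid, not a verdict: token reuse can produce a rule change with no fresh `UserLoggedIn` record. The grouping at the end is the cross-user view the section asks for; join it against your list of executive and finance mailboxes to spot rules clustering on high-value accounts.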
Practical Steps for Microsoft 365 Administrators
Immediately
Disable external auto-forwarding:
Go to Exchange Admin Center → Mail Flow → Remote Domains → Default → Uncheck "Allow automatic forwarding." This removes the most impactful attack vector with a single setting change.
Run a forwarding rule audit:
In PowerShell (requires the ExchangeOnlineManagement module and an active `Connect-ExchangeOnline` session):

```powershell
# List every mailbox's inbox rules and keep only the ones that forward or redirect mail
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox "$($_.PrimarySmtpAddress)"
} | Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null } |
Select-Object MailboxOwnerID, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
```
Review every result. Anything forwarding to an external address you don't recognize warrants investigation.
Enable audit logging:
Security & Compliance Center → Search → Audit log search → Turn on auditing.
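The three immediate steps above can be applied from one script, shown here as an added example (not MailBreach's code). It disables external auto-forwarding at both places Exchange Online checks (the remote domain setting named above and the outbound spam filter policy's `AutoForwardingMode`, which governs auto-forwarding regardless of per-mailbox settings), turns on unified audit log ingestion, and adds one check the inbox-rule audit cannot perform: mailbox-level forwarding set with `Set-Mailbox`, which is not an inbox rule and so never appears in `Get-InboxRule` output. It assumes an active `Connect-ExchangeOnline` session with Organization Management rights and is written to support `-WhatIf` so you can preview every change first.

```powershell
# Added example: apply the "Immediately" steps with -WhatIf support (assumes Connect-ExchangeOnline).
[CmdletBinding(SupportsShouldProcess)]
param()

function Disable-ExternalAutoForward {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # 1. Remote domain setting: the "Allow automatic forwarding" checkbox in the Exchange Admin Center.
    foreach ($rd in Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled }) {
        if ($PSCmdlet.ShouldProcess("$($rd.Identity)", 'Set AutoForwardEnabled to False')) {
            Set-RemoteDomain -Identity $rd.Identity -AutoForwardEnabled $false
        }
    }
    # 2. Outbound spam filter policy: 'Off' blocks auto-forwarding to external recipients tenant-wide.
    #    'Automatic' is the service default; setting 'Off' explicitly removes any ambiguity.
    foreach ($p in Get-HostedOutboundSpamFilterPolicy | Where-Object { "$($_.AutoForwardingMode)" -ne 'Off' }) {
        if ($PSCmdlet.ShouldProcess("$($p.Identity)", "Set AutoForwardingMode to Off (was $($p.AutoForwardingMode))")) {
            Set-HostedOutboundSpamFilterPolicy -Identity $p.Identity -AutoForwardingMode Off
        }
    }
}

function Get-MailboxLevelForwarding {
    # Forwarding configured with Set-Mailbox is not an inbox rule, so a Get-InboxRule audit never sees it.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

function Enable-UnifiedAuditLog {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        if ($PSCmdlet.ShouldProcess('Organization', 'Enable unified audit log ingestion')) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        }
    }
}

# Preview:  .\Harden-MailFlow.ps1 -WhatIf      Apply:  .\Harden-MailFlow.ps1
Disable-ExternalAutoForward
Enable-UnifiedAuditLog
Write-Host 'Mailboxes with mailbox-level forwarding (review each one):'
Get-MailboxLevelForwarding | Format-Table -AutoSize
```

Review the mailbox-level forwarding list with the same scrutiny as the inbox-rule audit: a `ForwardingSmtpAddress` pointing outside your accepted domains on a mailbox whose owner never asked for it is the same exfiltration path in a different setting.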
Ongoing
Create alerts for inbox rule creation:
In the Security & Compliance Center, create an alert policy for the "New-InboxRule" operation with an external destination.
Review admin role assignments quarterly:
Exchange Admin Center → Roles → Admin Roles. Anyone with Organization Management or higher privileges can make tenant-level changes. Keep this list tight.
Correlate logins with rule changes:
If a new rule appears shortly after an unusual login (new device, new location, off-hours), that's a red flag requiring investigation.
The Defender + MailBreach Relationship
Think of it this way: Microsoft Defender is your front gate. It's excellent at stopping threats from getting in. MailBreach is your security camera network watching what happens inside — monitoring whether any insider configurations are being abused, whether any accounts have been compromised and weaponized, whether any silent exfiltration is underway.
They address different threat surfaces and genuinely complement each other. Organizations that want comprehensive coverage need both.
Summary
Microsoft Defender for Office 365 is not the problem — it's excellent at what it does. The problem is assuming it covers everything.
The configuration layer — forwarding rules, transport rules, tenant settings, mailbox delegations — requires its own visibility and monitoring. This is where sophisticated attackers operate, and it's where traditional email security has a genuine blind spot.
Closing that gap doesn't require ripping out your existing stack. It requires adding visibility to the layer Defender wasn't designed to cover.
MailBreach provides the configuration-layer visibility that complements Microsoft Defender — continuous monitoring of forwarding rules, inbox configurations, and tenant-level settings across your entire Microsoft 365 and Google Workspace environment.
Ready to secure your email?
MailBreach scans your Microsoft 365 and Google Workspace for hidden threats. Find the forwarding rules and suspicious configurations before attackers exploit them.