The following contribution was penned by Christian Bajada, Head of Information Security at BMIT Technologies

I’m seeing firsthand the fallout from security incidents. Every month, numerous self-managed customers reach out for help with ongoing malicious attacks. Whether it’s ransomware or invoice fraud, phishing is a common factor. What’s especially concerning is the increasing frequency of these incidents. In today’s security cat-and-mouse game, attackers seem to have the upper hand.

The damage

This is a painful situation. In nearly all cases, attackers gain access to your mailbox, patiently waiting for an invoice to show up. If you’re the one sending the invoice as part of your business, they’ll modify the bank account details on the invoice to theirs, claiming there was an account update. They’ll hide these emails from you with mailbox rules and take over the conversation in your name. Similarly, if you’re receiving an invoice, they’ll use a look-alike domain to trick you into sending money to their account.

With mailboxes now storing gigabytes of data, they have essentially become business archives. Once an attacker gains access to a mailbox, losing money is only the beginning. You now face the reality that the entire contents of the compromised mailbox could be exploited for further damage.

Worse still, if you don’t stop the attacker in time, they can use your account to launch new attacks on your partners and customers. At best, it’s an embarrassing demonstration of weak security. At worst, these attacks succeed, leaving your contacts blaming you for their own breaches.

We can do better.

Security awareness training

Focus on the essentials. Too often, security awareness sessions are packed with information, overstating some risks (like public Wi-Fi use), while important skills like identifying phishing attempts or understanding the difference between domains and subdomains are left under-taught.

Preparedness goes a long way. Keeping employees updated on current scams and providing practical examples is crucial:

  • HR personnel: Watch for emails from "employees" asking to change their salary bank account details.
  • Finance teams: Any change to invoice bank account details signals fraud.
  • All employees: The CEO or any executive will never ask you to buy gift cards.

Attackers don’t need any magic to pick their targets: LinkedIn makes it easy to map out an organization and identify who to impersonate and who to target. If you have a LinkedIn profile and work in HR or Finance, you are at high risk of receiving fraud attempts or being outright impersonated.

These attackers don’t just come at you from look-alike domains or random email addresses. Once they gain access to a mailbox, they launch phishing attacks from familiar contacts and company names. Legitimate services like Dropbox, Docusign, and Adobe Sign are frequently abused to send phishing lures that trick users into entering credentials on fake portals.

Technical measures (Microsoft 365)

Cloud platforms like Microsoft 365 aren’t secure by default, so it’s essential to harden their configuration to make exploitation difficult. With today’s advanced security features, doing so has minimal impact on user experience, which makes ignoring these measures negligent. A few measures you can implement right away are the following:

  1. Prevent session theft by ensuring access tokens are time-bound and restricted to the devices they were issued to, using conditional access policies.
  2. Even MFA methods like Windows Authenticator with number challenges are vulnerable to Adversary-In-The-Middle attacks. Enforce strong authentication methods like Windows Hello, FIDO2, or Passkeys through conditional access policies.
  3. Restrict unauthorized logins by allowing sign-ins only from Intune-managed or hybrid-joined devices that meet compliance checks.
  4. It's often easy to detect malicious access by geolocating IP addresses in log entries. Additionally, set up policies to block access from multiple countries within 30 minutes.
  5. To prevent unauthorized device registration, use conditional access policies and monitor specific Entra ID audit logs.
  6. Also make sure to protect against rogue applications. Block users from registering service principals for apps and ensure the Azure setting “Users can register applications” is set to “No”.
  7. In addition, make sure your SIEM (Security Information and Event Management system) monitors for indicators of data theft, such as the creation of mail forwarding rules, and make sure that you monitor your SIEM!
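Two of the monitoring points in the list above (item 4, sign-ins from multiple countries within 30 minutes, and item 7, creation of mail forwarding rules, which is also how the attacker in the invoice scenario hides the conversation) can be expressed as simple detection logic. The block below is an added example written for this article, not BMIT's tooling or Microsoft's own alerts. It runs over constructed sample records: the sign-in events carry a country field that in practice would come from geolocating the source IP, and the inbox-rule records are shaped loosely like Exchange Online "New-InboxRule"/"Set-InboxRule" audit entries, with parameters as name/value pairs. All addresses, folder names and thresholds are constructed assumptions for the demonstration.

```python
"""Detections for impossible travel and for mailbox rules that forward or hide mail.

Added example with constructed input; the record shapes are assumptions,
loosely modelled on Microsoft 365 sign-in and Exchange audit records.
"""
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(minutes=30)          # item 4 in the article's list

# Rule parameters that send a copy of mail outside the mailbox (data theft).
FORWARD_PARAMS = ("ForwardAsAttachmentTo", "ForwardTo", "RedirectTo")
# Folders commonly used to hide messages from the mailbox owner.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Deleted Items", "Junk Email", "Archive"}
# Subject terms typical of invoice-fraud rules.
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}

# Constructed sample sign-in events (not real telemetry).
SIGNINS = [
    {"user": "finance@example.com", "time": "2024-05-02T08:00:00", "ip": "203.0.113.10", "country": "MT"},
    {"user": "finance@example.com", "time": "2024-05-02T08:20:00", "ip": "198.51.100.7", "country": "NG"},
    {"user": "hr@example.com",      "time": "2024-05-02T09:00:00", "ip": "203.0.113.11", "country": "MT"},
    {"user": "hr@example.com",      "time": "2024-05-02T12:00:00", "ip": "192.0.2.5",    "country": "DE"},
]

# Constructed sample mailbox audit records (not real telemetry).
RULE_EVENTS = [
    {"user": "finance@example.com", "operation": "New-InboxRule",
     "parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"user": "finance@example.com", "operation": "Set-InboxRule",
     "parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "ForwardTo", "Value": "external-drop@example.net"}]},
    {"user": "hr@example.com", "operation": "New-InboxRule",
     "parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "From", "Value": "newsletter@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def impossible_travel(signins, window=TRAVEL_WINDOW):
    """Flag users whose consecutive sign-ins come from different countries within `window`."""
    alerts = []
    ordered = sorted(signins, key=lambda e: (e["user"], e["time"]))  # ISO timestamps sort as text
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["user"] != cur["user"] or prev["country"] == cur["country"]:
            continue
        gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
        if gap <= window:
            alerts.append({"user": cur["user"], "from": prev["country"],
                           "to": cur["country"], "minutes": gap.total_seconds() / 60})
    return alerts


def suspicious_inbox_rules(events, internal_domain="example.com"):
    """Flag rule creations/changes that forward, delete or hide mail, or look like invoice fraud."""
    findings = []
    for ev in events:
        if ev["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = {item["Name"]: item["Value"] for item in ev["parameters"]}
        reasons = []
        for key in FORWARD_PARAMS:                       # external forwarding = data theft
            if key in p and not p[key].lower().endswith("@" + internal_domain):
                reasons.append(f"{key} to external address {p[key]}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching messages")
        if p.get("MoveToFolder") in HIDING_FOLDERS:      # hides the conversation from the owner
            reasons.append(f"moves mail to hiding folder '{p['MoveToFolder']}'")
        name = p.get("Name", "")
        if name and not any(c.isalnum() for c in name):  # attackers often name rules "." or ","
            reasons.append(f"rule name is punctuation only ({name!r})")
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
        if words & FINANCE_TERMS:
            reasons.append("filters on financial subject terms")
        if reasons:
            findings.append({"user": ev["user"], "rule": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {a['user']}: {a['from']} -> {a['to']} in {a['minutes']:.0f} min")
    for f in suspicious_inbox_rules(RULE_EVENTS):
        print(f"SUSPICIOUS RULE {f['user']} {f['rule']!r}: " + "; ".join(f["reasons"]))
```

On the constructed input, the finance mailbox is flagged twice: once for a rule named "." that moves invoice and payment mail into the RSS Subscriptions folder, and once for a rule forwarding mail to an external address; the HR mailbox's legitimate newsletter rule and its sign-ins three hours apart produce nothing. The thresholds and folder list are deliberately simple; a real SIEM rule would also consider device compliance and the rule's age, but the shape of the logic is the same.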

Technical measures can only go so far, as attackers are constantly evolving their methods. Ongoing, tailored security awareness training keeps your users informed on the latest threats and how other organizations are being breached. This training, combined with up-to-date security practices, helps you stay ahead of potential attacks.

Investing in a robust security posture is no longer optional in today’s threat landscape. If your organization lacks the necessary resources or expertise, BMIT offers a tailored program designed to provide security training, technical defences, and real-time monitoring to safeguard your business.
