Office 365 and Multifactor Authentication

This shouldn’t need to be said, but unfortunately it does.

If you are using Office 365 in any capacity, every account should have a strong, unique password. More importantly, you should have multi-factor authentication (MFA) configured and turned on. If you don’t, then why not? I’d be very interested to hear a decent excuse as to why this isn’t an option for you.

Since the start of the pandemic there has been a huge increase in malicious actor activity. Business staff are using home devices with no disk encryption and little or no anti-virus protection, and sometimes even taking their work computer home, where it is no longer protected by the corporate firewall. This means that devices, work emails and company data are more at risk than ever before.

I’ve seen some very bad practices, including companies permitting very weak passwords and even companies using the same password for every user. Given that bots are running every second of every day attempting to brute-force your passwords, these practices are very poor indeed. If you could see the number of attempted attacks every day on your company’s website, you would be shocked.

I have recently seen a company that chose not to have any IT support. They were only a small business and felt they could look after their own IT. Unfortunately, one of their passwords was brute forced. Malicious actors were able to access their Microsoft 365 account for a full week before anything aroused suspicion.

During that week the intruders had access to all of the company’s email, as well as its OneDrive and SharePoint documents, which included HR records and financial information.

The last acts of the intruder were to divert all incoming email straight to the Deleted Items folder, reset the passwords of the company’s other online accounts (Dropbox, LinkedIn, Xero and so on), and finally to spam everyone in the company’s contact lists, trading on the familiarity and goodwill of the company’s name to infect and exploit further businesses.

Whilst we were able to re-secure the 365 account, it felt like locking the gate after the horse had bolted. This company is now on a long and expensive journey with a forensic analysis team to find out exactly how much damage has been caused and which files have been compromised (although it may be quicker to find out which haven’t). They will also need to work out how to repair their reputation with their own customers and suppliers. They also have many online accounts to reset and re-secure, and the damage done there to quantify; the impact now extends well past Office 365. All of it could have been avoided with a couple of minutes spent setting up the free authenticator app.
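The first thing to check after an incident like the one above is whether the intruder left anything behind in the mailboxes: inbox rules that delete, hide or forward incoming mail, and mailbox-level forwarding. The following is an added example (not code from the original article or its author) of that check in Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the account you connect with holds Exchange administrator rights, and that unified audit logging is enabled for the tenant; the mailbox and rule names in the final comment are placeholders.

```powershell
# Added example (not from the original article): hunt for the mailbox
# tampering described above. Assumes the ExchangeOnlineManagement module,
# an Exchange administrator account and unified audit logging enabled.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Inbox rules that hide or exfiltrate mail: anything that deletes,
#    forwards or redirects messages, or moves them to Deleted Items/Junk.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DeleteMessage -or
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            ($_.MoveToFolder -match 'Deleted Items|Junk')
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, DeleteMessage, MoveToFolder,
                      ForwardTo, RedirectTo
}
$suspiciousRules | Format-Table -AutoSize

# 2. Mailbox-level forwarding set outside any inbox rule.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 3. Who created or changed rules/forwarding in the last 30 days, and from
#    which IP address (the ClientIP lives inside the AuditData JSON).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox, UpdateInboxRules `
    -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
                  @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } }

# Once a rule is confirmed malicious, remove it (placeholders below):
# Remove-InboxRule -Mailbox user@example.com -Identity 'Rule name' -Confirm:$false
```

Run the three checks across every mailbox, not just the one known to be compromised: an intruder with a week of access typically has read enough mail to know which other accounts are worth quietly tampering with.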

I’ve occasionally heard users say it is inconvenient to have to keep authenticating, especially now so many websites and Internet services are using MFA to improve their security. As an IT professional however, I can tell you from experience it is far more inconvenient, expensive and time-consuming to recover from a breach. Please trust me on this!

Summary: If you haven’t got MFA set up yet, contact your IT company today. It takes next to no time to implement, and it could literally save your company.
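What "implementing MFA" actually involves for a Microsoft 365 tenant is short enough to show. The block below is an added example, not code from the original article or its author. It assumes the Microsoft.Graph PowerShell module, a Global Administrator account, and, for the Conditional Access policy in step 2, Entra ID P1 licensing; `$breakGlassId` is a placeholder for the object ID of an emergency-access account you exclude from the policy so a broken authenticator cannot lock every admin out.

```powershell
# Added example (not from the original article): turn MFA on for a whole
# Microsoft 365 tenant and find out who has not yet registered a method.
# Assumes the Microsoft.Graph module and a Global Administrator account.
Connect-MgGraph -Scopes @(
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All',
    'UserAuthenticationMethod.Read.All',
    'AuditLog.Read.All'
)

# 1. Security Defaults: free on every tenant, requires MFA registration for
#    all users and blocks legacy authentication. Use this if you have no
#    Entra ID P1 licences. (It cannot coexist with Conditional Access
#    policies, so pick one of step 1 or step 2.)
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# 2. Conditional Access (Entra ID P1): an explicit "require MFA for every
#    user on every application" policy. Created in report-only mode first so
#    the sign-in logs show who would be affected before it is enforced.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account object ID

$policy = @{
    displayName = 'Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'    # change to 'enabled' to enforce
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Who still has no MFA method registered, admins first.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
    -Filter 'isMfaRegistered eq false' |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, MethodsRegistered |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize
```

Step 3 is the list to chase: a policy that requires MFA only helps once the users on that report have actually enrolled the authenticator app, and any administrator still on it is the account a brute-forced password would hurt most.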


This article about multi-factor authentication (MFA) was originally written by our Systems Engineer Daryn Craine in 2021. It has been edited lightly for length.
