Microsoft 365 is the central nervous system of most Quebec SMBs: email, files, meetings, internal communication. It is also one of the most targeted attack surfaces by cybercriminals. After auditing more than 120 tenants of SMBs ranging from 10 to 500 employees, here is what we consistently find.
Problem 1: MFA Not Enabled for All Users
In 68% of tenants we audit, MFA is not mandatory for all users. Often, executives and service accounts are exempted "for convenience." These are precisely the accounts attackers target first.
Fix: Enable Microsoft Security Defaults or deploy Conditional Access policies if your subscription allows it (Business Premium, E3+).
Problem 2: Former Employees With Active Access
On average, we find 7% of active accounts belonging to employees who have left the organization. In one recent case, an account inactive for 14 months still had access to a SharePoint containing client contracts and financial data.
Fix: Implement an offboarding process that disables accounts on the day of departure, revokes active sessions, and transfers data according to a documented procedure.
Problem 3: Email Forwarding Rules to External Mailboxes
This is the most alarming indicator of a compromise. In 23% of audited tenants, we find active forwarding rules — often created without the account owner's knowledge, after an initial compromise. These rules silently forward all incoming emails (or some, filtered by keywords) to an external mailbox controlled by the attacker.
Fix: Immediate audit of all transport and forwarding rules. Enable Microsoft Defender for Office 365 with anti-phishing policies configured.
Problem 4: SharePoint and OneDrive With Uncontrolled Public Shares
"Anyone can access" links created to quickly share a file with a partner remain active indefinitely in most tenants. We regularly find confidential contracts, HR data, and financial reports publicly accessible via links generated months ago.
Fix: Configure SharePoint sharing policies to prevent "Anyone" links, or limit their lifetime to 7 days. Run a quarterly audit of active external sharing links.
Problem 5: No Microsoft Secure Score Monitoring
Microsoft Secure Score is a free dashboard that evaluates your Microsoft 365 security configuration and proposes prioritized improvements. In 77% of the tenants we audit, the score has never been consulted — even though the tool is included in every Microsoft 365 plan.
Problem 6: Microsoft 365 Licenses Used Without Security Features Activated
Business Premium includes Microsoft Defender for Business, Intune for device management, and Azure AD P1 for Conditional Access. In most tenants, these features are not activated — organizations pay for security capabilities they don't use. Activating these tools typically increases the Secure Score by 20 to 35 points without additional cost.