M365 Tenant Governance

The security of your entire M365 ecosystem begins at the global administration level. Default tenant settings are often too permissive and let an attacker establish a persistent foothold in the tenant or exfiltrate data unnoticed.

Your Strategy

Establish strict control over third-party apps and authentication methods. Use the Unified Audit Log (UAL) as the central "single source of truth" for forensic analysis. Consistently disable legacy authentication, which cannot enforce MFA and is therefore used to bypass it.

Best Practices

  • App Governance: Allow only verified publishers and enforce the admin consent workflow.
  • Identity: Use cloud-only admin accounts without licenses/mailboxes to reduce the attack surface.
  • Monitoring: Integrate the UAL into your SIEM and monitor global setting changes.

STRIDE-LM Design Risks

  • Spoofing (S-01): Identity Spoofing. Attacker impersonates a legitimate user or partner.
  • Tampering (T-01): Data Tampering. Unauthorized modification of shared data or configurations.
  • Repudiation (R-01): Audit Log Manipulation. Deleting or altering traces of an action.
  • Information Disclosure (I-M365-01): Exfiltration via Inbox Rules. Automated forwarding of emails to external addresses.
  • Denial of Service (D-01): Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • Elevation of Privilege (E-M365-01): Illicit Consent Grant. Attackers trick users into granting extensive permissions to a malicious app.
  • Lateral Movement (L-01): Lateral Movement. Accessing further internal systems after initial login.
  • Monitoring Gaps (M-01): Insufficient Logging. Missing or inadequate recording of security-relevant events.
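The inbox-rule exfiltration (I-M365-01), illicit consent grant (E-M365-01) and audit-log manipulation (R-01) risks listed above, together with the best-practice advice to feed the Unified Audit Log into a SIEM, all reduce to recognising a handful of UAL operations. The Python triage below is an added example, not code from this page or from AYSOLI. It assumes the tenant's only accepted domain is contoso.example, the sample records are constructed and only approximate the real AuditData JSON (the Operation, UserId, Parameters and ModifiedProperties field names follow the schema, the permission string is simplified), and the finding names and the HIGH_IMPACT_SCOPES selection are this example's own choices.

```python
"""Added example: triage of Unified Audit Log (UAL) records for three governance findings.
Sample records below are constructed and only approximate the real AuditData schema."""
from __future__ import annotations
import json
from dataclasses import dataclass

INTERNAL_DOMAINS = {"contoso.example"}          # assumption: the tenant's accepted domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                      "Directory.ReadWrite.All", "offline_access"}   # example's own selection


@dataclass(frozen=True)
class Finding:
    rule: str        # which check fired
    user: str        # actor (UserId in the record)
    detail: str      # evidence taken from the record
    record_id: str


def _params(audit: dict) -> dict:
    """Exchange admin-audit records list cmdlet arguments as [{Name, Value}, ...]."""
    return {p["Name"]: p.get("Value", "") for p in audit.get("Parameters", [])}


def _modified(audit: dict) -> dict:
    """Entra ID records list changes as [{Name, NewValue, OldValue}, ...]."""
    return {m["Name"]: m.get("NewValue", "") for m in audit.get("ModifiedProperties", [])}


def _is_external(address: str) -> bool:
    """Recipients may appear as 'Name <user@domain>' or 'smtp:user@domain'."""
    addr = address.split("<")[-1].rstrip(">").split(":")[-1].strip().lower()
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def check_record(audit: dict) -> list[Finding]:
    op, user, rid = audit.get("Operation", ""), audit.get("UserId", "?"), audit.get("Id", "?")
    findings: list[Finding] = []
    if op in {"New-InboxRule", "Set-InboxRule"}:
        # I-M365-01 / T1114.003: a rule that forwards or redirects mail outside the tenant.
        params = _params(audit)
        for name in sorted(set(params) & FORWARDING_PARAMS):
            ext = [t.strip() for t in params[name].split(";") if t.strip() and _is_external(t)]
            if ext:
                findings.append(Finding("external_forwarding_rule", user, f"{op} {name}={ext}", rid))
    elif op == "Set-Mailbox":
        # Same goal reached through a mailbox-level forwarding address instead of a rule.
        fwd = _params(audit).get("ForwardingSmtpAddress", "")
        if fwd and _is_external(fwd):
            findings.append(Finding("external_mailbox_forwarding", user, f"ForwardingSmtpAddress={fwd}", rid))
    elif op == "Consent to application.":
        # E-M365-01 / T1528: a non-admin consent (admin consent workflow not enforced) or broad scopes.
        changes = _modified(audit)
        is_admin = changes.get("ConsentContext.IsAdminConsent", "").lower() == "true"
        scopes = sorted(s for s in HIGH_IMPACT_SCOPES if s in changes.get("ConsentAction.Permissions", ""))
        if not is_admin or scopes:
            findings.append(Finding("app_consent", user, f"admin_consent={is_admin} high_impact={scopes}", rid))
    elif op == "Set-AdminAuditLogConfig":
        # R-01: switching off UAL ingestion destroys the forensic trail itself.
        if _params(audit).get("UnifiedAuditLogIngestionEnabled", "").lower() == "false":
            findings.append(Finding("audit_log_disabled", user, "UnifiedAuditLogIngestionEnabled=False", rid))
    return findings


def triage(records: list[dict]) -> list[Finding]:
    """records mimic Search-UnifiedAuditLog output, where AuditData is a JSON string."""
    out: list[Finding] = []
    for rec in records:
        audit = rec["AuditData"]
        out.extend(check_record(json.loads(audit) if isinstance(audit, str) else audit))
    return out


SAMPLE_RECORDS = [  # constructed, not real tenant data
    {"AuditData": json.dumps({"Id": "r1", "Operation": "New-InboxRule", "Workload": "Exchange",
        "UserId": "alice@contoso.example", "Parameters": [
            {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "ForwardTo", "Value": "Archive <mallory@external-mail.example>"}]})},
    {"AuditData": json.dumps({"Id": "r2", "Operation": "New-InboxRule", "Workload": "Exchange",
        "UserId": "bob@contoso.example", "Parameters": [
            {"Name": "Name", "Value": "Team digest"}, {"Name": "ForwardTo", "Value": "team@contoso.example"}]})},
    {"AuditData": json.dumps({"Id": "r3", "Operation": "Consent to application.",
        "Workload": "AzureActiveDirectory", "UserId": "carol@contoso.example", "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[ClaimValue: Mail.Read offline_access]]"}]})},
    {"AuditData": json.dumps({"Id": "r4", "Operation": "Set-AdminAuditLogConfig", "Workload": "Exchange",
        "UserId": "admin@contoso.example", "Parameters": [
            {"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]})},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.user} ({f.record_id}): {f.detail}")
```

Run over a daily UAL export, the rule named ".", the DeleteMessage flag and an external ForwardTo on r1 is the classic exfiltration pattern; r2 forwards internally and is ignored, r3 is a user self-consent that the admin consent workflow should have intercepted, and r4 is the one event that must page someone immediately, because every later record depends on ingestion staying on.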

MITRE ATT&CK® Techniques

Each mitigation is shown as Name [protection tier, Low/Medium/High] followed by its CIS, NIST and OWASP references.

Initial Access

  • T1078 Valid Accounts: Exploiting existing credentials for access.
    Mitigated by:
      - Modern Auth Enforcement [Baseline Protection, Low] (CIS: 6.1; NIST: PR.AC-1)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS: 8.2; NIST: PR.PT-1)
      - Privileged Identity Management (PIM) [Baseline Protection, Medium] (CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021)
      - FIDO2 Enforcement [Baseline Protection, Medium] (CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021)
      - Conditional Access Policies [Baseline Protection, Medium] (CIS: 6.1; NIST: PR.AC-7; OWASP: API2)
      - Adaptive MFA (Risk-based) [Extended Protection, Low] (CIS: 6.5; NIST: PR.AC-7)
  • T1566.003 Spearphishing via Service: Phishing via trusted cloud services (Teams, LinkedIn).
    Mitigated by:
      - Anti-Phishing & Anti-Spam Policies [Baseline Protection, Low] (CIS: 9.2; NIST: PR.PT-4)

Execution

  • T1137 Office Application Startup: Exploitation of Office startup processes for code execution.
    Mitigated by:
      - Restricted App Consent [Baseline Protection, Low] (CIS: 16.1; NIST: PR.AC-1)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS: 8.2; NIST: PR.PT-1)

Persistence

  • T1098 Account Manipulation: Changing permissions or creating new accounts.
    Mitigated by:
      - Restricted App Consent [Baseline Protection, Low] (CIS: 16.1; NIST: PR.AC-1)
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS: 8.2; NIST: PR.PT-1)
      - Privileged Identity Management (PIM) [Baseline Protection, Medium] (CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021)
  • T1484 Domain Policy Modification: Modifying domain policies for privilege escalation.
    Mitigated by:
      - Privileged Identity Management (PIM) [Baseline Protection, Medium] (CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021)
      - Break-Glass Accounts [Baseline Protection, Low] (CIS: 6.5; NIST: PR.IP-4)
      - SIEM Integration [Extended Protection, High] (CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021)

Credential Access

  • T1528 Steal Application Access Token: Theft of tokens to bypass authentication.
    Mitigated by:
      - Restricted App Consent [Baseline Protection, Low] (CIS: 16.1; NIST: PR.AC-1)
  • T1539 Steal Web Session Cookie: Capturing active session tokens to bypass authentication.
    Mitigated by:
      - Modern Auth Enforcement [Baseline Protection, Low] (CIS: 6.1; NIST: PR.AC-1)
      - FIDO2 Enforcement [Baseline Protection, Medium] (CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021)
      - Conditional Access Policies [Baseline Protection, Medium] (CIS: 6.1; NIST: PR.AC-7; OWASP: API2)
      - Adaptive MFA (Risk-based) [Extended Protection, Low] (CIS: 6.5; NIST: PR.AC-7)

Discovery

  • T1087 Account Discovery: Enumeration of internal accounts and group structures after initial access.
    Mitigated by:
      - SIEM Integration [Extended Protection, High] (CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021)

Lateral Movement

  • T1550 Use Alternate Authentication Material: Using stolen tokens or hashes to authenticate without a password.
    Mitigated by:
      - Modern Auth Enforcement [Baseline Protection, Low] (CIS: 6.1; NIST: PR.AC-1)

Collection

  • T1114.003 Email Forwarding Rule: Automated exfiltration through inbox rules.
    Mitigated by:
      - Unified Audit Log (UAL) [Baseline Protection, Low] (CIS: 8.2; NIST: PR.PT-1)
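The "Modern Auth Enforcement" mitigation listed above for T1078, T1539 and T1550, and the strategy's call to disable legacy authentication, both presuppose knowing which accounts still sign in over legacy protocols before a Conditional Access block is switched on. The Python inventory below is an added example, not AYSOLI's code: it reads Entra ID sign-in log records in the Microsoft Graph field layout (userPrincipalName, clientAppUsed, ipAddress, status.errorCode, authenticationRequirement), uses the clientAppUsed values that Conditional Access treats as legacy authentication clients, and runs on constructed sample sign-ins; the function names are this example's own.

```python
"""Added example: inventory of legacy-authentication sign-ins from Entra ID sign-in logs.
Sample sign-ins below are constructed in the Microsoft Graph signIn field layout."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# clientAppUsed values that Conditional Access classifies as legacy authentication clients
# (everything except "Browser" and "Mobile Apps and Desktop clients").
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Other clients",
}


@dataclass
class LegacyUsage:
    successes: int = 0
    failures: int = 0
    single_factor: int = 0                       # successful sign-ins that met only one factor
    source_ips: set[str] = field(default_factory=set)


def is_legacy(signin: dict) -> bool:
    return signin.get("clientAppUsed", "") in LEGACY_CLIENT_APPS


def legacy_inventory(signins: list[dict]) -> dict[tuple[str, str], LegacyUsage]:
    """Group legacy sign-ins by (user, protocol); modern sign-ins are ignored."""
    inv: dict[tuple[str, str], LegacyUsage] = defaultdict(LegacyUsage)
    for s in signins:
        if not is_legacy(s):
            continue
        usage = inv[(s["userPrincipalName"].lower(), s["clientAppUsed"])]
        usage.source_ips.add(s.get("ipAddress", "?"))
        if s.get("status", {}).get("errorCode", 0) != 0:
            usage.failures += 1               # e.g. 50126 invalid credentials: spray noise
            continue
        usage.successes += 1
        if s.get("authenticationRequirement") == "singleFactorAuthentication":
            usage.single_factor += 1
    return dict(inv)


def blocking_impact(inv: dict[tuple[str, str], LegacyUsage]) -> list[str]:
    """Accounts with successful legacy sign-ins: these break when legacy auth is blocked,
    so their clients must be migrated before the Conditional Access policy is enforced."""
    return sorted({user for (user, _), u in inv.items() if u.successes})


def mfa_bypass_candidates(inv: dict[tuple[str, str], LegacyUsage]) -> list[tuple[str, str, int]]:
    """Legacy protocols cannot prompt for a second factor, so every successful single-factor
    legacy sign-in is exposure that 'Modern Auth Enforcement' is meant to remove."""
    return sorted((user, app, u.single_factor) for (user, app), u in inv.items() if u.single_factor)


SAMPLE_SIGNINS = [  # constructed, not real tenant data
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},          # a printer/scanner relay
    {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.200", "status": {"errorCode": 50126},
     "authenticationRequirement": "singleFactorAuthentication"},          # wrong password
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.200", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},          # modern client: not legacy
]

if __name__ == "__main__":
    inv = legacy_inventory(SAMPLE_SIGNINS)
    print("Accounts that break when legacy auth is blocked:", blocking_impact(inv))
    for user, app, n in mfa_bypass_candidates(inv):
        print(f"  {user} via {app}: {n} single-factor sign-in(s) from {sorted(inv[(user, app)].source_ips)}")
```

Run this over a 30-day export before enabling the block policy: every account in blocking_impact() needs its client migrated or its workload moved to an app registration with modern authentication, and mfa_bypass_candidates() shows the exposure that persists until then. The failure counter is kept separately because failed legacy sign-ins are usually credential-spray noise rather than a business dependency.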

M365 Tenant Governance | IT Security Checklist for SMEs · AYSOLI Security Hub