Microsoft 365 is the productivity backbone of most Singapore businesses — email, Teams, SharePoint, OneDrive, and now Copilot. But the platform's security is only as strong as its configuration. Out of the box, Microsoft 365 ships with defaults that prioritise usability over security. And in our experience reviewing M365 environments across Singapore organisations, the same critical misconfigurations appear again and again — leaving businesses exposed to account takeover, data exfiltration, and ransomware.
This article walks through the most common Microsoft 365 security gaps we find in Singapore businesses — from SMEs running Business Premium to enterprises on E5 licences. If you haven't reviewed your M365 configuration recently, treat this as your starting checklist.
Why M365 Misconfigurations Matter in Singapore
Business Email Compromise (BEC) remains one of the most financially damaging attacks targeting Singapore organisations. In 2024, Singapore Police Force reported BEC losses running into tens of millions of dollars. The majority of successful BEC attacks begin with a compromised Microsoft 365 account — often one without Multi-Factor Authentication, or one where conditional access policies have gaps that attackers have learned to exploit.
Beyond BEC, misconfigured M365 environments create pathways for ransomware operators to move laterally via SharePoint sync, exfiltrate data through Exchange forwarding rules, and establish persistent access through OAuth application consent abuse. These aren't theoretical risks — they're the attack patterns being used against Singapore businesses right now.
Regulators are watching too. MAS Notice 655 (Cyber Hygiene) requires MFA for privileged accounts. The Cyber Trust Mark and Cyber Essentials Mark both assess identity and access management controls. A thorough M365 security review directly supports compliance with both frameworks.
Gap 1: MFA Enforcement Is Incomplete
Multi-Factor Authentication is the single most impactful control in M365 — and yet most Singapore businesses we review have significant MFA gaps. Common problems include:
- MFA enabled but not enforced: per-user MFA is set to "Enabled" rather than "Enforced" for most accounts, so a user who dismisses or postpones the registration prompt can still sign in with a password alone.
- Legacy authentication protocols not blocked: basic authentication over SMTP AUTH, IMAP, POP3 and similar legacy protocols carries only a username and password, so it bypasses MFA entirely. Attackers use these protocols specifically because they circumvent Conditional Access. If your Exchange Online settings still permit basic authentication, your MFA policy has a significant hole in it.
- Privileged accounts missing MFA: Global Administrators, Exchange Administrators, and SharePoint Administrators are the crown jewels. We regularly find privileged accounts excluded from MFA policies — often because "it would be inconvenient" for the administrator in question.
- Weak second factors still in use: SMS OTP is better than nothing, but it's vulnerable to SIM-swapping and SS7 interception. For privileged accounts, the Microsoft Authenticator app (with number matching) or a FIDO2 hardware key is the standard you should be targeting.
Block Legacy Authentication First
If you do one thing today, block legacy authentication protocols via a Conditional Access policy. Create a policy targeting all users, all cloud apps, and set the condition to "Client apps: Exchange ActiveSync clients and Other clients". Set the grant control to "Block". This single change eliminates an entire class of MFA bypass attacks with minimal user impact — most modern email clients don't need legacy auth.
Gap 2: Conditional Access Policies Are Missing or Incomplete
Conditional Access is M365's policy engine for identity — the mechanism that determines when and how users must authenticate. Many Singapore businesses have either no Conditional Access policies, or policies with gaps that undermine their security value.
Well-designed Conditional Access should address:
- Require MFA for all users, all apps: The baseline. No exceptions for "trusted" IPs unless your IP ranges are strictly controlled and frequently reviewed.
- Require MFA always for admins: A separate policy targeting your admin roles with stronger authentication requirements and stricter session controls.
- Block sign-ins from high-risk countries: Singapore businesses rarely need staff logging in from regions with high rates of credential-based attacks. Blocking or requiring MFA for sign-ins from such locations is low-friction and high-value.
- Require compliant or Hybrid Azure AD-joined devices: Requiring that M365 access comes only from managed, compliant devices is one of the most effective controls against compromised credential reuse. If an attacker steals a password, they still can't access data from their own machine.
- Sign-in risk and user risk policies: If you have Entra ID P2 (included in E5), use Identity Protection policies to automatically block or step-up authentication when Microsoft detects anomalous sign-in behaviour.
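The legacy-authentication block from Gap 1 and the admin MFA policy from the list above, as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft). It assumes the Microsoft.Graph SDK is installed and the signed-in account can manage Conditional Access; the policy names, the 4-hour sign-in frequency and the 2,000-sign-in sample size are assumptions. Both policies are created in report-only mode so you can check the sign-in log for what they would have blocked before enforcing them.

```powershell
# Added example, not the article's own code. Names and the session values are
# assumptions; adjust to your tenant.
$graphScopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                 'AuditLog.Read.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $graphScopes -NoWelcome

# 1. Who still signs in with legacy protocols? Sample recent sign-ins and filter
#    client-side on ClientAppUsed so the block does not surprise anyone.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top 2000 |
    Where-Object { $_.ClientAppUsed -and ($modern -notcontains $_.ClientAppUsed) } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Block legacy authentication: all users, all cloud apps,
#    client apps = Exchange ActiveSync + Other clients, grant = Block.
#    Report-only first; set state to 'enabled' once the log is clean.
$blockLegacy = @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @()    # add your break-glass account object ID(s) here
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

# 3. Always require MFA for admin roles, with a short sign-in frequency and no
#    persistent browser sessions. Role template IDs are looked up by name.
$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @('Global Administrator',
                                        'Exchange Administrator',
                                        'SharePoint Administrator') } |
    Select-Object -ExpandProperty Id
$adminMfa = @{
    displayName     = 'CA002 - Require MFA for administrators'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users        = @{ includeRoles = $adminRoles; excludeUsers = @() }
        applications = @{ includeApplications = @('All') }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ value = 4; type = 'hours'; isEnabled = $true }
        persistentBrowser = @{ mode = 'never'; isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa | Out-Null

# 4. Verify what the tenant actually enforces.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } },
        @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize
```

Exclude at least one break-glass account from every block or MFA policy before enabling it; a policy that locks out all administrators is a common self-inflicted outage. The 'mfa' grant control accepts any registered method; for admins on FIDO2 or Authenticator with number matching, an authentication strength can be used in place of the built-in control.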
Gap 3: Exchange Online External Forwarding Rules
Attackers who gain access to a compromised M365 account frequently set up silent email forwarding rules — to an external address they control. This allows them to read every email the victim receives, including financial documents, contract terms, and payment instructions. The victim has no idea their inbox is being mirrored.
Microsoft provides controls to stop this:
- Disable automatic external forwarding at the organisational level: In the Exchange Admin Centre, open the outbound spam filter policy and set "Automatic forwarding" to "Off", which blocks automatic forwarding to external recipients. This should be "Off" on the default policy.
- Audit existing forwarding rules: Use PowerShell or the Microsoft 365 Defender portal to list all inbox rules and transport rules with external forwarding. Anything unexpected is a red flag — investigate immediately.
- Alert on new forwarding rule creation: Configure a Microsoft Sentinel or Defender for Office 365 alert when a user creates a new inbox rule forwarding to an external domain.
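The three controls above as an added Exchange Online PowerShell example (not code from the original article). It assumes the ExchangeOnlineManagement module (v3) and an account with Exchange Administrator rights; the 7-day look-back and the recipient-string regex are assumptions. It sets the organisation-level control, audits mailbox forwarding, inbox rules and transport rules for external targets, and finishes with an audit-log query that can run on a schedule as a simple detection.

```powershell
# Added example, not the article's own code.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Organisation-level control: "Automatic forwarding" in the outbound spam
#    filter policy. 'Off' blocks auto-forwarding to external recipients.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Accepted domains count as internal; anything else is external.
$internal = Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName).ToLower() }
function Test-External([string]$Recipient) {
    # Inbox-rule recipients look like "Name [SMTP:user@example.com]";
    # entries without an SMTP address resolve to internal directory objects.
    if ($Recipient -match 'SMTP:[^@\]]+@([^\]\s]+)') {
        return ($internal -notcontains $Matches[1].ToLower())
    }
    return $false
}

# 2a. Forwarding configured on the mailbox object itself.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2b. Inbox rules that forward or redirect to an external address.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-External ([string]$_) }
        if ($external) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = ($external -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2c. Transport (mail flow) rules that copy or redirect mail.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

# 3. Detection: inbox rules created or changed in the last 7 days whose
#    parameters include a forwarding action. Schedule this, or port the same
#    logic to a Sentinel analytics rule over OfficeActivity.
$start = (Get-Date).AddDays(-7); $end = Get-Date
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations 'New-InboxRule', 'Set-InboxRule' |
  ForEach-Object {
    $d   = $_.AuditData | ConvertFrom-Json
    $fwd = $d.Parameters | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' }
    if ($fwd) {
        [pscustomobject]@{
            When   = $d.CreationTime
            User   = $d.UserId
            Op     = $d.Operation
            Target = ($fwd.Value -join '; ')
            IP     = $d.ClientIP
        }
    }
  } | Format-Table -AutoSize
```

Setting the outbound spam policy to "Off" stops the mail from leaving, but it does not delete the rules that were planted; step 2b is what finds them, and a rule created from an unfamiliar IP in step 3 is the point at which to open an incident rather than just remove the rule.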
Gap 4: OAuth Application Consent Abuse
Illicit OAuth application consent is one of the most overlooked M365 attack vectors. In this attack, a user is tricked (via phishing) into granting a malicious third-party application access to their M365 account. Once consented, the attacker's app can read email, access files, and send messages — without the user's password, and even if MFA is in place.
The default M365 configuration allows any user to consent to any third-party application requesting access to their account. This is a significant risk in a business environment.
- Restrict user consent to apps from verified publishers: In Entra ID (Azure AD), navigate to Enterprise Applications → Consent and permissions → User consent settings. Restrict users to consenting only to apps from verified publishers requesting low-risk permissions. High-risk permissions should require admin approval.
- Enable admin consent workflow: Allow users to request admin consent for apps they need — this creates a review process without blocking legitimate use cases.
- Audit existing consented apps: Review all third-party applications that have been granted consent in your tenant. Remove any you don't recognise or no longer need.
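The consent settings and the audit above as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft). It assumes the Microsoft.Graph SDK and a Global Administrator, since the authorization policy is tenant-wide; the list of "risky" scopes is an assumption you should extend for your own tenant. The admin consent workflow itself is configured in the Entra portal and is not shown here.

```powershell
# Added example, not the article's own code.
$scopes = @('Policy.ReadWrite.Authorization', 'Application.Read.All',
            'DelegatedPermissionGrant.ReadWrite.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Current user-consent setting. The '...microsoft-user-default-legacy' policy
#    means any user may consent to any app; an empty list means no user consent.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Restrict user consent to verified publishers asking for low-risk
#    permissions; anything else must go through admin consent.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# 3. Audit existing delegated grants. ConsentType 'Principal' = one user consented;
#    'AllPrincipals' = an admin consented on behalf of everyone.
$risky = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
           'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'offline_access')
$sps = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sps[$_.Id] = $_ }

$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $sp        = $sps[$_.ClientId]
    $scopeList = ($_.Scope -split '\s+') | Where-Object { $_ }
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.VerifiedPublisher.DisplayName   # $null = not a verified publisher
        ConsentType = $_.ConsentType
        RiskyScopes = ($scopeList | Where-Object { $_ -in $risky }) -join ' '
        GrantId     = $_.Id
    }
}

# Unverified publisher + user consent + mail/file scopes is the pattern to review first.
$grants |
    Where-Object { -not $_.Publisher -and $_.ConsentType -eq 'Principal' -and $_.RiskyScopes } |
    Sort-Object App |
    Format-Table App, AppId, Publisher, ConsentType, RiskyScopes, GrantId -AutoSize

# 4. Revoke a grant you do not recognise (GrantId from the table above).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant-id-from-audit>'
```

Removing the grant revokes the delegated permissions; if the service principal itself is not needed in the tenant, remove it as well so the same app cannot simply be re-consented by another user.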
Gap 5: SharePoint and OneDrive Oversharing
SharePoint and OneDrive are collaboration tools — which means they're designed to make sharing easy. Without governance controls, Singapore businesses frequently end up with sensitive documents shared with "Anyone with the link" (public access) or shared externally with personal email addresses belonging to former staff or unknown parties.
- Set the default sharing link to "People in your organisation": The tenant-wide default sharing link type should not be "Anyone". Change this in SharePoint Admin Centre → Policies → Sharing.
- Restrict external sharing to specific domains: If you only collaborate externally with a handful of partner organisations, whitelist their domains and block all others.
- Enable sensitivity labels: Microsoft Purview Information Protection allows you to apply sensitivity labels (e.g., Confidential, Highly Confidential) that automatically restrict sharing and encryption on labelled documents.
- Run a sharing audit: Use SharePoint sharing reports or third-party tools to identify documents and sites shared externally or with "Anyone" links. In most environments, the first audit uncovers dozens of unintended exposures.
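The tenant sharing settings and the sharing audit above as an added example (not code from the original article). It assumes the Microsoft.Online.SharePoint.PowerShell module for tenant settings and the ExchangeOnlineManagement module for the unified audit log; `<tenant>` and `partner.example` are placeholders, and the 90-day window is an assumption.

```powershell
# Added example, not the article's own code. Placeholders: <tenant>, partner.example.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# 1. Current tenant-wide sharing posture.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode, SharingAllowedDomainList,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# 2. Default link = "People in your organisation", view-only, and external
#    sharing limited to an allow-list of partner domains.
Set-SPOTenant -DefaultSharingLinkType Internal -DefaultLinkPermission View
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner.example'

# 3. Sites whose own setting still permits "Anyone" links.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability, Owner

# 4. Sharing audit from the unified audit log: anonymous links created or used,
#    and invitations sent to addresses outside your accepted domains.
Connect-ExchangeOnline -ShowBanner:$false
$myDomains = Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName).ToLower() }
$ops = 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'SharingInvitationCreated', 'SecureLinkCreated'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000 |
  ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        By        = $d.UserId
        Target    = $d.TargetUserOrGroupName   # invited address, where the event has one
        Item      = $d.ObjectId                # URL of the file or folder
    }
  } |
  Where-Object {
      $_.Operation -like 'Anonymous*' -or
      ($_.Target -and (($_.Target -split '@')[-1].ToLower() -notin $myDomains))
  } |
  Sort-Object When -Descending | Format-Table -AutoSize
```

Changing the tenant default only affects links created from now on; the audit in step 4 is what surfaces the existing "Anyone" links, and `AnonymousLinkUsed` events tell you which of them are actually being opened from outside.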
Gap 6: Microsoft Secure Score — A Free Roadmap Going Unused
Microsoft Secure Score is a free, built-in tool in the Microsoft 365 Defender portal that measures your M365 security posture and provides prioritised recommendations. Most Singapore businesses have never looked at it.
Secure Score analyses your tenant configuration across identity, device, apps, and data — and scores each recommendation by impact and implementation effort. A well-managed M365 tenant typically scores above 60–70%. Newly reviewed tenants often score below 30%, sometimes significantly lower.
Reviewing and systematically improving your Secure Score is one of the most efficient ways to improve M365 security posture. Start with the high-impact, low-effort recommendations — many can be implemented in under 30 minutes.
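Pulling the score and the "high-impact, low-effort" list out of the API, as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft). It assumes the Microsoft.Graph SDK with the SecurityEvents.Read.All scope; matching each control score to its control profile by control name is an assumption about the API shape.

```powershell
# Added example, not the article's own code.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Newest daily snapshot of the tenant's score.
$latest = Get-MgSecuritySecureScore -Top 7 |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"Secure Score: $($latest.CurrentScore) / $($latest.MaxScore) ($pct%) as of $($latest.CreatedDateTime)"

# Control profiles carry the title, max points and Microsoft's effort rating.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

# Points still on the table per control, cheapest effort first, biggest gap first.
$effortRank = @{ Low = 0; Moderate = 1; High = 2 }
$latest.ControlScores | ForEach-Object {
    $p = $profiles[$_.ControlName]    # assumption: profile Id == controlName
    if ($p) {
        [pscustomobject]@{
            Control    = $p.Title
            Category   = $_.ControlCategory
            Gained     = $_.Score
            Max        = $p.MaxScore
            Gap        = $p.MaxScore - $_.Score
            Effort     = $p.ImplementationCost
            UserImpact = $p.UserImpact
        }
    }
} |
  Where-Object { $_.Gap -gt 0 } |
  Sort-Object @{ e = { if ($effortRank.ContainsKey($_.Effort)) { $effortRank[$_.Effort] } else { 3 } } },
              @{ e = 'Gap'; Descending = $true } |
  Select-Object -First 10 | Format-Table -AutoSize
```

Keep the first snapshot as the baseline mentioned in the review steps; the same query run monthly gives you an evidence trail of improvement rather than a single number.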
Practical Steps for a Singapore M365 Security Review
A structured M365 security review should cover identity and access, data protection, threat protection, and device management. Here's where to begin:
- Run Microsoft Secure Score: Start with the built-in scorecard. Document your baseline and prioritise the top ten recommendations.
- Audit admin accounts: List all global and privileged administrators. Verify each one is a named individual (no shared accounts), has MFA enforced, and holds only the minimum permissions required.
- Review Conditional Access policies: Map your policies against the Microsoft baseline recommendations. Identify gaps — especially legacy authentication blocking and admin MFA requirements.
- Check Exchange forwarding settings: Audit existing forwarding rules and verify the outbound spam policy blocks automatic external forwarding.
- Review OAuth consented apps: Audit third-party applications and tighten user consent settings.
- Assess SharePoint sharing configuration: Review default link type, external sharing settings, and run a sharing audit for sensitive document libraries.
- Enable Defender for Office 365: If you're on Business Premium or higher, ensure Defender for Office 365 anti-phishing, Safe Links, and Safe Attachments policies are active and configured — not just licensed.
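The admin-account audit and the Defender for Office 365 check from the list above, as an added example (not code from the original article). The other steps are covered by the Conditional Access, forwarding, consent, sharing and Secure Score examples earlier on the page. This one assumes the Microsoft.Graph SDK (the registration report needs Entra ID P1 or higher) and the ExchangeOnlineManagement module; the role names are the ones the article calls out.

```powershell
# Added example, not the article's own code.
$graphScopes = @('Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -Scopes $graphScopes -NoWelcome

# 1. Who holds privileged roles. Get-MgDirectoryRole returns activated roles with
#    their active members; PIM-eligible assignments are not included here.
$roleNames = 'Global Administrator', 'Exchange Administrator', 'SharePoint Administrator'
$members = foreach ($role in Get-MgDirectoryRole | Where-Object { $_.DisplayName -in $roleNames }) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role = $role.DisplayName
            Upn  = $m.AdditionalProperties['userPrincipalName']   # $null for groups / service principals
            Type = $m.AdditionalProperties['@odata.type']
        }
    }
}
$members | Sort-Object Role, Upn | Format-Table -AutoSize

# 2. MFA registration state for every admin, from the authentication-methods
#    report. IsMfaRegistered = False, or SMS as the default method, is a finding.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsMfaRegistered | Format-Table -AutoSize

# 3. Defender for Office 365: licensed is not the same as configured. A policy
#    only applies when its rule exists, is Enabled, and scopes your domains.
Connect-ExchangeOnline -ShowBanner:$false
Get-AntiPhishPolicy      | Select-Object Name, Enabled, EnableMailboxIntelligence, EnableTargetedUserProtection, PhishThresholdLevel
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, TrackClicks
Get-SafeLinksRule        | Select-Object Name, State, SafeLinksPolicy, RecipientDomainIs
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeAttachmentRule   | Select-Object Name, State, SafeAttachmentPolicy, RecipientDomainIs
```

A shared mailbox, a group or a service principal appearing in the role membership list is exactly the "not a named individual" case the checklist asks you to rule out; an admin with IsMfaRegistered = False and no Conditional Access policy forcing registration is the highest-priority finding of the whole review.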
M365 Security Covers Multiple Singapore Requirements
A thorough M365 security review directly addresses controls required by MAS Notice 655 (MFA for privileged accounts), Cyber Essentials Mark (access control, secure configuration), and ISO 27001 Annex A (A.9 Access Control, A.13 Communications Security). Fixing your M365 configuration doesn't just reduce breach risk — it builds the evidence base regulators and auditors will ask for.
How Infinite Cybersecurity Helps Singapore Businesses
We conduct structured Microsoft 365 security reviews for Singapore businesses across a range of sectors — from financial services firms navigating MAS TRM requirements to professional services firms preparing for ISO 27001 or Cyber Trust Mark certification.
Our review methodology covers all six gap areas described in this article, plus device management (Microsoft Intune / Endpoint Manager), data loss prevention (Microsoft Purview DLP), and audit log retention. We deliver a prioritised remediation plan with specific configuration steps your IT team can implement — not a generic compliance checklist.
For organisations on Microsoft Business Premium or E3/E5 licences, there is often significant security value already licensed but not yet configured. Our review identifies where you're leaving that licensed security capability on the table — and helps you activate it without additional spend.
Ready to review your Microsoft 365 security posture?
Our team of CREST-certified experts helps Singapore businesses identify and close M365 configuration gaps — before attackers find them first.