
Microsoft 365 Security Best Practices: 5 Settings That Stop Wire Fraud

CyberDuo

Beyond Default Settings: 5 Hidden Microsoft 365 Security Configurations to Stop Wire Fraud

“Your default Microsoft 365 license isn’t enough to stop a hacker.”
That’s not a knock on Microsoft—it’s just the reality of Business Email Compromise (BEC) in 2026.

Attackers don’t “break into Microsoft 365.” They log in—often using stolen credentials, abused app permissions, or tricks that bypass basic MFA. And once they’re in, they don’t always deploy malware. They sit quietly inside email threads until they can redirect a payment.

The FBI’s Internet Crime Complaint Center (IC3) tracks BEC as a massive, ongoing fraud category, reporting $55.5B in exposed losses (Oct 2013–Dec 2023). (Source: Internet Crime Complaint Center)

This guide shares a practical baseline we use in high-risk, money-moving environments (like banking and finance)—five Microsoft 365 security configurations that dramatically reduce wire fraud risk without turning your tenant into a usability nightmare.


The threat: how attackers bypass “basic MFA” (and still get into your tenant)

If your security strategy is “we have MFA, so we’re safe,” here are two common ways attackers get around that assumption:

1) SIM swapping and call forwarding bypass phone-based MFA

The FBI warns that criminals use SIM swap attacks (convincing a carrier to transfer a victim’s number) and call forwarding/simultaneous ring to potentially bypass multi-factor authentication tied to a phone number. (Source: Internet Crime Complaint Center)

If your most privileged accounts rely on SMS/voice MFA, you’re betting your entire email environment on the security of a mobile carrier helpdesk process.

2) MFA fatigue (“push bombing”) wears people down

CISA has warned about MFA fatigue attacks and strongly urges phishing-resistant MFA. If phishing-resistant MFA isn’t possible immediately, CISA recommends number matching to reduce the chance users approve a fraudulent push prompt. (Source: American Hospital Association)

Translation: Default MFA alone isn’t a wire-fraud control. You need identity + policy + detection + email hardening working together.


How wire fraud usually happens in Microsoft 365 (the “quiet” attack chain)

A common BEC pattern looks like this:

  1. Attacker gains access to a mailbox (stolen password, token theft, consented app, SIM swap, push fatigue).
  2. They create inbox rules or forwarding that hides evidence and keeps them in the loop. Microsoft lists suspicious inbox rules and newly added external forwarding as common compromise signals. (Source: Microsoft Learn)
  3. They watch email threads involving invoices, law firms, real estate, procurement, payroll, or vendors.
  4. They send a “small change” message: new bank details, updated wiring instructions, “urgent payment—same amount.”
  5. Money leaves. Recovery is hard. IC3 emphasizes that time is of the essence if a fraudulent transfer occurs. (Source: Internet Crime Complaint Center)

So the goal isn’t “more security stuff.”
It’s breaking this chain in multiple places.


The Fix: 5 Hidden Microsoft 365 Security Configurations That Stop Wire Fraud

1) Disable “Legacy Authentication” (this blocks a huge slice of credential attacks)

Legacy authentication means Basic authentication over protocols like POP3, IMAP4, SMTP AUTH, Exchange ActiveSync and pre-modern Office clients: the client sends a username and password, and there is no point in that flow where an MFA prompt can happen, so the only control that works is blocking the protocol outright. Microsoft explicitly recommends blocking legacy auth and notes that (based on Microsoft’s analysis) more than 97% of credential stuffing attacks and more than 99% of password spray attacks use legacy authentication protocols, and that these attacks would stop if basic auth were blocked. (Source: Microsoft Learn)

What this stops

  • Password spray and credential stuffing attempts that rely on older protocols
  • Logins that never trigger an MFA prompt: a valid password over POP3/IMAP4/SMTP AUTH goes straight into the mailbox, so your MFA rollout is silently bypassed

How to configure it (practical approach)

  • If you have Conditional Access: create a “Block legacy authentication” policy and start it in Report-only mode first (Microsoft recommends this staged approach). (Source: Microsoft Learn)
  • Exclude break-glass/emergency access accounts and account types that must not be locked out (Microsoft calls out emergency access accounts and service accounts/service principals as exclusions to consider). (Source: Microsoft Learn)

If you don’t have Conditional Access

Microsoft states that customers without Conditional Access licensing can use Security Defaults to help block legacy authentication. (Source: Microsoft Learn)
Security Defaults also explains why this matters: legacy auth doesn’t support MFA, so attackers can use older protocols to bypass MFA. (Source: Microsoft Learn)

Quick reality check: Exchange Online already turned off Basic authentication for most protocols in every tenant (starting October 2022), but SMTP AUTH was left alone, so the usual holdouts are copiers, scanners and line-of-business apps that send mail with a mailbox username and password. Inventory those from the sign-in logs before flipping the switch, and plan the migration (an OAuth-capable client, direct send, or an SMTP relay connector that doesn’t need mailbox credentials). Exchange Online also lets you disable SMTP AUTH tenant-wide and re-enable it per mailbox, which is a cleaner end state than a permanent Conditional Access exclusion.
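The whole step 1 procedure in one place, as an added example (this is not code from the original post or from CyberDuo): list who is still signing in with legacy protocols, create Microsoft’s recommended block policy in report-only mode, then shut off SMTP AUTH at the tenant level. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module; the group name `BreakGlass-Accounts` and the mailbox `scanner@contoso.example` are placeholders.

```powershell
# Added example, not from the original post. Placeholders: BreakGlass-Accounts, scanner@contoso.example.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Group.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1) Legacy-auth sign-ins in the last 30 days (the sign-in log retention with Entra ID P1/P2).
#    These clientAppUsed values are how Entra labels Basic-auth clients in the sign-in logs.
$since         = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients")
$clientFilter  = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join " or "
$legacy        = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and ($clientFilter)"

$legacy | Group-Object UserPrincipalName, ClientAppUsed | ForEach-Object {
    $newest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        User      = $newest.UserPrincipalName
        ClientApp = $newest.ClientAppUsed
        Attempts  = $_.Count
        Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        LastIP    = $newest.IpAddress
        LastSeen  = $newest.CreatedDateTime
    }
} | Sort-Object Succeeded -Descending | Format-Table -AutoSize
# Rows with Succeeded > 0 are your migration list: a real device or app (or an attacker) using Basic auth.

# 2) The block policy. Report-only first; change state to "enabled" once the report shows only
#    devices you have already migrated or consciously excluded.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'"   # placeholder group name
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types Conditional Access targets
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3) SMTP AUTH is the protocol that usually remains. Disable it tenant-wide in Exchange Online and
#    re-enable it only on the mailboxes that genuinely need it (for example one scanner mailbox).
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false   # placeholder mailbox
```

Run part 1 on its own first and sit on the report for a week: every row with successful sign-ins is either a device you need to migrate or a credential you need to rotate, and you want to know which before the policy leaves report-only.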


2) Conditional Access: block logins from countries you don’t do business in

Most organizations don’t need logins from the entire planet—especially for finance roles.

Microsoft’s Conditional Access location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn’t come from. (Source: Microsoft Learn)

What this stops

  • A large percentage of opportunistic credential abuse from unfamiliar geographies
  • “Night shift” account takeovers that originate in regions you never operate in

The configuration we see work best

  • Create Named locations:
    • “Allowed countries” (or your core regions)
    • “Blocked countries” (everywhere else or specific high-risk regions)

  • Apply to:
    • All users for core apps (at minimum Exchange Online)
    • Finance and admin roles with stricter controls

  • Pair it with additional requirements:
    • Require MFA (strong auth)
    • Require compliant device for finance staff (if you have endpoint management)

Important nuance: Conditional Access is enforced after first-factor auth is completed. It’s not a DDoS shield—it’s an access control layer. (Source: Microsoft Learn)

Common mistake

Blocking “the rest of the world” without an exception plan for travel. The fix is simple: create a “Travel” group and a temporary exception policy with stronger verification (never a blanket bypass).
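The named location, the geo-block and the travel exception described above, as an added example (not code from the original post or from CyberDuo). It assumes the Microsoft Graph PowerShell SDK; the country list (US and Canada), the group names `BreakGlass-Accounts` and `CA-Travel-Exception` are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Placeholders: country list, BreakGlass-Accounts, CA-Travel-Exception.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# 1) Named location: the countries you actually operate in (ISO 3166-1 alpha-2 codes). With
#    includeUnknownCountriesAndRegions = $false, traffic whose country cannot be resolved is NOT
#    part of "Allowed", so the block policy below catches it too.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("US", "CA")        # assumption: a US/Canada business
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = "clientIpAddress"    # or "authenticatorAppGps"
}

$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'"
$travel     = Get-MgGroup -Filter "displayName eq 'CA-Travel-Exception'"

# 2) Block every location except the allowed one. Report-only first.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from countries we do not operate in"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id, $travel.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3) Travelers are exempt from the geo-block, not from control: outside the allowed countries they
#    must satisfy MFA AND a compliant device. Keep membership time-bound (access package or PIM for Groups).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Travel exception: require MFA and compliant device abroad"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($travel.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
```

The design point is the second policy: a travel group that is simply excluded from the block is a blanket bypass, and an attacker who phishes a traveler gets the same bypass. Excluding the group from the block and then pinning it to MFA plus a compliant device keeps the exception narrow.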


3) Turn on “Impossible Travel” (and other sign-in risk) alerts—and actually enforce them

If you’re trying to prevent wire fraud, you don’t just want logs—you want high-signal detections and automatic response.

Microsoft Entra ID Protection includes sign-in risk detections such as Atypical travel and Impossible travel (both listed as premium detections). Both are computed offline, so the detection can land after the session already exists; the control that acts on it is the risk-based policy at the next sign-in (or a forced re-authentication), not a block at the original login prompt. (Source: Microsoft Learn)

What this stops

  • Token/session abuse where attackers authenticate from distant locations in impossible time windows
  • “Two places at once” logins that signal account compromise

The key: alerts are good, enforcement is better

Microsoft provides guidance for building sign-in risk-based Conditional Access policies and notes that organizations with Entra ID P2 can create policies incorporating sign-in risk detections. (Source: Microsoft Learn)

You can use risk policies to:

  • Block access for risky sign-ins, or
  • Require remediation: a sign-in risk policy can require MFA for medium/high risk sign-ins, and a user risk policy can require a secure password change (which also clears the user’s risk), depending on your maturity and tolerance for disruption. (Source: Microsoft Learn)

Practical deployment tip

Start with:

  • Report-only for 7–14 days
  • Then enforce for:
    • admins and finance roles first
    • everyone second

This avoids breaking legitimate travel and VPN edge cases without leaving you blind.
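As an added example (not code from the original post or from CyberDuo), here is the hunt plus the enforcement side of step 3: list the travel-based detections that fired recently and which are still unremediated, then create the sign-in risk and user risk policies for a pilot group in report-only mode. It assumes the Microsoft Graph PowerShell SDK and Entra ID P2; the group name `CA-Pilot-Finance-Admins` is a placeholder.

```powershell
# Added example, not from the original post. Placeholder: CA-Pilot-Finance-Admins.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All","Group.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1) Travel detections from the last 14 days. Filter by date server-side, then match the event type
#    name client-side so Atypical travel and Impossible travel are both caught whatever the enum spelling.
$since      = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$travelHits = Get-MgRiskDetection -All -Filter "detectedDateTime ge $since" |
              Where-Object { $_.RiskEventType -match 'Travel' }

$travelHits |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress,
                  @{ n = "Location"; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
    Sort-Object DetectedDateTime -Descending | Format-Table -AutoSize

# RiskState "atRisk" means neither a policy nor an analyst has remediated or dismissed it yet.
$open = $travelHits | Where-Object RiskState -eq 'atRisk' |
        Select-Object -ExpandProperty UserPrincipalName -Unique
Write-Host "Users with unremediated travel detections: $($open -join ', ')"

# 2) Enforcement. Report-only first; then enable for admins/finance; then widen to everyone.
$pilot = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Finance-Admins'"   # placeholder
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "Sign-in risk medium/high: require MFA and re-authentication"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users            = @{ includeGroups = @($pilot.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high", "medium")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    # Force a fresh interactive sign-in every time risk is detected, so a stolen session token
    # cannot ride through on an existing browser session.
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

# 3) The companion user risk policy: a high-risk user must complete MFA and then change the password.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "User risk high: MFA + secure password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
```

Watch the `atRisk` list during the report-only window: if the same finance user shows up twice and nobody has touched it, the detection is working and the enforcement is what’s missing.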


4) Disable automatic external email forwarding (and hunt suspicious inbox rules)

This one is brutally effective against BEC.

Attackers love external forwarding because it gives them:

  • persistence,
  • visibility into future invoices,
  • and a place to monitor negotiations without staying logged in.

Microsoft explains that setting automatic forwarding to Off disables both inbox rules (user-created) and mailbox-level SMTP forwarding (set by an admin, or by the user in Outlook on the web settings) when they redirect messages to external addresses. (Source: Microsoft Learn)

And Microsoft’s compromised mailbox guidance specifically lists suspicious inbox rules (including auto-forwarding to unknown addresses) and newly added external forwarding as common compromise symptoms. (Source: Microsoft Learn)

What this stops

  • Silent data exfiltration through forwarding rules
  • Long-term thread monitoring (the foundation for wire fraud)

How to configure it (minimum viable)

  • Set Automatic forwarding to Off in the outbound spam filter policy (every policy, not just Default). Don’t leave it at Automatic - System-controlled: that currently behaves like Off, but it is Microsoft’s choice, not a documented decision of yours. (Source: Microsoft Learn)
  • Use the auto-forwarded messages report to find users who are forwarding externally, and check mailbox-level forwarding (ForwardingSmtpAddress) directly: the policy stops the forwarded mail from leaving, but it does not remove the configuration an attacker left behind. (Source: Microsoft Learn)

“But we need forwarding for a few mailboxes”

That’s normal. The better approach is:

  • block by default,
  • allow by exception,
  • document who has it and why.
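The block-by-default setting together with the hunt for existing forwarding and suspicious inbox rules, as an added example (not code from the original post or from CyberDuo). It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; the list of “hiding” folder names is my own heuristic, not a Microsoft setting.

```powershell
# Added example, not from the original post. The folder-name regex in part 3 is a heuristic.
Connect-ExchangeOnline

# 1) Explicit Off in every outbound spam filter policy (not "Automatic - System-controlled"),
#    plus the remote-domain setting as a second layer.
Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off
}
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2) Mailbox-level (SMTP) forwarding. Users can set this themselves in Outlook on the web, and the
#    policy change above does not clear it.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3) Inbox rules that forward, redirect, or hide mail. Get-InboxRule is one call per mailbox, so this
#    takes a while in a large tenant; -IncludeHidden also returns rules created through MAPI/EWS that
#    Outlook's rule UI does not show. Recipients appear as "Name" [SMTP:user@domain].
$ownDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = foreach ($t in $targets) {
            if ("$t" -match 'SMTP:([^\]\s]+)') {
                $addr = $Matches[1]
                if (($addr -split '@')[-1] -notin $ownDomains) { $addr }
            }
        }
        # Classic BEC tradecraft: delete the thread or bury it in a folder nobody opens.
        $hides = [bool]$rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk|Deleted')
        if ($external -or $hides) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join '; ')
                Hides    = $hides
                Folder   = "$($rule.MoveToFolder)"
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Run part 3 on a schedule, not once: the policy stops the mail, but a rule named “.” that moves every message containing “invoice” to RSS Subscriptions is still the earliest visible sign that a mailbox has been taken over.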


5) Lock down OAuth app consent (this stops “login without a password” attacks)

Here’s the uncomfortable truth: an attacker doesn’t always need your password if they can trick a user into granting a malicious app access.

Microsoft explains that before an application can access your organization’s data, a user must grant permissions—and by default, users can consent to apps for certain permissions, including allowing an app to access their mailbox. Microsoft recommends reducing risk by allowing user consent only for apps from a verified publisher (or restricting/disabling user consent). (Source: Microsoft Learn)

What this stops

  • OAuth “consent phishing” where a user authorizes a malicious app
  • Persistent mailbox access via OAuth tokens that survives a password reset: consent grants and refresh tokens are not removed by changing the password, so the app keeps reading mail until the grant is revoked and the user’s sessions are invalidated

What to configure

  • Restrict user consent (ideally to verified publishers only, or require admin approval). (Source: Microsoft Learn)
  • Enable an admin consent workflow so users can request access and designated reviewers can approve/deny in a controlled way. Microsoft describes this workflow as a secure way for admins to grant access requiring admin approval. (Source: Microsoft Learn)

Quick win you can do today

Audit:

  • which enterprise apps exist,
  • which have mail or file permissions,
  • and whether they’re truly needed.
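The consent restriction, the admin consent workflow and the audit, as an added example (not code from the original post or from CyberDuo). It assumes the Microsoft Graph PowerShell SDK; the reviewer address `secops-reviewer@contoso.example` is a placeholder, and the regex of “mail or file” permission names is my own selection of common Graph and Exchange permission prefixes.

```powershell
# Added example, not from the original post. Placeholder: secops-reviewer@contoso.example.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest","Application.Read.All","Directory.Read.All","User.Read.All"

# 1) User consent: only apps from verified publishers asking for low-impact permissions.
#    "...microsoft-user-default-legacy" means any user can consent to anything; an empty array
#    disables user consent entirely (everything then goes through the workflow below).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2) Admin consent workflow, so a blocked request lands with a named reviewer instead of vanishing.
$reviewer = Get-MgUser -UserId "secops-reviewer@contoso.example"   # placeholder
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true -RemindersEnabled:$true `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })

# 3) Audit. Permission names for mailbox and file access start with these prefixes (my selection).
$sensitive = 'Mail\.|MailboxSettings|Files\.|Sites\.|full_access_as_app|EWS\.AccessAsUser'
$spCache   = @{}
function Get-CachedServicePrincipal([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) { $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    $spCache[$Id]
}

# Delegated permissions (OAuth2 grants) are what consent phishing produces: a user clicked "Accept".
$delegated = Get-MgOauth2PermissionGrant -All | Where-Object { $_.Scope -match $sensitive } | ForEach-Object {
    $sp = Get-CachedServicePrincipal $_.ClientId
    if ($_.ConsentType -eq "AllPrincipals") { $grantedFor = "all users (admin consent)" }
    else { $grantedFor = (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName }
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.VerifiedPublisher.DisplayName      # empty = unverified publisher
        Kind        = "Delegated"
        GrantedFor  = $grantedFor
        Permissions = $_.Scope.Trim()
    }
}

# Application permissions (app roles) need no user at all, e.g. Mail.Read over every mailbox.
$appOnly = Get-MgServicePrincipal -All | ForEach-Object {
    $client = $_
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All | ForEach-Object {
        $assignment = $_
        $resource   = Get-CachedServicePrincipal $assignment.ResourceId
        $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        if ($role.Value -match $sensitive) {
            [pscustomobject]@{
                App = $client.DisplayName; AppId = $client.AppId; Publisher = $client.VerifiedPublisher.DisplayName
                Kind = "Application"; GrantedFor = "tenant-wide"; Permissions = $role.Value
            }
        }
    }
}
@($delegated) + @($appOnly) | Sort-Object Kind, App | Format-Table -AutoSize
# Anything with an unverified publisher, a single-user grant, or no business owner is a removal
# candidate (Remove-MgOauth2PermissionGrant / Remove-MgServicePrincipalAppRoleAssignment).
```

Read the two halves differently: a single-user delegated grant for an unknown app with Mail.ReadWrite is the consent-phishing fingerprint; an application permission like Mail.Read granted tenant-wide is a supply-chain exposure, because whoever holds that app’s secret can read every mailbox.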


The ROI: how these settings prevent a $50k wire fraud loss

Let’s use a realistic scenario (this pattern plays out every day):

Scenario: An attacker compromises an accounts payable mailbox, watches vendor conversations, then sends updated wiring instructions. AP wires $50,000 to the attacker’s account.

Is $50k guaranteed? No.
Is it common for BEC incidents to run into tens of thousands (or much more) and be difficult to recover? Yes—and IC3’s reporting shows how large this problem is at scale. (Source: Internet Crime Complaint Center)

Now map each setting to the fraud chain:

  • Legacy auth blocked → fewer credential-spray “easy logins” in the first place. (Source: Microsoft Learn)
  • Conditional Access location rules → a stolen password from a foreign IP often can’t even reach the inbox. (Source: Microsoft Learn)
  • Impossible/Atypical travel detections + risk policies → suspicious sign-ins get blocked or forced through remediation quickly. (Source: Microsoft Learn)
  • External forwarding disabled → attackers lose the silent monitoring channel that makes wire fraud possible. (Source: Microsoft Learn)
  • App consent locked down → reduces token-based mailbox access that bypasses “we reset the password” assumptions. (Source: Microsoft Learn)

This is what “Microsoft 365 security best practices for business” looks like when the goal is preventing BEC and wire fraud, not just passing a generic checklist.


Bonus: 2 additional improvements that drive down BEC risk fast

Bonus A) Use Defender for Office 365 anti-phishing policies (impersonation protection)

If you have Microsoft Defender for Office 365, Microsoft notes anti-phishing policies can provide anti-spoofing and anti-impersonation protections and recommends using Standard/Strict preset security policies instead of managing lots of custom policies in many cases. (Source: Microsoft Learn)

This is directly relevant to wire fraud because many BEC attempts use:

  • display name impersonation,
  • domain lookalikes,
  • “CEO/CFO” impersonation.

Bonus B) Add an “external sender” banner (process-level control)

The FBI recommends companies add a banner labeling emails received from outside the organization (for example, “EXTERNAL EMAIL”). (Source: Internet Crime Complaint Center)
It’s not a magic bullet—but it reduces the success rate of impersonation attempts that rely on staff acting fast.


Quick audit checklist (15 minutes)

If you want to know whether your Microsoft 365 is “wire-fraud resistant,” answer these:

  1. Legacy authentication is blocked (or Security Defaults are enabled and confirmed).
  2. Conditional Access blocks countries/regions you don’t operate in.
  3. Risk detections (Atypical/Impossible travel) are monitored and tied to an enforcement policy.
  4. Automatic external forwarding is disabled by default.
  5. User app consent is restricted (ideally to verified publishers) and admin consent workflow is enabled.
  6. You routinely review suspicious inbox rules and forwarding changes (common compromise indicators).

If you’re missing 2+ of these, you’re likely depending on luck for fraud prevention.


If you suspect an account is already compromised

Microsoft notes common signs include missing/deleted mail, suspicious inbox rules (including forwarding), suspicious sent items, and newly added external forwarding.
Treat those as an incident—not “an IT ticket.”

Immediate actions (practical):

  • Block sign-in, reset credentials, and revoke sessions and refresh tokens (a password reset alone does not invalidate tokens already issued, including those held by a consented OAuth app)
  • Remove forwarding and inbox rules, but capture them first: the destination address and creation time are evidence for the bank and for IC3
  • Review recent sign-ins, risky sign-in indicators, newly registered MFA methods, and app consents the user granted
  • Notify finance and pause wire changes until verified out-of-band

Also remember: IC3 emphasizes time-critical response for fraudulent transfers—contact the bank immediately and file a report. (Source: Internet Crime Complaint Center)
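The first-hour containment and evidence steps above for a single mailbox, as an added example (not code from the original post or from CyberDuo). It assumes the Microsoft Graph PowerShell SDK, the ExchangeOnlineManagement module, and Entra ID P2 for the risky-user step; the user `ap-clerk@contoso.example` is a placeholder.

```powershell
# Added example, not from the original post. Placeholder: ap-clerk@contoso.example.
$upn = "ap-clerk@contoso.example"
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","IdentityRiskyUser.ReadWrite.All","UserAuthenticationMethod.Read.All"
Connect-ExchangeOnline

# 1) Contain. Disable sign-in, then revoke refresh tokens/sessions. A password reset on its own does
#    not invalidate tokens already issued, including tokens held by a consented OAuth app.
Update-MgUser -UserId $upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $upn | Out-Null
$user = Get-MgUser -UserId $upn
Confirm-MgRiskyUserCompromised -UserIds @($user.Id)   # raises user risk to high so risk policies apply on re-enable

# 2) Remove the foothold in the mailbox. Export the rules before deleting them: the target address
#    and the rule's creation time are evidence for the bank and for the IC3 report.
Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
$rules = @(Get-InboxRule -Mailbox $upn -IncludeHidden)
$rules | Export-Csv -Path ".\$($upn)-inboxrules.csv" -NoTypeInformation
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object { Remove-InboxRule -Mailbox $upn -Identity $_.Identity -Confirm:$false }

# 3) Timeline. Who created the rules and from which IP (unified audit log), where the sessions came
#    from (sign-in logs), and whether the attacker registered their own MFA method.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds $upn `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            Operation  = $_.Operations
            ClientIP   = $d.ClientIP
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Format-Table -AutoSize

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 100 |
    Select-Object CreatedDateTime, IpAddress, @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
                  ClientAppUsed, AppDisplayName, @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties['@odata.type'] } }
# Any method the user does not recognise (a new phone number, a new Authenticator device) is removed
# before the account is re-enabled with a fresh password.
```

The order matters: disabling the account and revoking sessions comes before touching the mailbox, because an attacker who still holds a valid token can recreate the forwarding rule faster than you can delete it, and the audit log query is what tells you whether they already did.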


FAQ

Can hackers bypass MFA in Microsoft 365?

They can bypass some MFA methods through social engineering (SIM swaps, call forwarding) and push fatigue. That’s why stronger MFA plus Conditional Access, risk policies, and email hardening matter.

Do I need Microsoft 365 E5 to do this?

Not necessarily for all five steps. Some controls can be done with Security Defaults and standard Exchange settings, but risk detections like Impossible/Atypical travel are listed as premium detections and Entra ID Protection features generally require P2 for full functionality.

What’s the single most important setting to prevent Office 365 wire fraud?

If forced to choose one: disable external forwarding and lock down inbox rules—because attackers rely on silent monitoring to time invoice fraud.


Closing thought: “Default” protects Microsoft. You need settings that protect your money.

BEC isn’t a “malware problem.” It’s an identity + email workflow problem.

If you implement the five configurations above, you’re not just “hardening Microsoft 365.” You’re reducing the probability of a high-impact event—like a $50,000 wire fraud—by breaking the attack chain where it most often succeeds.