Microsoft 365 Security Risks for SMBs in 2026
M365 is the productivity suite for 91% of SMBs — and it has become the primary attack target. From identity hijacking that bypasses MFA to inherited configurations nobody has ever audited, here is what is actually happening and what to do about it this week.
MFA Is No Longer Enough — February 2026 Proved It
For years the message to SMB clients was simple: enable two-factor authentication and you are protected. In February 2026, that message showed its limits in a very concrete way.
KnowBe4 Threat Labs documented an active phishing campaign targeting over 340 organizations that does not steal credentials — it steals OAuth tokens. The mechanism is technical but the effect is immediate: the attacker gains persistent access to email, OneDrive files, SharePoint, and Teams even after the password has been changed and MFA is active. Tokens remain valid until explicitly revoked by an administrator, and most SMB environments do not monitor for this type of event.
The campaign started in December 2025 and accelerated through Q1 2026. The most affected sectors include manufacturing, professional services, healthcare, and legal — exactly the client base of a typical MSP.
This is the environment in which M365 operates today. It is not a platform you configure once and leave running — it is an active attack surface, at a moment when offensive techniques are evolving faster than standard defenses.
Why M365 Has Become the Primary Target
Microsoft 365 and Google Workspace together cover 91% of SMBs for productivity suites. For an attacker, learning to compromise one M365 tenant means having a playbook applicable to tens of thousands of organizations with nearly identical configurations.
The appeal is not just the reach. It is the concentration. A single M365 tenant holds all company email, critical files on SharePoint and OneDrive, communications on Teams, identities in Entra ID, and increasingly AI-mediated access to company data via Copilot. Compromising one account is equivalent to compromising the entire information infrastructure of the business.
There is also an operational factor: most SMBs have no dedicated security team. The IT generalist managing M365 for a 40-person firm is balancing dozens of priorities. Security configurations end up on a to-do list that never empties.
The Four Main Risks in 2026
1. Identity hijacking via OAuth — the attack that bypasses MFA
The campaign documented by KnowBe4 in February 2026 exploits the OAuth 2.0 Device Authorization flow: the attacker generates a device code, sends it to the victim via phishing with a credible pretext, and when the user enters it on the legitimate Microsoft domain the attacker receives a full access token. The user has just authenticated the attacker while believing they were doing something else.
The result is read/write/send access across email, calendar, files, and administrative functions — persistent and not revoked by a password change. For an MSP, the signal to look for in Entra ID logs is authentication via device code flow from unrecognized addresses or geographies.
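The detection described above, as an added example that is not part of the original article or any Microsoft tooling: a small Python check that runs over an Entra ID sign-in log export and surfaces successful device-code sign-ins from countries the tenant does not normally sign in from. It assumes the records have the shape of the Microsoft Graph `signIn` resource (the `authenticationProtocol` field carries the value `deviceCode` for this flow); the sample events, addresses and expected-country list are constructed for the example. Passing an empty expected-country set flags every successful device-code sign-in, which is the right setting for a tenant with no browserless devices.

```python
"""Flag successful device-code sign-ins outside the countries a tenant expects.

Added example, not code from the article or from Microsoft. Records follow the
shape of the Microsoft Graph `signIn` resource produced by the Entra ID sign-in
log export (`authenticationProtocol`, `createdDateTime`, `userPrincipalName`,
`ipAddress`, `location`, `status`); the sample records, IP addresses and the
expected-country list are constructed for the example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: four sign-in events for a fictional tenant.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "createdDateTime": "2026-02-10T08:12:44Z",
     "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"},
     "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2026-02-10T09:01:02Z",
     "userPrincipalName": "ops@contoso.example",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "IT", "city": "Milan"},
     "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2026-02-10T09:30:00Z",
     "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "none",          # ordinary browser sign-in
     "ipAddress": "198.51.100.21",
     "location": {"countryOrRegion": "IT", "city": "Milan"},
     "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2025-12-01T22:45:10Z",
     "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "BR", "city": "Sao Paulo"},
     "status": {"errorCode": 50126}},           # failed, and outside the window
])


def _parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_device_code_signins(signins_json, expected_countries, lookback_days=30,
                             now=None):
    """Return device-code sign-ins that succeeded, fall inside the lookback
    window, and come from a country not in `expected_countries`.
    An empty `expected_countries` set flags every successful device-code sign-in.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue                      # failed attempts are noise for this check
        if _parse_ts(rec["createdDateTime"]) < cutoff:
            continue
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country in expected_countries:
            continue
        hits.append({"id": rec["id"], "user": rec["userPrincipalName"],
                     "ip": rec["ipAddress"], "country": country,
                     "when": rec["createdDateTime"]})
    return hits


if __name__ == "__main__":
    # Fixed "now" so the constructed sample stays inside the 30-day window.
    review = find_device_code_signins(SAMPLE_SIGNINS, {"IT"}, lookback_days=30,
                                      now=datetime(2026, 2, 11, tzinfo=timezone.utc))
    for h in review:
        print(f"REVIEW {h['when']} {h['user']} from {h['ip']} ({h['country']})")
```

Every hit is a token that stays valid until an administrator revokes it, so the follow-up is to revoke the user's refresh tokens and review the consented app, not only to reset the password.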
2. Legacy authentication — the unlocked side door
Many SMB tenants still have legacy authentication protocols active: SMTP AUTH, Basic Auth, IMAP/POP3 with credentials. These protocols do not support MFA by design. An attacker who obtains a password — via credential stuffing on breach databases, which are always available — can authenticate without triggering MFA and without leaving obvious traces in standard logs.
Microsoft has been deprecating these protocols for years, but disabling them requires an explicit Conditional Access policy and often impacts some undocumented legacy application. The result: they are left active "just in case." That decision is the real vulnerability.
3. Inherited configurations and SharePoint permission creep
Every M365 tenant accumulates configurations over time. SharePoint sites created for a project and never closed. Documents shared with everyone for convenience. Guest access enabled and never revoked. OAuth apps consented by a user years ago and never reviewed.
This problem has become structurally more serious with the introduction of Copilot. The AI assistant operates with the permissions of the user running it — if that user has access, even inadvertently, to sensitive SharePoint documents, Copilot can return them in response to any question. The issue is not the AI: it is the permission creep accumulated over years that AI now makes instantly accessible.
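The OAuth-app review that the permission-creep point calls for, as an added example (not the article's own code or a Microsoft tool): a Python audit over the three Graph objects that together describe consented apps in a tenant, `servicePrincipal` (the enterprise app), `oauth2PermissionGrant` (delegated consent, user or tenant-wide) and `appRoleAssignment` (application permissions). It flags apps outside an approved list and any grant of high-privilege mail or file scopes. All sample objects, app IDs and role IDs are constructed placeholders; the approved-app list and the high-risk scope set are assumptions a tenant would replace with its own.

```python
"""Audit OAuth apps (service principals) that hold consented permissions in a tenant.

Added example, not the article's own code. Input objects use the shape of the
Microsoft Graph resources `servicePrincipal`, `oauth2PermissionGrant` (delegated
consent) and `appRoleAssignment` (application permissions). All sample data,
app IDs and appRole IDs below are constructed placeholders.
"""

# Delegated scopes that give an app standing read/write access to mail or files
# (assumed list; a tenant would tune it).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "MailboxSettings.ReadWrite", "offline_access",
}

# Constructed: enterprise apps present in the tenant.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-lob-crm", "displayName": "Contoso CRM connector"},
    {"id": "sp-2", "appId": "app-unknown-1", "displayName": "PDF Converter Pro"},
    {"id": "sp-3", "appId": "app-unknown-2", "displayName": "Mail sync helper"},
]
# Constructed: delegated consents. `scope` is space-separated, as Graph returns it.
OAUTH2_GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Contacts.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite.All offline_access"},
]
# Constructed: application permissions; appRoleId is resolved via the resource's appRoles.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-3", "resourceId": "sp-graph", "appRoleId": "role-mail-readwrite"},
]
RESOURCE_APP_ROLES = {"sp-graph": {"role-mail-readwrite": "Mail.ReadWrite"}}
APPROVED_APP_IDS = {"app-lob-crm"}          # assumed allow-list of known business apps


def audit_oauth_apps(service_principals, grants, role_assignments, resource_app_roles,
                     approved_app_ids, high_risk_scopes=HIGH_RISK_SCOPES):
    """Return one finding dict per (app, reason); an empty list means nothing to review."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []

    def flag(sp_id, reason, detail):
        sp = by_id.get(sp_id, {"appId": "?", "displayName": sp_id})
        findings.append({"app": sp["displayName"], "appId": sp["appId"],
                         "reason": reason, "detail": detail})

    for g in grants:
        approved = by_id.get(g["clientId"], {}).get("appId") in approved_app_ids
        risky = sorted(set(g["scope"].split()) & high_risk_scopes)
        if g["consentType"] == "AllPrincipals" and not approved:
            flag(g["clientId"], "tenant-wide consent by unapproved app", g["scope"])
        if risky:
            flag(g["clientId"], "high-risk delegated scope", " ".join(risky))
        if g["consentType"] == "Principal" and not approved:
            flag(g["clientId"], "user consent to unapproved app",
                 f"principalId={g['principalId']}")

    for a in role_assignments:
        approved = by_id.get(a["principalId"], {}).get("appId") in approved_app_ids
        role = resource_app_roles.get(a["resourceId"], {}).get(a["appRoleId"], a["appRoleId"])
        if not approved:
            flag(a["principalId"], "application permission on unapproved app", role)
    return findings


if __name__ == "__main__":
    for f in audit_oauth_apps(SERVICE_PRINCIPALS, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS,
                              RESOURCE_APP_ROLES, APPROVED_APP_IDS):
        print(f"{f['app']} ({f['appId']}): {f['reason']} [{f['detail']}]")
```

Application permissions deserve the closest look: they are not tied to any signed-in user, so an app holding `Mail.ReadWrite` at that level reads every mailbox in the tenant, and Copilot's per-user scope does not limit it.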
4. The shared responsibility boundary — and the backup that does not exist
Microsoft manages the infrastructure. The data inside the tenant is the customer's responsibility. This is documented, but systematically misunderstood by SMBs, who assume that "cloud" means "automatic backup guaranteed."
Native M365 retention for deleted files is 30–93 days depending on configuration. Ransomware that syncs encrypted files to OneDrive can make months of work unrecoverable if not detected within that window. Third-party backup is not optional for clients with critical data in M365 — it is the only real recovery guarantee in the event of an incident.
5 Controls Most MSPs Have Not Done Yet
These are not the usual generic recommendations. They are the specific controls that emerge from incident patterns documented in Q1 2026.
1. Check logs for device code authentications. In Entra ID, search the sign-in logs for events whose authentication protocol is `deviceCode` over the past few weeks. If you find authentications from unrecognized locations, the tenant is potentially compromised.
2. Block device code flow via Conditional Access. Unless there are documented use cases such as browserless devices, this feature should be disabled. It is the primary vector of the active campaign running through Q1 2026.
3. Audit OAuth apps registered in the tenant. Go to Entra ID > App registrations > All applications and verify every app that holds delegated or application permissions on M365 resources. Revoke anything unrecognized or no longer in use.
4. Block legacy authentication with a dedicated Conditional Access policy. Do not assume it is already blocked; verify it. Entra ID logs show explicitly which protocol was used for every authentication event.
5. Verify M365 backup coverage for every client. If no third-party backup exists covering Exchange Online, SharePoint, OneDrive, and Teams, that client cannot recover from a ransomware incident within a reasonable window.
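The "do not assume it is blocked, verify it" step for controls 2 and 4, as an added example that is not part of the article or any Microsoft tool: a Python check over an exported list of Conditional Access policies that reports whether an enforced policy actually blocks legacy client apps and the device code flow. It assumes the Microsoft Graph `conditionalAccessPolicy` shape: `state` (where `enabledForReportingButNotEnforced` means report-only), `conditions.clientAppTypes` (the values `exchangeActiveSync` and `other` are the legacy clients), `conditions.authenticationFlows.transferMethods` (a flags value that includes `deviceCodeFlow`) and `grantControls.builtInControls`. The three sample policies and the break-glass exclusion ID are constructed.

```python
"""Verify that a tenant's Conditional Access baseline blocks legacy authentication
and the device code flow.

Added example, not from the article. Policy objects use the shape of the
Microsoft Graph `conditionalAccessPolicy` resource; the sample export and the
break-glass object ID are constructed.
"""
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}   # Graph values for legacy clients

# Constructed export. Policy 1 is report-only, so it enforces nothing;
# policy 2 enforces a legacy-auth block; policy 3 exists but is disabled.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy auth",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass-object-id-placeholder"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow",
     "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _transfer_methods(policy):
    """`transferMethods` is a flags value, serialized as a comma-separated string."""
    raw = (policy.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods", "")
    if isinstance(raw, list):
        return {m.strip() for m in raw}
    return {m.strip() for m in raw.split(",") if m.strip()}


def _is_enforced_block_for_everyone(policy):
    """Enabled (not report-only), scoped to all users and all apps, grant control = block."""
    c = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", [])
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))


def check_ca_baseline(policies):
    """Report which of the two controls an enforced policy covers, and the gaps."""
    result = {"legacy_auth_blocked": False, "device_code_blocked": False,
              "covered_by": {}, "gaps": []}
    for p in policies:
        if not _is_enforced_block_for_everyone(p):
            continue                      # report-only, disabled or scoped policies do not count
        apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        if LEGACY_CLIENT_APP_TYPES <= apps:
            result["legacy_auth_blocked"] = True
            result["covered_by"]["legacy_auth"] = p["displayName"]
        if "deviceCodeFlow" in _transfer_methods(p):
            result["device_code_blocked"] = True
            result["covered_by"]["device_code"] = p["displayName"]
    if not result["legacy_auth_blocked"]:
        result["gaps"].append("no enforced policy blocks exchangeActiveSync/other client apps")
    if not result["device_code_blocked"]:
        result["gaps"].append("no enforced policy blocks the deviceCodeFlow transfer method")
    return result


if __name__ == "__main__":
    report = check_ca_baseline(SAMPLE_POLICIES)
    for key in ("legacy_auth_blocked", "device_code_blocked"):
        print(f"{key}: {report[key]}")
    for gap in report["gaps"]:
        print(f"GAP: {gap}")
```

The check deliberately ignores report-only and disabled policies, which is where the "we thought it was blocked" cases usually come from: a policy that shows up in the portal list but never moved out of report-only mode.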
Analysis based on TIRESIS CVE scoring pipeline, KnowBe4 Threat Labs data (February 2026), Hornetsecurity Monthly Threat Report (March 2026), and Gartner Security & Risk Management Summit (March 2026).