External penetration tests are a critical component, and often one of the first steps, of an organisation's defence strategy. These engagements typically focus on the infrastructure that an organisation controls or hosts. However, this leaves a blind spot within the security posture - services hosted by third parties, such as Microsoft's M365, which grant users access to company resources like SharePoint and Outlook.

## Background

For over 10 years, many Microsoft products (including the M365 login function) have contained enumeration flaws which allow malicious actors to determine if an account is valid. The first step to any password attack against an organisation's userbase is to compile a list of targets, and tooling exists to automate this process. Microsoft has not indicated that they are going to address these user enumeration flaws.

Tooling also exists to automate the process of systematically attempting to log into each account in that list of targets.

## The Budget Problem

This kind of threat is typically only tested during a simulated attack against the organisation (such as during a red team engagement), but these projects are covert, comprehensive, and usually last for weeks or months. A cost-effective way to address this initial access threat is to carry out a targeted credential attack against your organisation's M365 user accounts. A straightforward engagement will confirm whether any leaked credentials are still valid and whether any users utilise a weak password and can usually be carried out in one or two days.

## The Password Problem

Would you consider the following password policy strong?

- at least 10 characters in length  
- upper case character  
- lower case character  
- a digit  
- and a special character

Well, "Password1!" meets these guidelines and is occasionally the condition for an initial compromise. You may think you are fine as you utilise multifactor authentication; however, there are several methods to defeat these controls. It's worth noting that users with weak passwords may be less security conscious in general and more likely to fall victim to a phishing attack designed to capture sensitive information such as an MFA token. A user may utilise the same password elsewhere which does not enforce MFA. We have also found that some organisations have special shared accounts where MFA is not enforced for quality-of-life purposes.

## Contact Us

If you want peace of mind regarding this attack vector, contact us and we can tailor the engagement to your organisation's needs. We can perform a simulated credential attack and many other kinds of review to secure this gap. [www.fortiscyber.co.uk](/content/site-root.html)

[Supercharging Cyber Attacks: How AI has changed the threat landscape for businesses. ](/content/post/supercharging-cyber-attacks-how-ai-has-changed-the-threat-landscape-for-businesses/index.html)

## Are You Ready for the Impending Cyber Essentials Changes?

As of April 27th 2026, there are important changes to Cyber Essentials which all organisations holding, or looking to achieve Cyber Essentials or Cyber Essentials Plus, must be aware of. These changes have come about to reflect what is being seen by IASME and the National Cyber Security Centre across real-world incidents, evolving cyber threats and feedback from assessments. The current question set is being updated to tighten certain criteria and to help organisations become aware of evolving threats.
