
Reducing Cyber Risk with the Microsoft Tools You Already Have

Pondurance, Michael DeNapoli
February 2, 2026

Midmarket organizations overwhelmingly rely on Microsoft Windows and Office 365/Microsoft 365 to run their businesses. Email, documents, collaboration, identity, and endpoints are tightly integrated into these platforms. That convenience, however, also makes them a frequent target for attackers.

The good news is that many organizations already have security tooling in their existing Microsoft 365 environments, including Microsoft Defender for protecting endpoints, identity, and other key areas. When these tools are properly configured and backed by supporting processes, they reduce cyber risk and help organizations respond faster when something goes wrong.


This Q&A with Michael DeNapoli, a senior solutions architect at Pondurance, explores how midmarket organizations can better protect Windows and Microsoft 365 environments by making smarter use of what they already own, and where external detection and response support can add value. 

This article is the first in a series on improving cybersecurity and reducing breach risks with the tools you already have—and how a trusted partner like Pondurance can help.


Why are midmarket organizations especially vulnerable to Microsoft-focused attacks?


Michael: The answer is largely about scale and predictability. Most midmarket organizations use Windows on endpoints and Office 365/Microsoft 365 for email and collaboration. Attackers target what they know will be there. macOS certainly continues to gain traction in the business world, but Windows is going to be present in nearly every organization.


When threat actors go after Windows and Microsoft applications, they are not making a judgment about the security maturity of a specific organization. They are playing a numbers game.

Midmarket organizations often face additional constraints. Many operate with small IT teams that must balance security with daily operational demands. Dedicated security roles may not exist, and even when security tools are licensed, they are not always fully configured or consistently maintained. Attackers understand this reality and design their campaigns accordingly.


What types of vulnerabilities are most common in Windows and Microsoft 365 environments?


Michael: Most successful attacks exploit ordinary weaknesses rather than rare or highly technical flaws. Outdated operating systems, unpatched applications, and unmanaged third-party software remain common entry points. Endpoints that are not regularly updated create opportunities for attackers to gain a foothold.

Microsoft is responsible for securing the Microsoft 365 cloud itself, but organizations remain responsible for securing the devices, tenancies, and users that access those services. If an attacker gains control of a workstation, they often do not need to exploit Microsoft 365 directly. They can simply use the applications that are already running and authenticated.


Vulnerabilities also extend beyond technology. User behavior, update discipline, and internal processes all play a role. When users install unapproved software, delay updates, or hesitate to report mistakes, risk increases even if the underlying platform is well designed.


What types of attacks succeed most often in Microsoft environments?


Michael: Business email compromise remains the most common and effective attack against Microsoft-centric organizations. Email addresses are easy to discover, and passwords are often reused. Without strong authentication controls and the ability to recognize unusual user behaviors, attackers who obtain credentials can quietly access sensitive communications and data.


Once inside an email account, attackers can read confidential messages, download files, create inbox rules to hide activity, and impersonate trusted users. Because email sits at the center of most business processes, even a single compromised account can expose a large amount of sensitive information.

Ransomware is a close second. These attacks often begin when a user is tricked into running malicious software, or into following convincing instructions that fraudulently appear to come from Microsoft itself or from another legitimate and/or trusted source. In other cases, attackers gain remote access and deploy ransomware directly. While ransomware is not exclusive to Microsoft environments, Windows endpoints are a common entry point simply because they are so widely used.
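The inbox-rule trick Michael describes leaves a trail in the Exchange admin audit log. The following PowerShell is an added example, not code from the article or from Pondurance: it scores New-InboxRule records for the signals that matter (mail deleted, marked read, or moved into a folder nobody opens, forwarding to an outside address, finance or credential keywords, a near-empty rule name). The records below are constructed in the shape of the AuditData field that Search-UnifiedAuditLog returns; the folder list, keyword list, internal domain and two-signal threshold are assumptions to tune for your tenant.

```powershell
# Added example (not from the article): flag inbox rules that hide mail, the
# post-compromise pattern described above. Input is constructed JSON in the shape
# of the AuditData field returned by Search-UnifiedAuditLog for New-InboxRule /
# Set-InboxRule; lists and thresholds below are assumptions, tune them.

# Folders attackers commonly move mail into so the victim never sees it (assumed list).
$HiddenFolders = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Archive', 'Junk Email', 'Deleted Items')
# Subject/body keywords that suggest financial or credential-theft targeting (assumed list).
$SuspectWords = @('invoice', 'payment', 'wire', 'password', 'mfa', 'verification', 'helpdesk', 'hacked', 'phish')
# Domains the organization owns; forwarding anywhere else is external (assumption for the example).
$InternalDomains = @('contoso.com')

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] [pscustomobject] $Record)

    # Exchange audit records carry the cmdlet arguments as Name/Value pairs.
    $p = @{}
    foreach ($item in $Record.Parameters) { $p[$item.Name] = [string]$item.Value }

    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($p['DeleteMessage'] -eq 'True') { $reasons.Add('deletes matching mail') }
    if ($p['MarkAsRead'] -eq 'True')    { $reasons.Add('marks matching mail as read') }

    if ($p.ContainsKey('MoveToFolder') -and ($HiddenFolders -contains $p['MoveToFolder'])) {
        $reasons.Add("moves mail to '$($p['MoveToFolder'])'")
    }

    # Any forward/redirect to an address outside the organization is a data-theft channel.
    foreach ($fwd in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        if ($p.ContainsKey($fwd)) {
            $target = $p[$fwd]
            $external = $true
            foreach ($d in $InternalDomains) { if ($target -like "*@$d*") { $external = $false } }
            if ($external) { $reasons.Add("$fwd external address $target") }
        }
    }

    $words = "$($p['SubjectContainsWords']);$($p['BodyContainsWords'])".ToLower()
    foreach ($w in $SuspectWords) {
        if ($words -like "*$w*") { $reasons.Add("matches keyword '$w'"); break }
    }

    # Names like "." or a single space are a classic attempt to make the rule easy to overlook.
    if ($p.ContainsKey('Name') -and $p['Name'].Trim().Length -le 1) { $reasons.Add('near-empty rule name') }

    [pscustomobject]@{
        User       = $Record.UserId
        ClientIP   = $Record.ClientIP
        Operation  = $Record.Operation
        Suspicious = ($reasons.Count -ge 2)   # assumed threshold: two signals before alerting
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample records (the shape of AuditData, not real tenant data).
$SampleAuditData = @'
[
 {"CreationTime":"2026-01-15T08:12:03","Operation":"New-InboxRule","UserId":"jdoe@contoso.com","ClientIP":"203.0.113.5",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;password"},
                {"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]},
 {"CreationTime":"2026-01-15T09:40:11","Operation":"New-InboxRule","UserId":"asmith@contoso.com","ClientIP":"198.51.100.20",
  "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},
                {"Name":"MoveToFolder","Value":"Newsletters"}]}
]
'@

$results = ($SampleAuditData | ConvertFrom-Json) | ForEach-Object { Test-SuspiciousInboxRule -Record $_ }
$results | Where-Object Suspicious | Format-Table User, ClientIP, Reasons -AutoSize

# Against a live tenant (needs the ExchangeOnlineManagement module and audit log read rights):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations New-InboxRule,Set-InboxRule -ResultSize 5000 |
#     ForEach-Object { Test-SuspiciousInboxRule -Record ($_.AuditData | ConvertFrom-Json) } |
#     Where-Object Suspicious
```

Run as written, only the first constructed record is reported (hidden folder, marked as read, finance keyword, rule named "."); the newsletter rule is left alone. The ClientIP in the output is the field to compare against the user's normal sign-in locations before resetting the password and revoking tokens.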


What general steps can IT and security teams take to mitigate the risk of these attacks?


Michael: One of the most effective steps is also one of the least glamorous: keeping systems and applications consistently updated. Many organizations already license tools such as Microsoft Intune as part of their Microsoft 365 subscription. Intune can help manage updates in a way that minimizes disruption. Updates can be scheduled, users can be prompted with clear deadlines, and reboots can occur overnight rather than during working hours.


When updates are predictable and automated, resistance tends to drop. Users are far more likely to comply when they understand what is happening and when it will occur.


User training also plays an important role, but expectations must be realistic. Training should focus on helping users recognize common warning signs rather than trying to turn them into security experts. Mistakes will still happen. The goal is to reduce the number of successful attacks and ensure that users report issues quickly when something feels off.


Perhaps most important is creating an environment where users feel safe speaking up. When employees know they can report a mistake without fear of punishment, security teams gain valuable time. Early reporting allows passwords to be reset, tokens to be rotated, and access to be reviewed before real damage occurs. While repeated disregard for security is a disciplinary issue, the occasional mistake shouldn’t put an employee in fear of losing their livelihood.
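Michael's point about predictable, automated updates maps to an Intune Windows Update ring. The block below is an added example, not the article's or Microsoft's code: it builds the Graph request body Intune stores for such a ring, with a short quality-update deferral, a hard deadline and grace period, restarts kept outside working hours, and the user pause option disabled. Property and type names follow the Microsoft Graph windowsUpdateForBusinessConfiguration resource as I know it; confirm them against the current Graph reference before use. The deferral, deadline and active-hour values are assumptions.

```powershell
# Added example (not from the article or Microsoft): an Intune "Windows Update ring"
# expressed as the Graph body Intune stores. Property names are taken from the
# Microsoft Graph windowsUpdateForBusinessConfiguration type (verify against the
# current reference). Deferral days, deadlines and hours below are assumptions.

function New-UpdateRingBody {
    param(
        [string] $Name = 'Workstations - predictable patching',
        [int] $QualityDeferralDays = 3,      # let first-day reports of a bad patch surface
        [int] $FeatureDeferralDays = 30,
        [int] $DeadlineDays        = 5,      # quality updates must install within 5 days of offer
        [int] $GraceDays           = 2,      # then 2 more days before a forced restart
        [string] $ActiveHoursStart = '07:00:00.0000000',
        [string] $ActiveHoursEnd   = '19:00:00.0000000'
    )
    @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Name
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        deadlineForQualityUpdatesInDays    = $DeadlineDays
        deadlineForFeatureUpdatesInDays    = $DeadlineDays + 2
        deadlineGracePeriodInDays          = $GraceDays
        postponeRebootUntilAfterDeadline   = $true      # no surprise reboots inside the deadline window
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        userPauseAccess                    = 'disabled'  # weak setting: 'enabled' lets a user pause for weeks
        installationSchedule = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = $ActiveHoursStart   # restarts land outside 07:00-19:00
            activeHoursEnd   = $ActiveHoursEnd
        }
    }
}

# Preview the JSON Intune will receive.
New-UpdateRingBody | ConvertTo-Json -Depth 5

# To create it (requires the Microsoft.Graph.Authentication module and an account or app
# holding DeviceManagementConfiguration.ReadWrite.All):
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# Invoke-MgGraphRequest -Method POST `
#     -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
#     -Body (New-UpdateRingBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
# Then assign the ring to a pilot device group first, and to everyone else once a cycle has passed cleanly.
```

The combination that makes the schedule predictable is the deadline plus grace period plus active hours: users see a clear date, nothing restarts during the working day, and the pause button is gone, which is what removes the "I'll do it next week" exposure Michael mentions.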


How can organizations in Microsoft environments use their existing security tools to improve cybersecurity—and how does Pondurance MDR help organizations optimize these tools? 


Michael: First of all, there’s Microsoft 365 (M365) Defender, which has many features to increase cybersecurity resilience. These capabilities include blocking emails with foreign character sets and emails from known malicious senders; removing scripts and other executable code from emails; and blocking any attachment types that aren’t necessary for users to receive in an email (like EXE, IMG, DMG, and SVG files—all of which are routinely used in attacks).


Pondurance continually watches for new threat intelligence, advising customers on new file types to block, new features which can be turned on, and other information about how to configure Office 365/Microsoft 365 and M365 Defender for the best security while still allowing users to get their work done. 


Second is Microsoft Defender XDR, which requires ongoing maintenance and configuration—the days of “set it and forget it” endpoint defenses are long gone. As new forms of attacks are discovered, new ways to use existing attacks emerge, and the way we use endpoints themselves changes, configuration and settings for Defender XDR must also be updated. For example, file junction points—long seen as a safe and normal part of Windows—are now considered to be too dangerous to allow unrestricted use.


Pondurance can advise on and even assist in the configuration of Defender XDR over time. Threat research, lessons learned from incident response operations, and what Pondurance currently assists our customers with all contribute to how we can help make sure Defender XDR is working at its best.


Finally, organizations using Entra ID alone, or in a hybrid configuration with on-premises Active Directory, can take advantage of native features like multi-factor authentication (MFA), single sign-on (SSO), and user application portals. Entra ID can work with third-party tools that offer these features. However, many organizations don’t know that much of this functionality is already available to them with their Entra ID licensing. 


Using Entra ID to its fullest also allows MDR providers like Pondurance to monitor identity use (and misuse) in near-real-time, and to take actions such as locking accounts and resetting credentials when unusual or outright malicious activity is discovered. 
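The email controls Michael lists (blocking attachment types such as EXE, IMG, DMG and SVG, blocking foreign character sets, and blocking known malicious senders) are all a few Exchange Online PowerShell cmdlets. The block below is an added example, not the article's or Pondurance's code, showing those controls together with the check that confirms they are actually in force. It needs the ExchangeOnlineManagement module and a Connect-ExchangeOnline session. The extension list beyond the four the article names, the language list and the sample sender entry are assumptions.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not from the article): Defender for Office 365 / Exchange Online controls
# described above, as the cmdlets an admin runs. Lists below are assumptions.
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Attachment types users have no business receiving by mail. EXE, IMG, DMG and SVG come
#    from the article; the rest are common additions for a midmarket tenant (assumed).
$RiskyExtensions = @('exe','img','dmg','svg','iso','lnk','vbs','vbe','js','jse','hta','scr','msi','bat','cmd','ps1')

function Set-RiskyAttachmentBlocking {
    # Defender's common-attachments filter quarantines by file type in the malware policy...
    Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true -FileTypes $RiskyExtensions
    # ...and a mail flow rule rejects them even if that policy is later weakened or re-scoped.
    if (-not (Get-TransportRule -Identity 'Reject risky attachment types' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Reject risky attachment types' `
            -AttachmentExtensionMatchesWords $RiskyExtensions `
            -RejectMessageReasonText 'Attachment type is not accepted by mail. Use the file share instead.' `
            -Priority 0
    }
}

# 2. Language-based blocking (the "foreign character sets" control): reject mail whose content
#    language is one the organization never corresponds in. The list is an assumption.
function Set-LanguageBlocking {
    Set-HostedContentFilterPolicy -Identity 'Default' `
        -EnableLanguageBlockList $true -LanguageBlockList @('ru','zh-cn','ko')
}

# 3. Known-bad senders go in the Tenant Allow/Block List, which overrides user safe-sender lists.
function Block-KnownBadSenders {
    param([string[]] $Entries)
    New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Entries -NoExpiration
}

# 4. Verify what is actually in force; repeat this check after every policy change.
function Get-MailHardeningStatus {
    $malware = Get-MalwareFilterPolicy -Identity 'Default'
    $spam    = Get-HostedContentFilterPolicy -Identity 'Default'
    [pscustomobject]@{
        FileFilterEnabled = $malware.EnableFileFilter
        FileTypesBlocked  = ($malware.FileTypes -join ',')
        LanguageBlockOn   = $spam.EnableLanguageBlockList
        TransportRule     = (Get-TransportRule -Identity 'Reject risky attachment types' -ErrorAction SilentlyContinue).State
        BlockedSenders    = @(Get-TenantAllowBlockListItems -ListType Sender -Block).Count
    }
}

# Set-RiskyAttachmentBlocking
# Set-LanguageBlocking
# Block-KnownBadSenders -Entries @('billing@invoice-portal.example')   # constructed sample entry
# Get-MailHardeningStatus
```

The belt-and-braces pairing in step 1 is deliberate: the malware policy's file filter is what Defender documents, but a transport rule at priority 0 still rejects the attachment if someone later scopes the policy to a subset of users or turns the filter off while troubleshooting.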
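On the Entra ID side, the MFA capability Michael says many organizations already own is enforced through Conditional Access. The block below is an added example, not the article's or Microsoft's code: two policies that close the paths business email compromise usually takes, MFA for every user and application, and a block on legacy protocols that cannot do MFA and are where reused passwords get replayed. It uses the Microsoft.Graph PowerShell SDK; the break-glass group id and policy names are placeholders. Both policies start in report-only mode so the sign-in log shows who would be affected before anything is enforced.

```powershell
# Added example (not from the article or Microsoft): two Entra ID Conditional Access
# policies via the Microsoft.Graph SDK. Group id and names are placeholders.
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

function New-CaPolicyBody {
    param(
        [string]   $Name,
        [string[]] $ClientAppTypes,
        [string]   $Control,          # 'mfa' or 'block'
        [string]   $State = 'enabledForReportingButNotEnforced'
    )
    @{
        displayName = $Name
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = @($Control) }
    }
}

# Policy 1: MFA for every user, every app, every modern client, so a reused password alone is not enough.
$RequireMfa = New-CaPolicyBody -Name 'CA001 Require MFA for all users' `
                -ClientAppTypes @('browser','mobileAppsAndDesktopClients') -Control 'mfa'

# Policy 2: block legacy authentication (IMAP, POP, SMTP AUTH, basic-auth ActiveSync), which
# bypasses MFA entirely and is the usual way a stolen password gets replayed.
$BlockLegacy = New-CaPolicyBody -Name 'CA002 Block legacy authentication' `
                -ClientAppTypes @('exchangeActiveSync','other') -Control 'block'

# Create in report-only mode, review the "Report-only" tab of the sign-in logs, then enable:
# New-MgIdentityConditionalAccessPolicy -BodyParameter $RequireMfa
# New-MgIdentityConditionalAccessPolicy -BodyParameter $BlockLegacy
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State 'enabled'

# Check: which policies are still not enforced, and whether legacy auth is blocked at all.
function Get-CaCoverage {
    $policies = @(Get-MgIdentityConditionalAccessPolicy)
    [pscustomobject]@{
        Total         = $policies.Count
        NotEnforced   = (($policies | Where-Object State -ne 'enabled').DisplayName -join '; ')
        LegacyBlocked = [bool]($policies | Where-Object {
                            $_.State -eq 'enabled' -and
                            $_.GrantControls.BuiltInControls -contains 'block' -and
                            $_.Conditions.ClientAppTypes -contains 'other' })
    }
}
# Get-CaCoverage
```

Excluding an emergency-access group is not optional: a tenant-wide MFA or block policy with no exclusion can lock out every administrator if the MFA provider or the device registration path has a bad day. The Get-CaCoverage check is the one to run before telling an MDR provider that MFA is "on"; a policy sitting in report-only mode for six months counts as off.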


What is your primary takeaway for midmarket organizations that rely on Microsoft tools to run their business?


Michael: Windows and Office 365/Microsoft 365 are foundational tools for most organizations, and they are not inherently the problem. Risk increases when tools are misconfigured or not configured, updates are delayed, processes are inconsistent, or users are afraid to speak up when an inevitable mistake occurs.

Organizations in Microsoft environments that effectively use their available security tools, focus on keeping systems current, and encourage early reporting of security incidents are far better positioned to avoid or limit the impact of cyber threats.


Defend your Microsoft environment against malicious attackers with Pondurance MDR. Get the solution guide.


Michael DeNapoli is a seasoned Senior Solutions Architect with more than 25 years of experience in cybersecurity, solution architecture, and enterprise systems design. Throughout his career, he has led technical strategy, security architecture, and advanced solution development for organizations ranging from emerging security vendors to global enterprises. Michael’s expertise spans cybersecurity operations, cloud architecture, technical sales leadership, security posture management, and identity protection, with a proven track record of guiding clients through complex technology challenges. Today, he brings his deep industry knowledge to Pondurance as a Senior Solutions Architect, helping organizations strengthen their security foundations with clarity and confidence.
