What the WA Government Microsoft 365 Incident Teaches Us About Preventable Breach Paths

Published on 2026-03-12T00:00:00.000Z

What the WA Government Microsoft 365 Incident Teaches Us About Preventable Breach Paths

The Western Australia Office of the Auditor General recently highlighted several weaknesses in Microsoft 365 security controls across state entities.

The outcomes included financial loss through invoice fraud and exposure of sensitive child-related data.

What makes the report interesting isn’t the technology involved. It’s the pattern.

Nothing described in the report represents a novel attack technique. The incident appears to follow a path that security teams see repeatedly in cloud environments: a sequence of individually manageable weaknesses that together form a successful breach chain.

In other words, this wasn’t a catastrophic failure of a single control. It was the quiet accumulation of several small ones.

A familiar cloud attack path

Although the public reporting focuses on outcomes, the control gaps described align closely with a typical Microsoft 365 compromise sequence.

A simplified version of the attack chain looks something like this:

Credential theft ↓ Weak MFA allows login ↓ Attacker registers new MFA method ↓ Mailbox persistence established ↓ Inbox monitoring and rule creation ↓ Invoice fraud or data access

None of these steps require exploiting software vulnerabilities.

They rely on configuration gaps and incomplete security controls.

That distinction matters. It means the breach path is largely preventable.

Where the controls broke down

The Auditor General highlighted several recurring issues across state entities.

Individually, each of these issues is relatively common in large Microsoft 365 environments. Combined, they create multiple viable entry points for attackers.

Phishable MFA methods

Many environments relied on authentication methods such as SMS, voice calls, or email-based codes.

While these satisfy MFA requirements, they remain vulnerable to phishing and social engineering.

Modern identity attacks increasingly target the authentication process itself.

Legacy authentication exposure

Legacy authentication protocols lack support for modern protections such as Conditional Access policies.

If they remain enabled, they often become a bypass path for identity protections.

Weak privileged access controls

Standing administrative privileges increase the impact of identity compromise.

If a compromised identity already holds elevated permissions, attackers gain immediate control over tenant resources.

Limited monitoring and detection

Delayed detection significantly increases breach impact.

In several cases described in the report, suspicious activity indicators were either missed or investigated too slowly.

Detection depth often determines whether an incident becomes a minor security event or a major breach.

Incomplete data protection coverage

Data protection policies were not consistently applied across Microsoft 365 workloads.

Coverage gaps between Exchange, SharePoint, OneDrive, Teams, and Power Platform can create unexpected exfiltration paths.

Why these failures are common

None of these issues reflect missing features in Microsoft 365.

The platform includes mature controls for identity protection, data protection, and threat detection.

What often fails is consistency.

Large environments accumulate configuration drift over time. Temporary exceptions become permanent. Security controls are deployed partially or unevenly across workloads.

Eventually those small gaps align.

Attackers rarely defeat modern cloud security by exploiting the platform.

They succeed by finding the one policy that was never fully enforced.

The practical lesson

The most useful takeaway from the WA findings is simple.

Every likely breach step should map to both:

a preventative control
a detective control

If an attacker can move from credential theft to mailbox persistence without triggering either, the environment likely has control gaps.

Cloud security doesn’t fail because controls are unavailable.

It fails when controls exist but aren’t consistently applied.

Closing thought

Microsoft 365 has evolved into one of the most security-capable enterprise platforms available.

But like most powerful platforms, its effectiveness depends on how consistently its controls are implemented.

The WA findings aren’t unique to government.

They are a reminder that security failures rarely come from a single missing feature.

More often, they emerge from the quiet accumulation of configuration gaps that organisations assumed were already covered.

References

WA Office of the Auditor General. Microsoft 365 Security Controls Across State Entities. https://audit.wa.gov.au/reports-and-publications/reports/microsoft-365-security-controls-state-entities/
Cyber Daily. WA gov Microsoft 365 issues led to $71,000 being stolen and exposure of child data. https://www.cyberdaily.au/security/13308-wa-gov-microsoft-365-issues-led-to-71-000-being-stolen-and-exposure-of-child-data
Computer Weekly. WA auditor flags weak Microsoft 365 security controls across state entities. https://www.computerweekly.com/news/366639954/WA-auditor-flags-weak-Microsoft-365-security-controls-across-state-entities