#NSBCS.077 - How I Learned to Stop Worrying and Love the M365 Secure Score

Source: NSB Cyber

Cyber security can be an incredibly daunting experience for small and medium-sized businesses. With rising cyber threats and evolving compliance demands, many organisations don’t even know where to begin. Fortunately, if you're using Microsoft 365, you may already have access to a powerful, under-utilised tool: the Microsoft Secure Score.

What is the Microsoft Secure Score?

The Microsoft Secure Score is a built-in security analytics tool included with most Microsoft 365 business and enterprise plans (such as Microsoft 365 Business Premium, E3, and E5). It evaluates your organisation’s current security posture and assigns a score – both as a percentage and a raw point value – based on how closely your environment aligns with Microsoft’s recommended security practices.

The score serves as a measurable indicator of your organisation’s overall security health and provides valuable recommended actions to secure your environment. Each recommendation is weighted (typically up to 10 points) and scored based on whether it is fully implemented, partially implemented, or not implemented at all. The score updates daily and reflects real-time changes in your environment.

How It Works

The Microsoft Secure Score dashboard provides your current score, historical trends, and benchmarking against organisations of a similar size. It also provides prioritised recommendations, each with step-by-step implementation guidance, estimated user impact and the expected point increase.

The Microsoft Secure Score evaluates your environment across several critical areas: Identity, Devices, Apps and Data. Many of the advanced security features included in Microsoft 365 business and enterprise plans - such as Microsoft Defender for Business, Conditional Access, Multi-Factor Authentication (MFA), and Microsoft Defender for Office 365 - are directly integrated into the Secure Score.

Despite being readily available, these tools are often under-utilised due to a lack of awareness or configuration complexity. By leveraging the Secure Score, organisations can better understand and act on opportunities to strengthen their security posture.

Why It Matters

The Microsoft Secure Score provides a practical jumping-off point for businesses looking to enhance their cyber security posture. What might have seemed like an overwhelming challenge becomes a more manageable and structured process, using tools that many organisations already have at their disposal.

  • Clear Priorities: Recommendations are ranked by impact and ease of implementation.

  • Measurable Progress: You can track your score over time and demonstrate improvements.

  • Industry Benchmarking: Measure how your security compares to organisations of a similar size.

  • Insurance Benefits: Some cyber insurers consider Secure Score benchmarks in risk assessments, potentially influencing premiums and coverage.

Getting Started

Log into the Microsoft 365 Defender portal and navigate to Secure Score to review your current security posture. Explore the top recommendations and start with high-impact, low-disruption actions - such as enabling MFA or turning on Defender features that run silently in the background.

You don’t need a perfect score. Moving from 40% to 70% can significantly reduce risk with manageable effort. The key is to focus on practical, high-value changes.
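As an added example, not part of the NSB Cyber post: the scoring arithmetic described above, worked through on constructed data shaped like the Microsoft Graph `secureScore` and `secureScoreControlProfile` resources (the field names follow Graph; the control names, point values and impact ratings are invented for illustration). It computes the percentage, the unrealised points per recommendation, and the "high-impact, low-disruption" shortlist that Getting Started recommends as a first pass.

```python
"""Turn Secure Score data into a prioritised backlog (offline, constructed data)."""
# Constructed sample shaped like Graph's `secureScore` resource
# (GET /security/secureScores). Point values are invented for illustration.
SECURE_SCORE = {
    "currentScore": 16.0,
    "maxScore": 33.0,
    "controlScores": [
        {"controlName": "MFARegistrationV2", "score": 10.0, "controlCategory": "Identity"},
        {"controlName": "AdminMFAV2", "score": 4.0, "controlCategory": "Identity"},
        {"controlName": "BlockLegacyAuthentication", "score": 0.0, "controlCategory": "Identity"},
        {"controlName": "SafeLinksPolicy", "score": 2.0, "controlCategory": "Apps"},
    ],
}

# Constructed sample shaped like `secureScoreControlProfile`
# (GET /security/secureScoreControlProfiles), keyed by control name.
CONTROL_PROFILES = {
    "MFARegistrationV2": {"maxScore": 10, "userImpact": "Moderate", "implementationCost": "Low"},
    "AdminMFAV2": {"maxScore": 10, "userImpact": "Low", "implementationCost": "Low"},
    "BlockLegacyAuthentication": {"maxScore": 8, "userImpact": "Moderate", "implementationCost": "Moderate"},
    "SafeLinksPolicy": {"maxScore": 5, "userImpact": "Low", "implementationCost": "Low"},
}

IMPACT_RANK = {"Low": 0, "Moderate": 1, "High": 2}

def score_percentage(secure_score: dict) -> float:
    """The headline figure: points earned as a share of the points available."""
    return round(100.0 * secure_score["currentScore"] / secure_score["maxScore"], 1)

def remaining_points(secure_score: dict, profiles: dict) -> list:
    """Per control: unrealised points and implementation status, biggest gap first."""
    rows = []
    for c in secure_score["controlScores"]:
        prof = profiles[c["controlName"]]
        gap = prof["maxScore"] - c["score"]  # a partially implemented control keeps part of its weight
        status = "Completed" if gap == 0 else ("Not started" if c["score"] == 0 else "Partial")
        rows.append({"control": c["controlName"], "category": c["controlCategory"], "remaining": gap,
                     "status": status, "userImpact": prof["userImpact"], "cost": prof["implementationCost"]})
    return sorted(rows, key=lambda r: (-r["remaining"], r["control"]))

def quick_wins(secure_score: dict, profiles: dict, max_impact: str = "Low") -> list:
    """Open items whose user impact is at or below max_impact: the low-disruption place to start."""
    return [r for r in remaining_points(secure_score, profiles)
            if r["remaining"] > 0 and IMPACT_RANK[r["userImpact"]] <= IMPACT_RANK[max_impact]]

if __name__ == "__main__":
    print(f"Secure Score: {score_percentage(SECURE_SCORE)}%")
    for r in quick_wins(SECURE_SCORE, CONTROL_PROFILES):
        print(f"  +{r['remaining']:g} pts  {r['control']:<26} {r['status']:<12} impact={r['userImpact']}")
```

Raising `max_impact` to "Moderate" widens the shortlist to include controls such as blocking legacy authentication, which carry more points but are likelier to disrupt users and so belong in a later, planned pass.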

The Bottom Line

If you're already paying for the Microsoft 365 productivity suite, utilising the Microsoft Secure Score can be a smart and accessible way to begin strengthening your cybersecurity posture. It offers a clear, tailored roadmap for improvement using tools you likely already have.

However, it's important to understand that a high Secure Score doesn’t guarantee immunity from cyber threats - it simply reflects how closely your setup aligns with Microsoft’s recommended practices. Additionally, some recommended actions may require higher-tier licenses, so not all features will be available to every organisation out of the box.

While the Microsoft Secure Score isn't a silver bullet for cyber security, it's an invaluable starting point for organisations looking to strengthen their security posture without reinventing the wheel - helping them make the most of what they already have by taking No Steps Backwards.



What we read this week

  • Australia Begins New Ransomware Payment Disclosure Rules - Australia has introduced new ransomware payment disclosure rules, effective from late May, requiring all organisations with an annual turnover above AUD $3 million to report ransom payments to the Australian Signals Directorate reporting tool within 72 hours. The report must detail the impact of the cyberattack, the malware variants and vulnerabilities involved, and any information useful for government-led mitigation or response. It must also include specifics such as the ransom demanded and paid, payment methods, negotiation details, and communication timelines with the extortionists. These are the world’s first mandatory ransomware payment reporting rules, and failure to comply may result in civil penalties; however, public sector organisations are exempt. The rules follow the 2024 Cyber Security Bill and align with Australia’s broader goal of becoming a global cybersecurity leader by 2030.

  • Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack - Threat hunters have uncovered a campaign using fake websites mimicking services like Gitcode and DocuSign to trick users into running malicious PowerShell scripts that install NetSupport RAT. Victims are lured through social engineering and prompted to complete fake CAPTCHA checks, which secretly copy a PowerShell command to their clipboard, known as clipboard poisoning. When users paste and run the command, a multi-stage process begins, downloading additional scripts and eventually executing a malicious payload to establish persistence and deploy the RAT. The layered script execution likely aims to bypass security tools and complicate forensic investigations. While the threat actor remains unknown, the infrastructure and tactics resemble those used in previous SocGholish campaigns, and NetSupport RAT itself is a legitimate tool often abused by groups like FIN7 and Storm-0408.

  • ‘Russian Market’ Emerges as a Go-to Shop for Stolen Credentials - The Russian Market has become a leading cybercrime platform for trading stolen credentials, especially following the takedown of the Genesis Market. Despite most credentials being recycled, its popularity has soared due to low prices and the vast range of stolen data, such as session cookies and software-as-a-service (SaaS) credentials. InfoStealer malware logs, often containing passwords, credit card data, and system information, are a major commodity, with 61% of logs including SaaS credentials and 77% containing single sign-on (SSO) data. Lumma stealer previously dominated the market, but after law enforcement disruptions, a new malware called Acreed has quickly emerged, uploading thousands of logs within its first week. These infostealers spread through phishing, malvertising, and fake software promotions, highlighting the importance of cautious online behaviour.

  • Chinese Hacking Group APT41 Exploits Google Calendar to Target Governments - Google has revealed that Chinese state-sponsored group APT41 has been using Google Calendar as a command-and-control channel in recent attacks targeting government entities. In October 2024, APT41 leveraged a compromised government website to deliver the ToughProgress malware via phishing emails containing disguised LNK files, which initiated a multi-stage infection process using process hollowing. The malware created and read Calendar events to exchange encrypted commands and exfiltrate data, making detection more difficult. Google has since taken action by dismantling the group’s infrastructure, blocking malicious content, and alerting affected organisations to aid their response.

  • FBI: Play Ransomware Breached 900 Victims, Including Critical Organisations - As of May 2025, the FBI reports that the Play ransomware group has breached around 900 organisations, affecting businesses and critical infrastructure across the Americas and Europe. The group, active since mid-2022, uses recompiled malware in each attack to evade detection, and has even contacted victims by phone to pressure them into paying ransoms under threat of data leaks. Play affiliates have exploited vulnerabilities in remote monitoring tools like SimpleHelp to gain access, create admin accounts, and implant backdoors with Sliver beacons. Unlike other ransomware operations, Play uses email for ransom negotiations and employs a custom tool to extract files from shadow volume copies. Authorities urge organisations to patch systems regularly, use multi-factor authentication (MFA), and maintain offline backups along with tested recovery plans to defend against future attacks.

