Confidentiality notice: The client's name and all identifying details have been changed to protect confidentiality. "NordLog" is a pseudonym. Metrics and findings are accurate and representative of the actual engagement.

The Challenge

When NordLog's IT manager first reached out, he was direct: "We've grown from 60 to 200 employees in four years. Our Microsoft 365 tenant has been running on autopilot the whole time. I don't know what's in there, and that's starting to worry me."

NordLog is a mid-size logistics and freight coordination company headquartered in northern Europe. They coordinate road and intermodal shipments across eight countries, relying heavily on Microsoft 365 for email, document management, and cross-border team collaboration. With a lean IT team of two people managing 200 users, security had never been formally reviewed — they had launched with a reseller-provisioned tenant and default settings, then simply kept adding users as the business grew.

The trigger for the engagement wasn't a breach. It was a compliance question from a new enterprise customer that asked NordLog to complete a vendor security questionnaire. Questions about MFA enforcement, audit logging, and data loss prevention left the IT manager with uncomfortable blanks to fill in.

We ran a full Microsoft 365 security audit over five days. What we found was not unusual — it's what we see in the majority of fast-growing SMB tenants. But the severity of the combined exposure was significant.

Starting Secure Score: 28%. Industry median for similar organizations is approximately 45–55%. NordLog was well below that floor.

The Assessment — What We Found

The audit covered all core M365 workloads: Exchange Online, SharePoint Online, OneDrive, Teams, Entra ID (Azure AD), Microsoft Purview, and the Microsoft Defender portal. We used a combination of the Microsoft Secure Score dashboard, PowerShell scripts against the Microsoft Graph API, and manual review of the admin centers. Here are the ten findings, ordered by severity.

Finding 1: MFA Not Enforced — Only 12% of Users Had It Enabled (Severity: Critical)

Of 200 active user accounts, only 24 had multi-factor authentication enabled — and all of those were self-enrolled by technically-minded staff, not required by policy. The remaining 176 users, including four members of the leadership team, authenticated with username and password alone.

The two Global Administrator accounts — both used for daily email and Office tasks — had no MFA on one account and SMS-based MFA on the other. SMS-based MFA is vulnerable to SIM-swap attacks and does not meet modern security baselines.

Microsoft's own data shows that MFA blocks 99.22% of automated account compromise attacks. With 88% of a 200-person organization exposed to credential stuffing and phishing with no second factor, a single successful attack could hand an attacker full access to a mailbox — or worse, the entire tenant if that user happened to be an administrator.

# Check MFA status across all users (Microsoft Graph PowerShell)
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "User.Read.All"

# Id must be selected explicitly when -Property is used, because it is needed for the per-user lookup
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName

# A foreach statement cannot be piped directly, so collect its output first
$report = foreach ($user in $users) {
    # Every account carries the password method; any additional method means a second factor is registered
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
    $hasMFA = $methods.Count -gt 1
    [PSCustomObject]@{
        Name     = $user.DisplayName
        UPN      = $user.UserPrincipalName
        MFAReady = $hasMFA
    }
}
$report | Export-Csv mfa-audit.csv -NoTypeInformation

Finding 2: Legacy Authentication Protocols Still Enabled (Severity: Critical)

Basic Auth for IMAP and POP3 was active across the tenant. Reviewing the Entra ID sign-in logs for the prior 30 days revealed 47 successful IMAP logins from non-company IP addresses — some from regions where NordLog has no operations. These connections appeared to be automated tools polling mailboxes, not human logins.

Legacy authentication protocols cannot support MFA. This means that even if every user had MFA enabled, an attacker with a valid credential could still authenticate directly via IMAP and bypass every security control in place. Three shared department mailboxes (logistics@, dispatch@, operations@) were the primary offenders, accessed by staff using older Outlook versions and mobile mail clients that had never been updated to OAuth-based authentication.

The combination of legacy auth still active plus near-zero MFA enrollment represented the single highest-risk exposure in the entire tenant.
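The sign-in log review described above, as an added example that is not one of the engagement's own scripts: it pulls the last 30 days of successful sign-ins from the Entra ID sign-in log through Microsoft Graph PowerShell, keeps only the legacy client protocols, groups them by user, protocol and source, and then asks Exchange Online which mailboxes still accept IMAP or POP at the protocol level. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the tenant is licensed for the sign-in log API (Entra ID P1 or higher); the list of legacy client app names is the set Entra ID reports and is an assumption of this example.

```powershell
# Added example, not from the original report: legacy-auth sign-ins and mailbox protocol status
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# Client app names Entra ID uses for non-modern (legacy) authentication
$legacyApps = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients")

# Graph filter: successful sign-ins (errorCode 0) in the last 30 days; the datetime literal is unquoted
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0"

# Filter to legacy protocols client-side and summarise per user and protocol
$summary = $signIns |
    Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [PSCustomObject]@{
            User      = $_.Group[0].UserPrincipalName
            Protocol  = $_.Group[0].ClientAppUsed
            SignIns   = $_.Count
            SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ", "
            Countries = ($_.Group.Location.CountryOrRegion | Sort-Object -Unique) -join ", "
        }
    } | Sort-Object SignIns -Descending

$summary | Format-Table -AutoSize

# Tenant-level basic auth policy (if any) and the mailboxes that still have IMAP/POP switched on
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-AuthenticationPolicy | Select-Object Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthActiveSync

Get-EXOCASMailbox -ResultSize Unlimited -Properties ImapEnabled, PopEnabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
```

Countries that appear in the Countries column but not in the company's operating footprint are the rows to investigate first. Once a mailbox's clients have been moved to OAuth, `Set-CASMailbox -Identity <address> -ImapEnabled $false -PopEnabled $false` turns the protocols off for that mailbox even before the tenant-wide Conditional Access block is enforced.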

Finding 3: No Conditional Access Policies Configured (Severity: Critical)

The Conditional Access policies section in Entra ID was completely empty. Zero policies. The tenant was running on Security Defaults — Microsoft's baseline protection layer, which enforces MFA for admin accounts and blocks legacy auth on a delayed schedule. But Security Defaults provide no granular control: no device compliance requirements, no location-based restrictions, no sign-in risk detection, no session lifetime controls.

For a company operating across eight countries with staff accessing Microsoft 365 from a mix of personal and corporate devices, the absence of Conditional Access meant there was no mechanism to require managed devices, block logins from high-risk countries, or enforce re-authentication after a period of inactivity. A session cookie stolen via phishing would remain valid indefinitely.

Finding 4: Global Admin Accounts Used for Daily Work (Severity: Critical)

The tenant had two Global Administrator accounts. Both belonged to the IT manager and the managing director, and both were their primary accounts — used for email, Teams calls, and browsing the web. Neither account had a separate dedicated admin identity.

This is one of the most dangerous configurations we encounter. Every email opened, every link clicked, and every file downloaded on those accounts happens under Global Admin privileges. A single successful spear-phishing attack on the IT manager's account would give the attacker complete, irreversible control of the entire tenant: the ability to create new admin accounts, disable security policies, exfiltrate all email, and delete every user.

# Audit Global Administrator role members
# SignInActivity is only returned with the AuditLog.Read.All scope (and needs an Entra ID P1 or higher license)
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

# Get-MgDirectoryRole lists activated roles only; Global Administrator is always activated
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
  ForEach-Object {
    Get-MgUser -UserId $_.Id -Property DisplayName,UserPrincipalName,SignInActivity
  } | Select-Object DisplayName, UserPrincipalName, @{N="LastSignIn";E={$_.SignInActivity.LastSignInDateTime}}

Running the above revealed both Global Admins had daily sign-in activity — confirming these accounts were in active, routine use, not reserved for administrative tasks.

Finding 5: Unified Audit Logging Disabled in Exchange Online (Severity: High)

Unified Audit Logging was turned off. The tenant had been provisioned several years prior, before Microsoft made audit logging enabled by default for new tenants. At the time of our assessment, no mailbox activity, admin actions, file accesses, or sign-in events had been logged in the Purview audit trail.

This finding has two direct consequences. First, if an incident had already occurred — an account compromise, a data leak, an insider threat — there would be no forensic evidence to investigate. Second, the vendor security questionnaire NordLog needed to complete specifically asked about audit log retention and incident response capabilities. The honest answer would have been: we have none.

# Check and enable Unified Audit Logging
Connect-ExchangeOnline

# Check current state
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Enable if off
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Finding 6: SharePoint External Sharing Set to "Anyone" (Severity: High)

The SharePoint Online sharing policy was configured at the most permissive level: "Anyone — users can share files and folders using links that don't require sign-in." This is the default for some licensing tiers and had never been reviewed.

A spot audit of sharing links across the three most active SharePoint sites found 34 active "Anyone" links — some pointing to folders containing carrier rate cards, client shipment records, and supplier contracts. Several of these links had no expiration date and had been created years earlier. There was no way to determine who had accessed them or how many times.

For a logistics company handling commercially sensitive freight pricing and client logistics data, unrestricted anonymous sharing represented a significant confidentiality risk — and a potential liability under GDPR if any of those documents contained personal data.

Finding 7: No Data Loss Prevention Policies (Severity: High)

Microsoft Purview Data Loss Prevention had never been configured. No policies existed for email, SharePoint, OneDrive, or Teams. This meant sensitive data — bank account details in invoice emails, personal identification numbers in HR documents, client contract terms in SharePoint libraries — could be freely emailed externally, shared via link, or forwarded to personal accounts with no detection, no alert, and no block.

During the assessment, we performed a test scan of SharePoint and OneDrive using the Purview content explorer. It surfaced 218 files containing what appeared to be EU national identification numbers, 94 files with IBAN bank account numbers, and 31 files with data patterns matching passport numbers. None of this data was labeled, protected, or access-controlled beyond basic SharePoint site permissions.

Finding 8: All 200 Users on Business Basic — No Defender for Office 365 (Severity: High)

Every licensed user in the tenant was on Microsoft 365 Business Basic — the entry-level plan at €6/user/month. This license tier does not include Microsoft Defender for Office 365 Plan 1, which provides Safe Links (real-time URL detonation), Safe Attachments (sandboxed email attachment scanning), and anti-phishing policies with impersonation protection.

Without Defender for Office 365, every malicious link in an email goes unscanned. Every weaponized PDF or macro-enabled Office document is delivered directly to the user's inbox. NordLog was processing a high volume of external email — carrier confirmations, customs documentation, supplier invoices — exactly the document types most commonly used as phishing lures in logistics sector attacks.

The licensing gap also meant no access to Conditional Access (requires Entra ID P1, included in Business Premium), no Intune device management, and no Microsoft Purview Information Protection features beyond basic labeling.

Finding 9: DKIM and DMARC Not Configured (Severity: High)

NordLog had an SPF record in DNS — but it was the only email authentication layer in place. DKIM signing was not enabled in Exchange Online, and there was no DMARC record published for their domain.

The consequence: anyone could send an email appearing to come from any @nordlog-domain.eu address, and it would be delivered to recipients with no authentication failure. For a logistics company, this is a direct invoice fraud enablement. Business Email Compromise attacks frequently target the accounts payable and operations teams at logistics firms — spoofing a carrier or supplier address to redirect a payment. Without DMARC at p=reject, there is no technical mechanism to stop it.

We verified this with a test: using a mail testing tool, we were able to send a spoofed email that appeared to originate from the IT manager's address. It passed SPF (SPF is evaluated against the envelope sender, so a third party using its own envelope domain passes; only DMARC's alignment check ties that result to the From address the recipient sees), was delivered to an external mailbox, and showed no warnings in Outlook.

Finding 10: Shared Mailboxes with Direct Login Passwords (Severity: Medium)

NordLog had six shared mailboxes (logistics, dispatch, operations, hr, finance, and reception). All six had been converted from regular user mailboxes when the roles they represented became team functions rather than individual ones. All six still had active user passwords assigned — meaning they could be logged into directly as a user account, bypassing the standard delegation model.

Shared mailboxes should not have active passwords. They should be accessed only via delegation from licensed user accounts. Shared mailboxes with active passwords are invisible in most MFA reports, often excluded from Conditional Access policies, and frequently forgotten in offboarding processes — making them a persistent, low-visibility attack vector.

We also found that two former employees who had left the company eight months prior still had delegation access to the finance shared mailbox. Their user accounts had been disabled (good), but their mailbox permissions had never been revoked.
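The stale-delegation check behind this finding, as an added example rather than the engagement's own script: it lists every FullAccess and SendAs delegate on each shared mailbox, looks each delegate up in Entra ID, and flags the ones whose account is disabled or no longer exists. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, and that delegates are reported by user principal name (a delegate that is a security group is not a user and shows up as stale; handle those separately).

```powershell
# Added example, not from the original report: find shared-mailbox delegates whose account is gone or disabled
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.Read.All"

$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # Explicit FullAccess grants (skip the mailbox's own SELF entry and inherited defaults)
    $full = Get-EXOMailboxPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and $_.User -ne "NT AUTHORITY\SELF" } |
        ForEach-Object { [PSCustomObject]@{ Right = "FullAccess"; Delegate = $_.User } }

    # SendAs grants live on the recipient, not the mailbox permission list
    $sendAs = Get-EXORecipientPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains "SendAs" -and $_.Trustee -ne "NT AUTHORITY\SELF" } |
        ForEach-Object { [PSCustomObject]@{ Right = "SendAs"; Delegate = $_.Trustee } }

    foreach ($d in @($full) + @($sendAs)) {
        # A delegate that cannot be resolved (deleted user, or a group) is treated as stale for review
        $acct = Get-MgUser -UserId $d.Delegate -Property AccountEnabled -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Right    = $d.Right
            Delegate = $d.Delegate
            Enabled  = $(if ($acct) { $acct.AccountEnabled } else { $null })
            Stale    = (-not $acct) -or (-not $acct.AccountEnabled)
        }
    }
}

$report | Sort-Object Stale -Descending | Format-Table -AutoSize

# Revoke the stale grants once the list has been reviewed (kept commented so the script is read-only by default)
# $report | Where-Object Stale | ForEach-Object {
#     if ($_.Right -eq "FullAccess") {
#         Remove-MailboxPermission -Identity $_.Mailbox -User $_.Delegate -AccessRights FullAccess -Confirm:$false
#     } else {
#         Remove-RecipientPermission -Identity $_.Mailbox -Trustee $_.Delegate -AccessRights SendAs -Confirm:$false
#     }
# }
```

A disabled account still holding FullAccess is exactly the case found here: the offboarding step that disables sign-in does nothing to the mailbox permission, so the grant survives until someone removes it, and it would be reactivated the moment the account were re-enabled.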

The Approach — Phased 30-Day Remediation

Rather than attempting to fix everything simultaneously — which would have caused service disruption and user confusion — we structured the remediation into four weekly phases, prioritized by severity and dependencies. Findings 1–3 were prerequisites for everything else: there was no point hardening SharePoint while the identity layer was unprotected.

Week 1: Identity Foundation

The first priority was establishing a secure identity baseline before any other work. We began by creating two dedicated cloud-only Global Administrator accounts with distinct credentials, separate from the IT manager and MD's daily accounts. These admin-only accounts were given hardware FIDO2 security keys (YubiKey 5 NFC) and excluded from all user-facing Conditional Access policies through a named exclusion group. A break-glass emergency access account was also created, credentials printed and stored in a physical safe.

We then enrolled all 200 users in Microsoft Authenticator using a phased rollout: we pre-registered the app via the MyStaff portal and used a targeted Conditional Access policy in report-only mode to identify which users would be blocked before switching to enforcement. After a three-day observation period, we activated enforcement. MFA adoption went from 12% to 100% over 72 hours, with a help desk queue of 14 support requests — mostly users who needed help setting up the Authenticator app on a new device.

Legacy authentication was disabled using a dedicated Conditional Access policy targeting all cloud apps, blocking all Exchange ActiveSync and legacy authentication client types. The three shared department mailboxes that had been using IMAP were migrated to modern authentication via updated Outlook desktop clients and Outlook Mobile. One department had a legacy third-party application connecting via POP3 — we worked with the vendor to configure OAuth-based access before disabling the protocol.

Week 2: Access Control and Governance

With the identity layer secured, Week 2 focused on deploying a proper Conditional Access policy set and addressing the Global Admin over-use finding. We deployed three Conditional Access policies:

  1. Require MFA for all users, all cloud apps — Applies to all 200 users. Excludes the break-glass account. Uses Microsoft Authenticator (push notification) or FIDO2 as acceptable methods.
  2. Block legacy authentication — Blocks all legacy auth client types across all apps for all users, no exceptions.
  3. Require phishing-resistant MFA for admin roles — Applied specifically to the Global Administrator, Exchange Administrator, and SharePoint Administrator roles. Requires FIDO2 hardware key — no other method accepted for admin sign-ins.
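The three policies above, as an added example created through the Microsoft Graph PowerShell SDK (this is not the engagement's own deployment script). All three are created in report-only mode so their effect can be observed before enforcement, matching the approach described in Week 1. The example assumes Entra ID P1 licensing, a group named CA-Exclusion-BreakGlass that holds the emergency access account, and that the built-in "Phishing-resistant MFA" authentication strength exists in the tenant; role template IDs are looked up by display name rather than hard-coded.

```powershell
# Added example, not from the original report: the three Conditional Access policies in report-only mode
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "Group.Read.All"

# Placeholder group name: the group that contains the break-glass account(s)
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclusion-BreakGlass'"
if (-not $breakGlassGroup) { throw "Create the break-glass exclusion group before deploying policies" }

# Role template IDs are identical in every tenant, but resolving them by name avoids typos
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @("Global Administrator", "Exchange Administrator", "SharePoint Administrator") } |
    Select-Object -ExpandProperty Id

# Built-in authentication strength that admits only FIDO2, Windows Hello for Business and certificate-based auth
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$reportOnly = "enabledForReportingButNotEnforced"

$policies = @(
    @{
        displayName   = "CA01 - Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        # No exclusions: the break-glass account must never depend on a legacy protocol
        displayName   = "CA02 - Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All") }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA03 - Require phishing-resistant MFA for admin roles"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = @($adminRoleIds); excludeGroups = @($breakGlassGroup.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistant.Id } }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}
```

After the observation period, each policy is switched on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. Because CA03 targets roles rather than named accounts, the dedicated admin identities created in Week 1 fall under it automatically, and so does any account later added to one of those roles.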

The IT manager and MD were assigned their appropriate least-privilege roles for daily tasks: the IT manager received Exchange Administrator and User Administrator roles on his primary account; the MD received no admin role on his primary account (it was not needed). Both were added as eligible — not active — Global Administrators through Entra ID Privileged Identity Management (PIM), enabled under the new Business Premium licensing.

Audit logging was enabled in the first hour of Week 2, establishing a clean forensic baseline going forward.

Week 3: Data and Email Security

Week 3 addressed the data exposure and email authentication findings. We enabled DKIM signing in Exchange Online and published the two required CNAME records in DNS. We then deployed a DMARC record at p=none to begin collecting aggregate reports, with a planned progression to p=quarantine after two weeks of clean report review.

# DMARC record published at DNS — initial monitoring phase
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

# Target state (moved to enforcement after 14 days of clean aggregate reports)
v=DMARC1; p=reject; rua=mailto:[email protected]; sp=reject; adkim=s; aspf=s
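The DKIM enablement and DNS verification for this step, as an added example and not the engagement's own script: it creates the DKIM signing configuration if needed, reads the two CNAME targets Exchange Online expects, checks that they resolve before turning signing on (enabling DKIM before the CNAMEs exist signs outbound mail with a key recipients cannot fetch), and then parses the published DMARC record to report its enforcement level. It assumes the ExchangeOnlineManagement module and the Windows Resolve-DnsName cmdlet, and uses the page's pseudonymous domain as a placeholder.

```powershell
# Added example, not from the original report: enable DKIM safely and inspect the DMARC policy
$domain = "nordlog-domain.eu"   # placeholder: substitute the accepted domain being configured
Connect-ExchangeOnline

# Create the DKIM config (disabled) if it does not exist yet, then read the expected CNAME targets
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
$expected = @{
    "selector1._domainkey.$domain" = $dkim.Selector1CNAME
    "selector2._domainkey.$domain" = $dkim.Selector2CNAME
}

# Verify both CNAMEs resolve to exactly what Exchange Online expects
$ready = $true
foreach ($name in $expected.Keys) {
    $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue).NameHost
    $ok = ($cname -eq $expected[$name])
    if (-not $ok) { $ready = $false }
    "{0,-45} {1}" -f $name, $(if ($ok) { "OK -> $cname" } else { "MISSING or wrong (expected $($expected[$name]))" })
}

# Only switch signing on once DNS is in place
if ($ready -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
}

# DMARC: fetch the TXT record and split it into tag=value pairs
$txt = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
if (-not $txt) {
    "No DMARC record published for $domain"
} else {
    $tags = @{}
    foreach ($pair in ($txt -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    "DMARC: p=$($tags['p']) sp=$($tags['sp']) adkim=$($tags['adkim']) aspf=$($tags['aspf']) rua=$($tags['rua'])"
    if ($tags['p'] -ne 'reject') {
        "Policy is not p=reject: spoofed mail from $domain is still delivered (p=none) or only quarantined"
    }
}
```

Run against the monitoring-phase record above, the script reports p=none and warns; against the target record it reports p=reject with strict alignment and stays quiet. Keeping rua in the record through both phases is what makes the two-week review of aggregate reports possible.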

SharePoint external sharing was restricted from "Anyone" to "New and existing guests" — meaning shared links now require recipient sign-in. All 34 existing anonymous sharing links were audited and either expired manually or converted to authenticated links where still needed. Link expiration was set to 30 days maximum for all new external shares.
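The tenant-level sharing change, as an added example (not the engagement's own commands) using the SharePoint Online Management Shell: it records the current sharing settings, applies the "New and existing guests" level with a 30-day guest expiry, and lists any site whose own setting is still at the "Anyone" level. The admin URL is a placeholder.

```powershell
# Added example, not from the original report: restrict tenant-wide external sharing
$adminUrl = "https://TENANT-admin.sharepoint.com"   # placeholder: the tenant's SharePoint admin URL
Connect-SPOService -Url $adminUrl

# Capture the before state for the audit record
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays
$before | Format-List

# SharingCapability levels, most to least permissive:
#   ExternalUserAndGuestSharing     = "Anyone" (anonymous links allowed)
#   ExternalUserSharingOnly         = "New and existing guests" (recipient must sign in)
#   ExistingExternalUserSharingOnly = "Existing guests" only
#   Disabled                        = internal only
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Site-level settings can be tighter than the tenant but never looser; list sites still configured for "Anyone"
# so the per-site setting can be lowered and their existing anonymous links reviewed
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Setting DefaultSharingLinkType to Internal means the link a user gets from the Share dialog defaults to people already in the organization; sharing with a guest then has to be a deliberate choice rather than the path of least resistance.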

Three DLP policies were deployed in Microsoft Purview, initially in test mode:

  • Financial data policy — detects IBAN numbers, credit card numbers, and EU tax identification numbers in email, SharePoint, and OneDrive
  • Personal data policy — detects EU national ID numbers and passport numbers, aligned with GDPR obligations
  • External email policy — alerts when emails containing detected sensitive data are sent outside the organization's domain

After a five-day test period to tune false-positive rates, the financial data policy was moved to blocking mode for external email (with an override option requiring business justification). The other two policies remained in alert mode, with a review scheduled at 30 days.
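The three policies above, as an added example written with the Security & Compliance PowerShell module (this is not the engagement's own configuration): each policy is created in test mode with notifications, the financial rule carries the external-recipient block and justification override described above, and the final commented line is the switch to enforcement after tuning. The sensitive information type names are Microsoft's built-in types and can be confirmed with Get-DlpSensitiveInformationType; the policy and rule names are this example's own.

```powershell
# Added example, not from the original report: the three Purview DLP policies in test mode
Connect-IPPSSession

# Confirm the built-in sensitive information type names before referencing them
Get-DlpSensitiveInformationType | Where-Object { $_.Name -like "EU *" -or $_.Name -like "*IBAN*" } | Select-Object Name

$locations = @{ ExchangeLocation = "All"; SharePointLocation = "All"; OneDriveLocation = "All" }

# 1. Financial data: IBAN, credit card, EU TIN; block when sent outside the organization, override with justification
New-DlpCompliancePolicy -Name "Financial data" -Mode TestWithNotifications @locations
New-DlpComplianceRule -Name "Financial data - external block" -Policy "Financial data" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                          minCount = "1" },
        @{ Name = "EU Tax Identification Number (TIN)";          minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 2. Personal data: EU national ID and passport numbers; detect and alert only (GDPR scope)
New-DlpCompliancePolicy -Name "Personal data" -Mode TestWithNotifications @locations
New-DlpComplianceRule -Name "Personal data - detect" -Policy "Personal data" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "EU National Identification Number"; minCount = "1" },
        @{ Name = "EU Passport Number";                minCount = "1" }
    ) `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 3. External email: alert when any detected sensitive data leaves the organization by mail
New-DlpCompliancePolicy -Name "External email" -Mode TestWithNotifications -ExchangeLocation All
New-DlpComplianceRule -Name "External email - alert" -Policy "External email" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" },
        @{ Name = "EU National Identification Number";           minCount = "1" },
        @{ Name = "EU Passport Number";                          minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# After the tuning period: turn the financial policy on; its block action is then enforced
# Set-DlpCompliancePolicy -Identity "Financial data" -Mode Enable
```

In TestWithNotifications mode the rule fires, the user sees the policy tip and the incident report is generated, but nothing is blocked; that is what makes the five-day false-positive review possible without interrupting invoice traffic.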

Week 4: Licensing, Shared Mailboxes, and Operationalization

The final week addressed the remaining findings and established ongoing security hygiene processes. All 200 user licenses were upgraded from Business Basic to Microsoft 365 Business Premium — unlocking Defender for Office 365 Plan 1, Entra ID P1 (for Conditional Access and PIM), Intune, and Microsoft Purview Information Protection. Safe Links and Safe Attachments policies were configured in the Defender portal and activated for all users and all email.

The six shared mailboxes were corrected: passwords were removed using PowerShell, sign-in was disabled on the mailbox accounts, and access was re-provisioned cleanly via delegation only. The two former employees with lingering finance mailbox access had their permissions revoked.

# Convert the accounts to shared mailboxes and disable direct sign-in
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

$sharedMailboxes = @("[email protected]","[email protected]",
                     "[email protected]","[email protected]",
                     "[email protected]","[email protected]")

foreach ($mbx in $sharedMailboxes) {
    # Convert to proper shared mailbox (removes license requirement)
    Set-Mailbox -Identity $mbx -Type Shared

    # Disable direct sign-in via Entra ID so the stored password can no longer be used
    $user = Get-MgUser -Filter "userPrincipalName eq '$mbx'"
    if (-not $user) { Write-Warning "No Entra ID user found for $mbx"; continue }
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    Write-Host "Processed: $mbx"
}

We closed the engagement by establishing a monthly security review cadence: the IT manager receives an automated Secure Score report on the first Monday of each month, with a 30-minute review call with Clear365 to assess any score changes, review Purview alert summaries, and address new recommendations. This institutionalizes security as an ongoing practice rather than a one-time project.

The Results

Measured at day 30 from the start of the engagement:

  • 81%: Microsoft Secure Score (up from 28%)
  • 100%: MFA adoption across all 200 users
  • 3: Conditional Access policies deployed
  • 0: Legacy auth sign-ins in final 7 days
  • 34: Anonymous sharing links remediated
  • p=reject: DMARC enforcement status at day 30

The Secure Score improvement from 28% to 81% in 30 days is not unusual when an organization starts from a near-default baseline. Most of the score increase came from a small number of high-weight actions: MFA enforcement, Conditional Access deployment, legacy auth blocking, DKIM/DMARC, and SharePoint sharing restrictions. Each of these carries significant point weight in the Secure Score model because they address the highest-frequency attack vectors.

More meaningfully, NordLog was able to complete the vendor security questionnaire they had been unable to fill out before the engagement. Their new enterprise customer signed the contract the following week.

"I knew things weren't perfect, but seeing all ten findings written out in the audit report was a wake-up call. The most surprising part was how quickly it all got fixed. I expected months of disruption. We had zero service outages, and most users barely noticed anything had changed — except that they now use the Authenticator app."

— IT Manager, NordLog (name withheld)

The full remediation summary by finding:

Finding               | Severity | Before                             | After
----------------------|----------|------------------------------------|-----------------------------------
MFA enforcement       | Critical | 12% of users (voluntary)           | 100% enforced via CA
Legacy authentication | Critical | Enabled (47 IMAP logins/30d)       | Fully disabled, 0 legacy auth
Conditional Access    | Critical | 0 policies                         | 3 active policies deployed
Global Admin usage    | Critical | 2 GA accounts for daily work       | Dedicated admin accounts + PIM
Audit logging         | High     | Disabled                           | Enabled, 1-year retention
SharePoint sharing    | High     | "Anyone" links, no expiry          | Guest auth required, 30d expiry
DLP policies          | High     | None                               | 3 policies (financial + PII + external)
Licensing             | High     | Business Basic (no Defender)       | Business Premium + Defender P1
DKIM / DMARC          | High     | SPF only, no DKIM, no DMARC        | DKIM + DMARC p=reject
Shared mailboxes      | Medium   | 6 mailboxes with active passwords  | Delegation-only, sign-in disabled

Key Takeaways for Other SMBs

NordLog's situation is not unusual. In fact, if your Microsoft 365 tenant was provisioned more than two years ago and has never been formally reviewed, there is a high probability your configuration looks similar. A few patterns worth noting:

Growth hides risk

NordLog's tenant was not negligently managed — it was just never formally reviewed after initial setup. Fast-growing companies add users and workloads quickly, and the security baseline set at day one rarely scales with the organization. An annual security review is not a luxury for a 200-person company. It's a standard operating procedure.

The Critical findings are almost always the same three

In virtually every SMB tenant we audit, the same three Critical findings appear together: no MFA enforcement, legacy authentication enabled, and no Conditional Access policies. These three are not independent — legacy auth defeats MFA, and without Conditional Access you cannot enforce either properly. Fix all three as a unit, not individually.

Secure Score is a useful proxy, but not the goal

Moving from 28% to 81% is meaningful — it reflects genuine security improvements across identity, data, and email. But the goal is not to maximize a score. The goal is to eliminate the highest-probability attack paths. In NordLog's case, the combination of no MFA, legacy auth enabled, and Global Admins used daily represented an existential risk to the business. Those three findings, fixed, were worth far more than any score point.

Licensing is a security decision

The difference between Microsoft 365 Business Basic and Business Premium is approximately €14/user/month. For a 200-person company, that is roughly €2,800/month in additional licensing cost. That cost includes Defender for Office 365 Plan 1 (email sandboxing), Entra ID P1 (Conditional Access, PIM), Intune (device management), and Azure Information Protection. The cost of a single BEC incident — average loss in European logistics sector: €45,000+ according to Europol's 2024 Internet Organised Crime Threat Assessment — exceeds 16 months of the licensing delta for the entire company. This is not a close calculation.

Shared mailboxes are a persistent blind spot

Every SMB we've audited with shared mailboxes has at least one configured incorrectly — usually with an active password, often with stale access permissions from former employees. This is an easy fix that is almost never done. Check yours now: in the Microsoft 365 Admin Center, go to Teams & groups → Shared mailboxes, click each one, and review the Members list for anyone who should no longer have access.

Want Similar Results for Your Tenant?

Book a free 30-minute assessment. We'll review your Microsoft 365 Secure Score, identity configuration, and top exposures — no sales pitch, just practical findings from a certified security architect.
