Skip to content
The Cadarn IT team

How One Stolen Microsoft 365 Login Exposes Client Files

For accountancy practices, one stolen Microsoft 365 login can open client files, tax returns and payroll in SharePoint, plus the email used for fraud.

  • Security
  • Microsoft 365
A Microsoft 365 sign-in screen on a laptop in an accountancy office

Think about everything your practice keeps in Microsoft 365. Client tax returns. Payroll runs. Year-end accounts. Bank details, National Insurance numbers, the lot. Now picture all of that sitting behind a single staff login, and that login being typed into a fake sign-in page during a busy January week.

That is the uncomfortable reality of how a modern practice works. One stolen Microsoft 365 credential is rarely “just a mailbox”. It can be the key to every client file you hold.

How a single login turns into a whole-practice problem

Most attacks on a practice do not start with clever code. They start with a person. A staff member gets a call from someone claiming to be IT support, or clicks a convincing email, and hands over their username and password without realising it.

From there, the attacker works methodically rather than smashing the door down. Reports of these incidents describe a familiar pattern:

  • They chain together password attempts and try to wear down or trick the multi-factor prompt.
  • They abuse the digital tokens that confirm a user is “logged in”, so they look like the real person.
  • They register their own device as a trusted device, giving themselves a quiet way back in.
  • They explore permission levels, looking for a route to go deeper into the cloud tenant.

The frightening part is how normal it all looks. Sign-ins, file downloads, permission changes, storage access: every one of those happens hundreds of times a day in a working practice. By the time anyone notices, thousands of sensitive files can have left the building silently.

Why accountancy practices are a rich target

For an attacker, a small firm of solicitors is interesting. An accountancy practice can be a goldmine.

Once inside a practice tenant, that one login can reach far beyond a single inbox:

  • SharePoint and OneDrive libraries holding client files, tax computations, accounts and supporting documents.
  • Shared mailboxes such as the general practice address, where client correspondence and HMRC messages collect.
  • Payroll and pension records, often with bank details and personal data for clients’ staff as well as your own.
  • The email account itself, which is exactly what is needed to commit invoice fraud and business email compromise.

That last point matters more than people expect. A compromised mailbox lets an attacker watch real conversations about real money, then step in at the right moment with a “change of bank details” message that looks entirely genuine because it comes from your address. We cover that pattern in detail in our piece on invoice fraud and business email compromise.

The forwarding rule you will not notice

One quiet trick deserves its own mention. After getting in, an attacker often sets up a hidden mailbox rule.

It might forward copies of incoming email to an outside address, or quietly move anything mentioning “invoice”, “bank” or “payment” into a folder you never check. The result is that they keep reading your client correspondence even after a password change, and they get early warning if anyone starts asking awkward questions.

Because the rule lives in the background, the staff member sees nothing wrong. Their mailbox looks completely normal. This is why simply resetting a password is not enough on its own. You have to go and look for what was left behind.

The GDPR and ICO side, in plain terms

A practice does not just have a security problem here. It can have a legal duty too.

If an attacker has had access to personal data, client names, addresses, tax affairs, payroll details, and you cannot confidently show otherwise, you may be looking at a notifiable personal data breach under UK GDPR. That comes with a 72 hour clock to assess and, where required, report to the Information Commissioner’s Office.

On top of that, practices are AML-supervised and hold records your professional body and your clients expect you to protect. A credential breach is exactly the kind of incident your insurer and your regulator will ask pointed questions about. Being able to say “we had monitoring, we caught it, here is what we did” is a very different conversation from “we are not sure what they saw”.

What actually keeps one stolen login from cascading

The good news is that the defences are well understood and very achievable for a firm of three to twenty-five people. The aim is simple: make sure one stolen password is an inconvenience, not a catastrophe.

Strong, phishing-resistant MFA

Multi-factor authentication is the single biggest improvement most practices can make. Use an authenticator app or a phishing-resistant method rather than text-message codes, which can be intercepted or phished. MFA belongs on every account, and especially on any account with admin rights or access to sensitive data.

Conditional access and least privilege

Conditional access rules let you say “only sign in from expected places and known devices”, which blocks a lot of opportunistic attacks outright. Least privilege means each person, and each admin account, can only reach what their job needs. If the bookkeeper’s login is stolen, it should not open the whole tenant.

Monitoring you will actually see

Most firms have no alerting for the warning signs: a password reset at an odd hour, a sign-in from an unfamiliar country, a new device enrolling, or a sudden bulk download. Turning on Microsoft 365 audit logging and identity protection, and having someone watching it, is what turns a silent breach into an early catch. Our cyber security and Cyber Essentials work is built around getting these basics switched on and monitored properly.

Fast, clean offboarding

When someone leaves the practice, their access should go promptly and completely, including app passwords and any lingering sessions. Dormant accounts are a favourite hiding place. Tidy offboarding is part of the day-to-day managed IT support that keeps the attack surface small.

Backups you can trust

Finally, keep immutable, offline backups of your Microsoft 365 data. If the worst happens and files are deleted or encrypted, a backup an attacker cannot reach is what gets you back to serving clients.

A sensible next step

None of this requires ripping anything out. It is mostly configuration, good habits and someone keeping an eye on the right signals. For a practice running on Microsoft 365, it is some of the highest-value work you can do.

If you would like an honest, plain-English look at how exposed your practice is right now, we offer a free Practice IT Health Check. We will look at how your logins, file access and email are set up, and tell you straight where one stolen password could do the most damage, and what to fix first.

Frequently asked questions

If one Microsoft 365 login is stolen, are only that person's emails at risk?

No. A practice mailbox is the front door to far more than email. The same login often reaches SharePoint and OneDrive, where client files, tax returns and payroll records live, and it carries the sender's trust for invoice fraud. Treat any compromised login as a potential whole-practice exposure until you have checked the audit logs.

Is a stolen Microsoft 365 login a reportable data breach to the ICO?

It can be. If an attacker has accessed personal client data, or you cannot rule that out, you may have a notifiable personal data breach under UK GDPR, with a 72 hour clock to report to the ICO. Practices also hold AML and tax records, so the bar for taking it seriously is high. Get the incident assessed quickly rather than assuming no harm was done.

Does multi-factor authentication on its own protect a practice?

MFA is essential and stops a large share of attacks, but text-message codes can be intercepted or phished. Pair authenticator app or phishing-resistant MFA with conditional access rules, least privilege and monitoring so that one stolen code does not hand over everything.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.

Book your free Health Check

← Back to all guides

See where your practice's IT really stands

Book a free, no-obligation Practice IT Health Check, a plain-English, 15 to 20 minute review of your backups, security, compliance gaps and cloud-readiness. No jargon, no hard sell.