$421K Stolen in 30 Days. Would Your M365 Setup Have Stopped It?

Most Australian businesses run on Microsoft 365, relying on its built-in security controls to protect their data. You probably do too. But a recent string of breaches across Western Australian government shows that these controls, on their own, are not enough.
How a Single Phishing Attack Led to $71,000 in Fraud
In early March, a threat actor bypassed a senior government officer's SMS-based multifactor authentication through a targeted phishing attack. They registered an unmanaged overseas device, set up hidden email forwarding rules, and monitored financial correspondence for an entire month without detection.
After a month of monitoring, the attacker executed a $71,000 invoice fraud. No alert was raised.
In the same department, missing Data Loss Prevention controls meant sensitive files, including the personal information of minors, were emailed to an unvetted third party. That provider uploaded them to a compromised personal Dropbox account.
Not an Isolated Event
Within weeks, two more incidents confirmed this was not a one-off.
On 25 March, the Western Australian Office of the Auditor General released its latest information systems audit results for local governments. The findings confirmed a persistent pattern of weak access management, inadequate endpoint security, and insufficient log retention across the sector.
Then on 1 April, a local government entity lost approximately $350,000 after a phishing attack allowed a threat actor to alter supplier payment details.
Combined, these incidents represent $421,000 in direct losses within a single month. In every case, the root cause was the same: basic Microsoft 365 security configurations were either missing or misconfigured.
How it Unfolded
Early March 2026 — State government breach: $71K invoice fraud; children's personal data exposed via a compromised Dropbox account. Impact: $71,000 stolen plus a data breach.
25 March 2026 — WA Auditor General audit confirms systemic access management and endpoint security failures across local governments. Impact: sector-wide risk confirmed.
1 April 2026 — Local government entity loses $350K after a phishing attack in which supplier payment details were altered. Impact: $350,000 stolen.

Where the Controls Failed
These were not sophisticated zero-day exploits. They were failures of basic security hygiene, the kind of gaps that exist in more environments than most organisations realise.
The WA Auditor General's findings were direct:
SMS-based MFA on privileged accounts. Easily bypassed through targeted phishing. In the $71,000 case, this single weakness gave the attacker full inbox access for a month.
No Data Loss Prevention controls. Sensitive files, including children's data, were shared externally without a flag being raised.
No device management. An unmanaged overseas device was registered to the environment and used to access data freely.
Insufficient log retention. When investigators attempted to reconstruct the breach timeline, key logs had already expired. The Auditor General recommends retaining logs for a minimum of 18 months.
Organisations across the sector were, in the Auditor General's assessment, repeatedly failing to protect sensitive data, relying on authentication methods that are no longer fit for purpose, and unable to support proper forensic investigation when things went wrong.

What This Means for You
These audit findings are not exclusive to the public sector. Any organisation running Microsoft 365 faces the same reality: the platform provides security tools, but it does not configure them for you, monitor them for you, or respond to threats on your behalf.
The moment sensitive data or financial workflows move through your environment, you carry the risk.
There are four areas that deserve immediate attention:
Adopt phishing-resistant MFA. Move privileged users away from SMS and email-based passcodes. Hardware security keys or authenticator apps are a meaningful step up. In the $71,000 case, this single change would likely have stopped the breach entirely.
Implement Data Loss Prevention. Prevent the unauthorised sharing or synchronisation of sensitive data to personal accounts and unvetted third parties. These policies should be active and enforced, not sitting in a configuration guide.
Enforce device management. Restrict MFA registration and data access to approved, managed devices. If an unmanaged overseas device can register to your environment, your perimeter is not where you think it is.
Extend log retention. Retain logs for at least 18 months to support comprehensive investigation. Without adequate forensic evidence, you are left guessing at what happened and who was affected.
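As an added illustration of the detections the areas above call for (this is example code, not Lumara's tooling or anything from the audit reports), the following Python script scans constructed, simplified audit records for the two behaviours in the breach narrative: sign-ins from unmanaged devices or unexpected countries, and inbox rules that forward mail to an external address and hide the evidence. The field names, domains, countries and sample records are all assumptions chosen for the example.

```python
import json

# Constructed, simplified audit records. The shape only loosely follows an
# M365 Unified Audit Log export; field names here are assumptions, not the
# exact schema. One JSON object per line, as an export often produces.
SAMPLE_LOG = """
{"CreationTime":"2026-03-02T03:14:00","Operation":"UserLoggedIn","UserId":"officer@agency.example","Country":"AU","DeviceManaged":true}
{"CreationTime":"2026-03-03T22:41:00","Operation":"UserLoggedIn","UserId":"officer@agency.example","Country":"XX","DeviceManaged":false}
{"CreationTime":"2026-03-03T22:45:00","Operation":"New-InboxRule","UserId":"officer@agency.example","Parameters":{"Name":".","ForwardTo":"drop@external.example","DeleteMessage":"True","SubjectContainsWords":"invoice;payment"}}
{"CreationTime":"2026-03-04T01:00:00","Operation":"Set-InboxRule","UserId":"finance@agency.example","Parameters":{"Name":"Newsletters","MoveToFolder":"Archive"}}
"""

INTERNAL_DOMAINS = {"agency.example"}   # assumed tenant domain
ALLOWED_COUNTRIES = {"AU"}              # assumed expected sign-in geography
# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def is_external(address):
    """True when the mailbox domain is not one of ours."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def analyse(log_text):
    """Return (time, user, finding, details) tuples for suspicious records."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        op, user, when = rec["Operation"], rec["UserId"], rec["CreationTime"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = rec.get("Parameters", {})
            fwd = {k: params[k] for k in FORWARD_KEYS if k in params and is_external(params[k])}
            if fwd:
                # A forward that also deletes or files the original is the
                # "hidden forwarding rule" pattern: the owner never sees the mail.
                hidden = params.get("DeleteMessage") == "True" or "MoveToFolder" in params
                findings.append((when, user, "external-forward" + ("-hidden" if hidden else ""), fwd))
        elif op == "UserLoggedIn":
            country, managed = rec.get("Country"), rec.get("DeviceManaged", False)
            if country not in ALLOWED_COUNTRIES or not managed:
                findings.append((when, user, "risky-signin", {"country": country, "managed": managed}))
    return findings


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit)
```

Running it on the sample flags the unmanaged overseas sign-in and the forward-and-delete rule, while the ordinary "move newsletters to Archive" rule is left alone.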

How We Can Help
We know that building an internal Security Operations Centre is out of reach for most businesses. Lumara provides the visibility and response capability to catch these threats before they escalate.
Our SOC team monitors your M365 environment around the clock. Using User Behaviour Analytics (UBA), we flag anomalous activity like overseas logins, hidden forwarding rules, and unusual data movements, then act on it before a threat actor has time to execute. Our practitioners also enforce strict data loss prevention controls, ensure proper log retention, and help maintain audit-ready compliance.
If a threat actor bypassed your MFA today, would you actually know? If you lack the visibility to detect someone operating inside your network, let us show you what Lumara looks like in your environment.
Download our Lumara SecOps Cloud overview or contact our team.

