
Shared mailboxes are everywhere.
Finance@
HR@
Info@
Support@
They’re convenient and simple, but if you’re not careful, they can quietly become a security risk.
I see this often in real Microsoft 365 tenants:
Shared mailboxes are treated like “low risk” because no one logs in directly.
That assumption is where problems start.
Let’s break this down simply.
Why Shared Mailboxes Are a Target
A shared mailbox itself can’t log in, but the users who have access to it can.
And those users often:
- Don’t use MFA consistently
- Have excessive permissions
- Forward emails externally
- Access the mailbox from unmanaged devices
If one user account is compromised, every shared mailbox they have access to is exposed.
That’s how attackers get:
- Invoices
- Password reset emails
- Vendor conversations
- Internal documents
No alerts. No noise. Just quiet access.
Common Mistakes I See
Too Many Users Have Access
Shared mailboxes slowly turn into “everyone needs access.”
More users = larger attack surface.
No MFA Enforcement
Admins assume MFA doesn’t matter because the mailbox isn’t licensed.
But MFA is enforced on the user account, not the mailbox.
If users accessing shared mailboxes don’t have MFA, those mailboxes are exposed.
External Forwarding Enabled
Attackers love mail forwarding rules.
With just one rule, all emails can be silently copied outside the tenant.
This happens more than people realize. (Paubox, 2025)
No Monitoring or Alerts
Shared mailboxes are rarely monitored. (Velazco, 2025) No alerts for:
- New inbox rules
- External forwarding
- Unusual access
That makes them perfect for long-term abuse. (43% of Healthcare Email Breaches Tied to Microsoft 365—New Report Uncovers the Major Cybersecurity Gaps, 2025)
How I Secure Shared Mailboxes (Simple Checklist)
Limit Access
Only give access to users who truly need it.
Review access regularly.
Remove old users.
Avoid “just in case” permissions.
Enforce MFA on All Users
Every user with shared mailbox access should have MFA enforced.
No exceptions. If MFA isn’t enforced, shared mailbox security doesn’t matter.
Block External Forwarding
Disable automatic forwarding to external addresses unless there’s a documented business need.
This alone stops a huge number of silent breaches.
Use Conditional Access
Even basic Conditional Access helps:
- Block legacy authentication
- Require compliant devices
- Limit access by location
Shared mailbox access inherits these protections.
Monitor Activity
Enable alerts for:
- New inbox rules
- External forwarding
- Suspicious sign-ins
Shared mailboxes shouldn’t be “set and forget.”
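The Limit Access, Block External Forwarding and Monitor Activity items above can be audited directly from Exchange Online PowerShell. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, and the $InternalDomains list is a constructed placeholder to replace with your tenant's accepted domains.

```powershell
# Added example: audit every shared mailbox for FullAccess delegates,
# mailbox-level forwarding, and inbox rules that forward or redirect mail
# to an address outside the tenant. MFA and Conditional Access live in
# Entra ID and are not covered here.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Assumption: constructed placeholder; replace with your accepted domains.
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-ExternalAddress {
    param([string]$Text)
    # Targets arrive as "smtp:user@domain" or '"Name" [SMTP:user@domain]';
    # pull out the address and compare only its domain part.
    $m = [regex]::Match($Text, '[\w.+-]+@[\w-]+(\.[\w-]+)+')
    if (-not $m.Success) { return $false }
    $domain = $m.Value.Split('@')[-1].ToLower()
    return $InternalDomains -notcontains $domain
}

$findings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # 1. Limit Access: every explicitly granted, non-self FullAccess principal.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Check = 'FullAccess'; Detail = $_.User } }

    # 2. Block External Forwarding: forwarding configured on the mailbox itself.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Check = 'ExternalForwarding'; Detail = $mbx.ForwardingSmtpAddress }
    }

    # 3. Monitor Activity: inbox rules whose action sends mail to an external address.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Check = 'ExternalInboxRule'; Detail = "$($rule.Name) -> $t" }
            }
        }
    }
}

$findings | Sort-Object Mailbox, Check | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and diff the output against the previous run: a new FullAccess entry or a new ExternalInboxRule row is exactly the change the Monitor Activity section says should raise an alert.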
Final Thought
Shared mailboxes aren’t inherently insecure.
They become insecure when no one owns them.
If your tenant has shared mailboxes:
- Assign ownership
- Review access
- Enforce MFA
- Monitor activity
Quiet attack surfaces are the ones attackers love most.
If you want to see how I test and validate mailbox security in real environments, I document my lab setups and security experiments at f11.ca. I write real-world Microsoft security lessons based on what I see in production, not just theory.
Jaspreet Singh
Author @ ITBlogs.ca
References
Paubox. (March 11, 2025). 43% of Healthcare Email Breaches Tied to Microsoft 365—New Report Uncovers the Major Cybersecurity Gaps. Business Wire. https://www.businesswire.com/news/home/20250312743974/en/43-of-Healthcare-Email-Breaches-Tied-to-Microsoft-365New-Report-Uncovers-the-Major-Cybersecurity-Gaps
Velazco, M. (2025). Detection: O365 Mailbox Inbox Folder Shared with All Users. Splunk Security Content. https://research.splunk.com/cloud/21421896-a692-4594-9888-5faeb8a53106/