In late June 2026, the cyber security agencies of all five "Five Eyes" nations issued a high-profile joint statement. The United States, the United Kingdom, Canada, Australia, and New Zealand put their names on a single warning and told business leaders to act now. Their message was blunt: artificial intelligence is about to give attackers capabilities that can outrun conventional defenses, and the timeline for that shift is measured in months, not years.
If you run technology or security at a bank, a credit union, a mortgage company, or a healthcare organization, that warning lands in a very specific place. You already believe your environment is reasonably locked down. Your team patched the urgent things. Multi-factor authentication is turned on. The last assessment came back fine. Everything is under control. That belief is reasonable. It is also almost never tested.
The agencies were careful to say that AI is not only a weapon for attackers. It is also becoming the most important tool defenders have. That is the real story for any organization running on Microsoft 365. The same platform that holds your email, files, and identities is also where Microsoft Defender, Microsoft Sentinel, and Microsoft Purview now apply machine-speed defense. The question is no longer whether you have the tools. It is whether they are actually configured to do their job before the next wave of attacks arrives.
What the Five Eyes Just Told Every Business Leader
The joint statement, signed by the US National Security Agency and the Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and New Zealand's National Cyber Security Centre, makes one core argument. Frontier AI models are advancing faster than most organizations can update their security assumptions, and that gap is what attackers will exploit first.
The thrust of the statement: frontier AI is advancing fast enough that an organization's cyber risk assumptions can go out of date in months, not years.
Read that line again with your own environment in mind. The risk is not that a brand new category of attack appears overnight. The risk is that the assumptions behind your current defenses quietly expire. AI lowers the barrier for less skilled attackers, increases the speed and complexity of campaigns, and shrinks the window between a vulnerability becoming public and that vulnerability being exploited at scale. The agencies also warned that AI is accelerating how quickly attackers discover and exploit software flaws, forcing organizations into a faster patch cycle than most are built for.
The agencies also reframed the problem in a way that should matter to every board. Cyber risk, they wrote, can no longer be treated as a purely technical issue. It is a core business risk and a leadership responsibility. Boards and executives are expected to make sure cyber resilience is in place and that it actually works under pressure. For a regulated financial institution or a healthcare provider, that is not aspirational language. It is the standard your examiner already holds you to.
Why This Matters for Financial Institutions and Healthcare
Your attack surface is not just your network. It is your Microsoft 365 tenant: every identity, every legacy authentication protocol still enabled, every over-shared SharePoint site, every account without phishing-resistant multi-factor authentication. AI-driven attacks are built to find the weakest of those configurations automatically. The defenses the Five Eyes recommend are, almost line for line, Microsoft 365 settings you either have switched on correctly or you do not.
Why "We're Probably Fine" Is the Most Expensive Assumption
Most security failures do not start with a clever zero-day. They start with a confident assumption. Leadership believes the environment is configured well because nothing has gone obviously wrong yet. The assessment from two years ago said the posture was acceptable. The team is busy and the dashboard is mostly green. None of that tells you what an attacker armed with AI will find when they probe your tenant next quarter.
The cost of being wrong is no longer abstract. A breach now runs into the millions, and regulated industries pay the most. The reason a second opinion is worth the time is simple: the gap between what a team believes is configured and what is actually configured is where breaches live. An outside review measures that gap with evidence instead of assumption, which is exactly why we built our guidance around why your Secure Score matters and how to read it honestly.
The Assumption
- "MFA is on, so identity is covered."
- "We patched the urgent items."
- "Legacy systems are isolated enough."
- "Our last assessment came back fine."
- "Defender is licensed, so we are protected."
The Verified Reality
- Conditional Access gaps and legacy auth still allow password-only sign-ins.
- Patch cadence is measured against AI-accelerated exploit timelines.
- Unsupported systems are inventoried, scored, and scheduled for removal.
- Secure Score and tenant config are re-measured against today's threat model.
- Defender, Sentinel, and Purview are tuned and actually generating signal.
This is the difference between a posture you hope is sound and a posture you can prove is sound. The Five Eyes statement effectively gave every organization a checklist. The honest question is whether you can show, today, where you stand on each item.
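One way to test the "MFA is on, so identity is covered" assumption against evidence, as an added example (not ABT's or Microsoft's code). It assumes the tenant's Conditional Access policies have been exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects. The function names and the sample export are constructed for illustration, and the check does not evaluate other scoping conditions such as locations or platforms.

```python
import json

# Graph clientAppTypes values that represent legacy (basic) authentication clients.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
    "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
    "users": {"includeUsers": ["All"], "excludeUsers": [],
              "excludeGroups": ["00000000-0000-0000-0000-00000000aaaa"]},
    "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def policy_gaps(policy):
    """Return reasons this legacy-auth block policy does not fully apply."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is '{policy.get('state')}', so nothing is blocked")
    missing = LEGACY_CLIENTS - set(cond.get("clientAppTypes") or [])
    if missing:
        gaps.append(f"client types not covered: {sorted(missing)}")
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("does not target all users")
    excluded = sum(len(users.get(k) or []) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    if excluded:
        gaps.append(f"{excluded} excluded user/group/role id(s) to justify")
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("does not target all cloud apps")
    return gaps

def audit_legacy_auth(policies):
    """Return (covered, findings) for a list of exported policies."""
    covered, findings = False, []
    for p in policies:
        cond = p.get("conditions") or {}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        # Only policies that block and explicitly name a legacy client type count.
        if "block" not in controls or not LEGACY_CLIENTS & set(cond.get("clientAppTypes") or []):
            continue
        gaps = policy_gaps(p)
        covered = covered or not gaps
        findings += [f"{p.get('displayName', '<unnamed>')}: {g}" for g in gaps]
    if not covered and not findings:
        findings.append("no policy blocks legacy authentication clients")
    return covered, findings
```

In the constructed sample, the MFA policy is enforced but only for modern clients, and the legacy-auth block is still in report-only mode with one excluded group, so password-only sign-ins over legacy protocols remain possible. An exclusion for emergency-access accounts is often deliberate; the finding is a prompt to confirm that every excluded ID is one.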
Five Moves Drawn From the Agencies' Guidance, and Where Microsoft 365 Gives Them to You
The joint statement set out the priorities organizations should act on now. ABT groups that guidance into five practical moves. What makes them useful is that, for any organization running on Microsoft 365, every one of them maps to a specific capability in the Microsoft 365 and Microsoft security stack: some already in your plan, some a license tier away, and much of it not yet fully configured. ABT manages Microsoft 365 tenants for more than 750 financial institutions and a growing roster of healthcare organizations, and these five moves are the spine of how we read a tenant's real posture.
- Disable legacy authentication, tighten Microsoft Entra ID Conditional Access, and review external sharing and guest access in SharePoint and Microsoft Purview. Every exposed surface you close is one an AI-driven scanner cannot find.
- Use Microsoft Intune update rings and Microsoft Defender Vulnerability Management to shrink the window between a flaw going public and your systems being protected, because AI is shrinking that window for attackers.
- Block legacy authentication protocols in Entra ID and gate unsupported clients with Conditional Access. Unsupported systems are a strategic liability, not just technical debt.
- Enforce phishing-resistant multi-factor authentication, apply Privileged Identity Management, and run regular access reviews so the right people hold the right permissions and nobody else does.
- Assume breaches will occur. Stand up Microsoft Sentinel and Microsoft Defender XDR, rehearse the response, and make sure detection and containment work when they are needed, not just on paper.
None of these five moves is exotic. That is the point. The capability lives in the Microsoft security stack around Microsoft 365, sometimes in your current plan and sometimes a license tier up. Whether you are licensed for it and whether it is actually configured to do its job are the questions a second opinion is built to answer. For identity specifically, we walk through the mechanics in our guide to the Entra ID security assessment for financial institutions.
AI Is the Threat. Governed AI in Microsoft 365 Is Also the Defense.
The part of the Five Eyes warning that gets lost in the alarming headlines is the part that should give security leaders confidence. The statement is equally clear that organizations should integrate AI tools into their own security operations. Defenders are not being asked to fight machine-speed attacks with manual effort. For organizations on Microsoft 365, that defensive AI lives in the surrounding Microsoft security stack, much of it a configuration or a license away.
Microsoft Defender XDR correlates signals across email, endpoints, identities, and cloud apps and responds at machine speed, automatically disrupting some attacks before an analyst opens a ticket. Microsoft Sentinel, an Azure-native security information and event management service licensed separately from Microsoft 365, brings those signals together and, with Microsoft Security Copilot, lets a small team triage and investigate at a scale that used to require a large one. Microsoft Purview governs where sensitive data lives and who can reach it, which matters enormously once you introduce AI assistants that can summarize anything a user is allowed to open.
That last point is where governed AI becomes a security control in its own right. Microsoft 365 Copilot stays inside your tenant, honors the permissions a user already has, and is covered by enterprise data protection. Deployed on a tenant where permissions are loose, an assistant becomes a fast way to surface data nobody should see. Deployed on a tenant where Purview and identity are configured correctly, the same assistant is safe and genuinely useful. The difference is configuration, which is the recurring theme of this entire warning.
Microsoft's own telemetry shows the scale of the identity fight: more than 97 percent of identity attacks are password-based, identity attacks rose 32 percent in the first half of 2025, and phishing-resistant multi-factor authentication blocks the overwhelming majority of them even when the attacker already holds a valid username and password. The tooling works. In our assessments, the gap is almost always between what is licensed and what is actually turned on. Finding that difference is the entire point of a second opinion.
What a Microsoft 365 Security Second Opinion Actually Looks Like
A second opinion is not a sales pitch and it is not a generic scan. It is an objective, evidence-based read of your actual Microsoft 365 posture, performed by people who manage these tenants for a living. The goal is to replace "we think we're fine" with a clear picture of where you stand and what to fix first. A real assessment covers the same ground the Five Eyes named, plus the regulatory layer your examiner cares about.
What Is Microsoft Secure Score?
Microsoft Secure Score is a measurement of your security posture inside Microsoft 365, expressed as a percentage of the maximum score you could achieve. It rewards specific, verifiable configuration choices: phishing-resistant MFA, blocked legacy authentication, tuned Defender policies, and more. The honest way to read it is as a measure of which recommended controls you have actually implemented, one you can compare against peer or industry benchmarks, not as a vanity number to push toward 100.
A complete Microsoft 365 Security Assessment from ABT looks at five things and produces a prioritized plan:
- Your real score, what is dragging it down, and which improvements actually reduce risk versus which just move the number.
- Legacy authentication, external sharing, mail flow, and the default settings that were never meant for regulated industries.
- Where MFA is enforced, where it is not, who holds privileged roles, and whether access reviews actually happen.
- Your configuration measured against FFIEC and NIST CSF for financial institutions, or HIPAA-aligned safeguards for healthcare.
- Whether your permissions and Purview data governance are tight enough to deploy Microsoft 365 Copilot safely.
If you want the longer view on why a single score is a starting point and not the finish line, our piece on building a security program beyond Secure Score for financial institutions connects the assessment to an ongoing operating model.
An assessment shows you where you stand. Keeping that posture strong as the threat accelerates is ongoing work, and it is the work ABT does every day. M365 Guardian is our managed operating model for Microsoft 365 security: we implement the hardening the assessment identifies, keep your Entra ID, Defender, Intune, and Purview controls tuned as Microsoft changes them, and hold the configuration to the standard your examiner expects. For institutions that need eyes on the threat around the clock, Guardian MxDR adds managed detection and response, so an AI-speed attack is caught and contained by a security team, not just flagged in a console nobody is watching. The second opinion is the starting point; Guardian is how you stay ahead of the threat the Five Eyes warned about.
Key Takeaway
The Five Eyes did not tell you to buy something new. They told you to verify that what you already run is configured to survive a faster, AI-driven threat. A Microsoft 365 second opinion answers that question with evidence before an attacker answers it for you.
Same Threat, Different Exam: Banks, Credit Unions, Mortgage, and Healthcare
The AI-accelerated threat is the same across every vertical ABT serves. What changes is the exam you have to pass. A community bank is examined by its primary federal regulator, the FDIC, OCC, or Federal Reserve, against FFIEC-coordinated standards. A credit union answers to the NCUA. A mortgage company carries its own data-security obligations to investors and regulators. A healthcare organization answers to HIPAA's Security Rule. Credit unions, banks, and mortgage companies all share one reality: the same Microsoft 365 misconfiguration that an examiner would cite is also the gap an AI-driven attacker would exploit first.
That is the quiet advantage of treating this as a posture question rather than a compliance scramble. When your tenant is configured correctly, the same work that defends against the threat also covers the technical controls an examiner expects to see. Our walkthrough of the FFIEC cybersecurity assessment for community banks shows how those control mappings line up in practice. The Five Eyes warning simply raised the urgency: examiners now expect to see that your resilience works under pressure, not just that a policy exists in a binder.
The Window Is the Point
"Months, not years" is not a reason to panic. It is a planning horizon. The organizations that come through the next wave in good shape will be the ones that used this window to verify their posture, close the gaps the agencies named, and confirm their Microsoft 365 defenses are actually doing their job. The ones that assumed they were fine will find out the hard way.
Get an objective second opinion on your Microsoft 365 security
Before the AI-speed attack wave lands, find out exactly where your tenant stands. ABT's Microsoft 365 Security Assessment delivers a real Secure Score read, a full tenant configuration and identity audit, controls mapped to FFIEC, NIST, or HIPAA, and a Copilot-readiness check, with a prioritized plan you can act on.
Frequently Asked Questions
It is an objective, evidence-based review of your actual Microsoft 365 security posture, performed by an outside team that manages these tenants for a living. Instead of assuming your environment is configured well, a second opinion measures your real Secure Score, audits your tenant and identity configuration, and maps what it finds to the regulatory standards you answer to, then gives you a prioritized plan to fix the gaps.
In a joint statement in late June 2026, the cyber security agencies of the United States, United Kingdom, Canada, Australia, and New Zealand warned that frontier AI models are advancing fast enough to give attackers powerful new offensive capabilities on a timeline of months rather than years. They emphasized that AI lowers the barrier for attackers, increases the speed and complexity of attacks, and shrinks the window between a vulnerability becoming known and being exploited, so organizations should act now to strengthen their defenses.
The assessment covers five areas: your Microsoft Secure Score read honestly against peers, a full tenant configuration audit of settings like legacy authentication and external sharing, an identity and Conditional Access review, a mapping of your controls to FFIEC and NIST for financial institutions or HIPAA-aligned safeguards for healthcare, and a Copilot-readiness check of whether your permissions and Microsoft Purview data governance are tight enough to deploy Microsoft 365 Copilot safely. You receive a prioritized plan, not just a score.
The Microsoft security stack built around Microsoft 365 provides strong, AI-powered defenses through Microsoft Defender XDR, Microsoft Sentinel paired with Microsoft Security Copilot, Microsoft Purview, and Microsoft Entra ID. Some are included in your plan and some are separate licenses or add-ons. These tools can defend against AI-accelerated attacks, but only when they are correctly licensed, configured, and actively monitored. Most organizations that suffer breaches had the right licenses but had not fully enabled or tuned the protection. The defense is in the configuration, which is exactly what a security assessment verifies.
Microsoft Secure Score is a percentage from 0 to 100 that measures your security posture inside Microsoft 365 based on verifiable configuration choices. In an assessment it is the starting point, not the verdict. The value comes from interpreting it: which recommendations actually reduce risk for your organization, how you compare to peers of similar size, and what to prioritize first. A high score with the wrong priorities can still leave real gaps, so the assessment reads the score in context rather than chasing the number.
The Microsoft 365 controls the Five Eyes agencies recommend (identity protection, attack surface reduction, patching, and tested incident response) are the same controls your examiner expects to see. ABT maps your tenant configuration to FFIEC and NIST CSF for banks and credit unions, to the relevant data-security obligations for mortgage companies, and to the HIPAA Security Rule for healthcare. When the environment is configured correctly, the same work that defends against the AI-accelerated threat also covers the technical controls your examiner reviews.