Account takeovers remain a major blind spot for Microsoft — we'll dive into how Material fills this gap and what "free" really costs in practice.
Microsoft 365 comes with a robust set of security and compliance tools like Purview and Azure Information Protection (AIP). These are powerful when used correctly — and they’re already bundled into many Microsoft enterprise plans.
But when it comes to protecting sensitive email data from account takeovers, these tools don’t actually solve the problem.
This post explores:
- What Microsoft’s native protections do well — and where they fall short
- Why account takeovers remain a major blind spot
- How Material Security addresses this specific gap
- What “free” really costs in practice
What Microsoft Purview and AIP Actually Do
A mature approach to risk management requires you to have an awareness of what’s happening in your Microsoft environment. And to that end, Microsoft Purview and AIP offer real value. They let you:
- Classify and label emails and files so you can understand where the most sensitive, proprietary information lives within your Microsoft environment.
- Apply encryption and rights management (via Azure RMS) to prevent data from being accessed without account permissions.
- Audit access and monitor for abnormal behavior to research what happened during a security incident.
These capabilities are excellent for the compliance and data governance aspects of managing risk. But these features rely on a central assumption: that a login with a user’s credentials can be trusted. And that assumption breaks down in the real world.
The Blind Spot: What Happens After an Account Is Compromised?
The problem is that protections from Purview and AIP are identity-enforced. If an attacker gains access to a user’s account — whether via phishing, token theft, or OAuth abuse — that attacker inherits the user’s rights. This gives the attacker the keys to everything in that user’s account, allowing them to circumvent all the careful preventative measures that have been configured via Microsoft Purview and AIP. In the case of an account takeover, the attacker can:
- Access archived or sensitive emails.
- Decrypt “protected” messages.
- Quietly exfiltrate or forward sensitive emails.
There’s no second checkpoint. No MFA prompt. No challenge. Once an attacker has gained access to an account, Purview and AIP simply can’t prevent sensitive data exposure.
Let’s Talk About Cost
While Purview and AIP might not be perfect solutions, it can be hard to argue with their price tag. Purview and AIP are often seen as “free,” bundled into E5 or added as checkboxes in a Microsoft renewal. While the licenses may not come at an additional cost, the tools are far from free to implement and manage. To understand the total cost of ownership for Purview and AIP, you need to factor in:
- Complex rollout and configuration: Building and tuning sensitivity labels and encryption policies can take months of work, making an investment in Purview and AIP look more like the “build” option of “build vs. buy.”
- Low adoption: Users frequently bypass or ignore labels, and protections can be inconsistent across devices and clients. The result is features that go unused and uncertainty about how much risk actually remains.
- False confidence: Perhaps the biggest cost is the belief that data is protected. In reality, that data is only protected until an attacker logs in with compromised credentials.
Purview and AIP are great tools for compliance use cases where seeing the data landscape is the most important thing, but they are painful for security use cases where actually protecting that information is required.
Material is built to directly protect your company’s sensitive data even after a breach, plus it’s fast to deploy and simple to operate.
Material Security Takes a Different Approach
Material is built around the idea that account takeovers happen, and companies need a security approach that assumes a breach and contains the damage. As Thomas Brittain, SVP of IT at Mariner Wealth Advisors explains: “Taking a Zero Trust approach to email security is critical because malicious content is always going to get through. Blockers might catch 98% of attacks, but the answer is not to get from 98% to 99% because it's still not bulletproof.” That means going beyond identity-enforced features and adding layers of verification to ensure the most sensitive data stays protected.
Instead of relying solely on labels or encryption, Material:
- Redacts sensitive messages and attachments from inboxes at rest, so attackers can’t exploit a treasure trove of proprietary data.
- Enforces a fresh MFA challenge before allowing access to redacted content.
- Works across all devices and email clients, with no end-user installation required.
Even if an attacker has full control of a mailbox, they can’t access the redacted data without passing an identity check that’s out-of-band from the session they compromised. Authorized users will authenticate using a familiar MFA flow, with minimal training and no complicated behavior change required. The Material solution is so simple for end users that customers like Oportun report a simple, intuitive experience to enforce security policies. “The lack of friction for me to get that email back is genius,” says Veejay Leswal, Oportun’s VP of Technology & Cloud Operations. “I click the link, I hit my multifactor. I don’t have to enter anything.”
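The mechanism described above and the "no second checkpoint" problem from the earlier section can be seen side by side in a small model. The following is an added illustrative example written for this post, not Material Security's own code or a description of its internals: it assumes a mailbox store (`inbox`, `vault`), a session-token table (`SESSIONS`, which is exactly what an account takeover hands an attacker), and a hypothetical out-of-band verifier (`issue_mfa_proof`) that signs short-lived, single-use proofs after a fresh MFA challenge. It goes slightly beyond the text by spelling out the checks a step-up design needs to be meaningful: the proof must be bound to the user and the message, must be fresh, and must not be replayable.

```python
"""Constructed model of "redact at rest + step-up MFA" (illustrative, not
Material Security's code). A valid mailbox session, whether legitimate or
stolen, sees only redaction stubs; the original body is released only
against a fresh, out-of-band MFA proof."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

REDACTED_STUB = "[Redacted: complete a fresh MFA challenge to view this message]"
PROOF_TTL_SECONDS = 120  # how long a proof counts as "fresh"
# Constructed signing key for the hypothetical MFA verifier (a real deployment
# would keep this in a KMS/HSM, never in source).
MFA_VERIFIER_KEY = b"constructed-demo-key-not-for-real-use"

SESSIONS: dict = {}  # session token -> user; phishing/token theft yields one of these


@dataclass
class Mailbox:
    user: str
    inbox: dict = field(default_factory=dict)         # readable by any valid session
    vault: dict = field(default_factory=dict)         # originals of redacted messages
    used_proofs: set = field(default_factory=set)     # nonces already spent


def login(user: str) -> str:
    """Mint a mailbox session token (what an ATO attacker inherits)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def is_sensitive(body: str) -> bool:
    """Toy stand-in for sensitivity labels / content classification."""
    markers = ("password", "wire instructions", "ssn", "account number")
    return any(m in body.lower() for m in markers)


def deliver(mbox: Mailbox, msg_id: str, body: str) -> None:
    """Redact at rest: sensitive bodies leave the inbox and move to the vault."""
    if is_sensitive(body):
        mbox.vault[msg_id] = body
        mbox.inbox[msg_id] = REDACTED_STUB
    else:
        mbox.inbox[msg_id] = body


def read_inbox(mbox: Mailbox, session_token: str) -> Optional[dict]:
    """Ordinary mailbox read: a valid session sees only what sits in the inbox."""
    if SESSIONS.get(session_token) != mbox.user:
        return None
    return dict(mbox.inbox)


def issue_mfa_proof(user: str, msg_id: str, now: int) -> str:
    """Hypothetical out-of-band verifier: after a fresh MFA challenge it signs a
    proof bound to this user and this message, stamped with the current time."""
    nonce = secrets.token_hex(8)
    payload = f"{user}|{msg_id}|{now}|{nonce}"
    mac = hmac.new(MFA_VERIFIER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def _proof_is_valid(mbox: Mailbox, proof: str, msg_id: str, now: int) -> bool:
    """All four checks must pass: authentic, correctly bound, fresh, unused."""
    try:
        user, pid, ts, nonce, mac = proof.split("|")
    except ValueError:
        return False
    payload = f"{user}|{pid}|{ts}|{nonce}"
    expected = hmac.new(MFA_VERIFIER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                                   # forged or tampered
    if user != mbox.user or pid != msg_id:
        return False                                   # bound to another user/message
    if not ts.isdigit() or int(ts) > now or now - int(ts) > PROOF_TTL_SECONDS:
        return False                                   # stale: not a fresh challenge
    if nonce in mbox.used_proofs:
        return False                                   # replayed
    return True


def unredact(mbox: Mailbox, session_token: str, msg_id: str,
             proof: str, now: int) -> Optional[str]:
    """The second checkpoint: the session alone is never enough."""
    if SESSIONS.get(session_token) != mbox.user or msg_id not in mbox.vault:
        return None
    if not _proof_is_valid(mbox, proof, msg_id, now):
        return None
    mbox.used_proofs.add(proof.split("|")[3])          # single use
    return mbox.vault[msg_id]
```

The design choice worth noticing is that `unredact` never trusts anything the compromised session can produce on its own: the proof comes from a separate verifier, carries its own binding and timestamp, and is consumed on first use, so a stolen session token, a captured old proof, or a proof minted for a different message all end at the stub.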
Let’s take a look at the differences between Microsoft’s native features and Material’s approach to ATO resiliency:
The Bottom Line
Purview and AIP are valuable tools — for what they’re designed to do. But they’re not designed to prevent data loss from account takeovers, which remain the most common and damaging form of email-based attack. All it takes is one email to hit one inbox when a single employee is distracted, and an attacker can steal credentials that allow them to evade the defenses of Purview and AIP. It’s a high-risk, high-stakes security gap that no company wants to fall victim to.
Material Security fills this specific gap. It works with Microsoft, not against it — but it provides a layer of protection that Microsoft simply doesn’t offer.
If you're serious about securing email — not just labeling it — it's time to go the last mile. Contact us for a demo today.