
The Microsoft 365 Security Reset: What Australian SMBs Need to Change in March 2026

23 March 2026 · 7 min read

The Microsoft 365 Security Landscape is Shifting

For many Australian small and medium businesses, Microsoft 365 is the backbone of daily operations. It houses your emails, your client files, and your internal communications. Because it is so central to your business, it is also a primary target for cyber criminals. This is why Microsoft constantly updates its security baseline, often enforcing changes that can catch unmanaged IT environments off guard.

In March 2026, we have seen two significant shifts in how Microsoft handles security policies. These are not optional "nice to have" settings; they are fundamental changes to how the platform protects your data. If your business relies on custom SharePoint sites or older mobile device policies, you may already be experiencing disruptions or hidden security gaps.

At Cubit Cyber, we believe in proactive security. This post breaks down exactly what has changed this month and the specific steps you need to take to keep your Microsoft 365 environment secure and functional.

SharePoint Content Security Policy (CSP) Enforcement

The most technical change this month is the strict enforcement of Content Security Policies (CSP) across SharePoint Online. This is a powerful move by Microsoft to eliminate a common type of cyber attack called Cross Site Scripting (XSS).

In an XSS attack, a hacker injects malicious code into a trusted website, like your internal SharePoint portal. When your employees visit that portal, the code runs in their browser, potentially stealing their login session or sensitive data. By enforcing a strict CSP, SharePoint now blocks any untrusted scripts or "inline" JavaScript from running.
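To make the mechanism concrete, here is an added example (not code from the original post or from Microsoft) of a minimal evaluator for the script-src part of a Content-Security-Policy header, showing why a strict policy blocks inline JavaScript and scripts from untrusted origins. The policy string, page origin and nonce are constructed samples; the post does not list SharePoint Online's actual directives, so they are assumptions.

```javascript
// Parse "name src src; name src" into { name: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does a host-source expression (e.g. https://*.sharepoint.com) match this URL?
// Paths inside the source expression are ignored to keep the example short.
function hostMatches(source, url) {
  const [scheme, hostPart] = source.includes("://")
    ? source.split("://")
    : [url.protocol.slice(0, -1), source];
  const host = hostPart.split("/")[0];
  if (scheme !== url.protocol.slice(0, -1)) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// script is { inline: true, nonce?: string } or { src: "https://..." }.
// Returns true if a browser would run it under this policy on a page at pageOrigin.
function scriptAllowed(header, pageOrigin, script) {
  const d = parseCsp(header);
  const sources = d["script-src"] ?? d["default-src"]; // script-src falls back to default-src
  if (!sources) return true; // no policy at all: everything runs, the pre-enforcement situation
  if (script.inline) {
    if (sources.includes("'unsafe-inline'")) return true;
    // Only an inline script carrying the per-response nonce is allowed; injected
    // XSS payloads cannot know the nonce, so they are blocked.
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src);
  if (sources.includes("*")) return true;
  if (sources.includes("'self'") && url.origin === pageOrigin) return true;
  return sources.some((s) => !s.startsWith("'") && hostMatches(s, url));
}

// Constructed sample policy and origin for an imaginary tenant (assumptions).
const POLICY = "default-src 'self'; script-src 'self' https://*.sharepoint.com 'nonce-r4nd0m'";
const ORIGIN = "https://contoso.sharepoint.com";
```

Running `scriptAllowed(POLICY, ORIGIN, { inline: true })` returns false, which is exactly why a custom page that embeds its own inline script breaks once the policy is enforced, while a script served from the tenant's own origin still loads.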

Why This Matters for Your Business

If you use a "vanilla" version of SharePoint for basic file storage, you likely will not notice a difference. However, many Australian SMBs use SharePoint for:

  • Customised internal portals or "Intranets".
  • Third-party web parts that pull data from other apps (like Xero or Salesforce).
  • Custom scripts used to automate workflows or brand your internal pages.

As of March 2026, many of these customisations will simply stop working. This can lead to broken pages, missing data, or employees being unable to complete their daily tasks.

What You Should Do Now

We recommend an immediate audit of your SharePoint environment. Check for any custom "Modern" or "Classic" pages that seem to be loading incorrectly. If you find broken elements, your IT provider will need to move those scripts to a trusted location or update them to comply with the new CSP standards. This is a critical step to ensure your business continuity while maintaining a high security posture.

The End of "Approved Client App" Controls

For years, many businesses used a setting in Microsoft Entra (formerly Azure AD) called "Require approved client app". This was a simple way to ensure that employees could only access company email through the official Outlook app, rather than a less secure third-party mail app on their personal phone.

Microsoft has now officially retired this control. It is being replaced by a more robust and flexible system called "App Protection Policies".

The Risk of Doing Nothing

If your security policies still rely on the retired "Approved Client App" setting, you have a gap in your defences. Your staff might find themselves unable to access their emails on mobile devices, or worse, they may be able to connect via unmanaged, insecure apps that do not protect your company data.

The modern threat landscape requires more than just checking which app is being used. We need to control what happens to the data inside that app. For example, can an employee copy a sensitive client email and paste it into their personal Notes app? A simple "approved app" check cannot stop this, but an App Protection Policy can.

Moving to App Protection Policies

The new standard allows you to protect company data without needing to fully "manage" an employee's personal phone. You can enforce rules like:

  • Requiring a PIN or biometric (Face ID) to open the Outlook app.
  • Blocking "Save As" for company files to personal storage (like iCloud or Dropbox).
  • Preventing the copying and pasting of company data into personal apps.
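As an added example (not code from the original post or from Microsoft), the following checks an exported Intune iOS App Protection Policy for the three controls just listed, with a weak and a hardened version of the same policy side by side. The property names follow the Microsoft Graph `iosManagedAppProtection` schema as I understand it and are an assumption; both policy objects are constructed samples, not real tenant exports.

```javascript
// Return a list of findings for a policy object; an empty list means all three
// controls from the post are in place.
function auditAppProtectionPolicy(policy) {
  const findings = [];
  if (policy.pinRequired !== true) {
    findings.push("pinRequired is false: Outlook opens without a PIN or biometric");
  }
  if (policy.saveAsBlocked !== true) {
    findings.push("saveAsBlocked is false: files can be saved to personal storage");
  }
  // Clipboard: anything other than these levels lets text be pasted into personal apps.
  const clip = policy.allowedOutboundClipboardSharingLevel;
  if (!["managedApps", "managedAppsWithPasteIn", "blocked"].includes(clip)) {
    findings.push(`allowedOutboundClipboardSharingLevel is '${clip}': paste into personal apps allowed`);
  }
  // Open-in / share sheet: 'allApps' lets data leave the managed app set entirely.
  const dest = policy.allowedOutboundDataTransferDestinations;
  if (!["managedApps", "none"].includes(dest)) {
    findings.push(`allowedOutboundDataTransferDestinations is '${dest}': data can be sent to any app`);
  }
  return findings;
}

// Constructed: a policy created without tightening any of the defaults (assumed values).
const WEAK_POLICY = {
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  displayName: "Outlook mobile (weak)",
  pinRequired: false,
  saveAsBlocked: false,
  allowedOutboundClipboardSharingLevel: "allApps",
  allowedOutboundDataTransferDestinations: "allApps",
};

// Constructed: the same policy with the three controls from the post enabled.
const HARDENED_POLICY = {
  ...WEAK_POLICY,
  displayName: "Outlook mobile (hardened)",
  pinRequired: true,
  saveAsBlocked: true,
  allowedOutboundClipboardSharingLevel: "managedAppsWithPasteIn",
  allowedOutboundDataTransferDestinations: "managedApps",
};
```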

If you have not already migrated your policies, now is the time to work with Cubit Cyber to implement these modern controls. This ensures your staff remain productive on the go while your sensitive data remains within your control.

Patch Tuesday: High Risk Office Vulnerabilities

Beyond policy changes, March has brought several critical security patches that every Australian business owner should be aware of. The most concerning are vulnerabilities in Microsoft Office (specifically Word and Excel) that allow for "Remote Code Execution".

How the Attack Works

A "Remote Code Execution" (RCE) flaw is exactly what it sounds like: a hacker can run code on your computer from a remote location. In this case, the attack is usually delivered via a phishing email. An employee receives a file that looks like a legitimate invoice or report. When they open that file in Word or Excel, the malicious code runs silently in the background.

The hacker can then install ransomware, steal login credentials, or monitor everything the employee does on their computer.

The 48-Hour Patch Rule

At Cubit Cyber, we recommend a strict 48-hour rule for critical security patches. This means that within 48 hours of Microsoft releasing a fix, every device in your business should have it installed.

Hackers are incredibly fast at reverse engineering these patches to find out how to exploit the vulnerability. If you wait weeks to update your staff laptops, you are leaving a door wide open for an easy attack.

Why Managed IT is No Longer Optional

The changes we have seen this month in Microsoft 365 highlight a broader trend: cyber security is no longer a "set and forget" task. Microsoft is constantly moving the goalposts to keep up with hackers, and your business must move with them.

Relying on an "IT person" who only shows up when something breaks is a recipe for disaster. By the time something breaks in a security context, the damage is already done. You need proactive management that monitors these policy changes, audits your customisations, and ensures your patches are applied the moment they are released.

How Cubit Cyber Secures Your Microsoft Environment

We take the complexity out of Microsoft 365 security. Our managed services include:

  • Continuous Policy Monitoring: We ensure your environment always meets the latest Microsoft security baselines.
  • Managed Patching: We handle the updates for you, ensuring your team is always protected against the latest RCE flaws.
  • Data Protection: We implement advanced App Protection Policies to secure your data on any device, anywhere.
  • Expert Guidance: When Microsoft changes a major policy like SharePoint CSP, we are there to guide you through the transition without downtime.

Don't wait for a broken portal or a ransomware alert to find out your security is out of date.

Get a free security audit for your Microsoft 365 environment today.
