Microsoft's decision to reduce security capabilities in free nonprofit Microsoft 365 licensing is creating real security risks for nonprofits across the world.
On May 14, 2025, Microsoft officially discontinued its longstanding donation of 10 free Microsoft 365 Business Premium and E1 licenses for eligible nonprofits. This change forces organizations to downgrade to the more limited Business Basic plan unless they can afford the discounted ~$5.50/user/month rate for Business Premium.
At Good Heart Tech, we've recently seen three successful OAuth-based attacks against nonprofit organizations that no longer had access to Microsoft 365 Business Premium licensing. Without Business Premium, these organizations were forced to rely on Microsoft Security Defaults instead of advanced protections like Conditional Access policies.
For many nonprofits, that created major security gaps.
Why This Matters
Most nonprofits do not have dedicated cybersecurity staff or large IT budgets.
Email systems power nearly every part of nonprofit operations:
- Donor communication
- Financial approvals
- Volunteer coordination
- Grant applications
- Internal operations
When an attacker gains access to a Microsoft 365 account, the damage can spread quickly across the organization and its community.
What Is an OAuth Attack?
Unlike a traditional phishing attack that steals a password, an OAuth attack tricks a user into granting a malicious application access to their own account and data.
The user may see what looks like a legitimate Microsoft login or permission request. Once they click "Accept," the attacker can gain persistent access to:
- Contacts
- Calendars
- OneDrive files
- Teams data
In many cases, multi-factor authentication does not stop this: the user signs in normally, completes MFA, and then approves the access themselves, so the application's token is issued through a legitimate login.
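One way a defender can review the grants that such an approval leaves behind is to triage the tenant's delegated OAuth permission grants for the two signals the attack depends on: scopes that reach mail, contacts, calendars, files or Teams data, and the offline_access scope that keeps the access alive after the session ends. The following is an added example, not code from Good Heart Tech or Microsoft. It works over records shaped like Microsoft Graph oauth2PermissionGrant objects plus a clientId-to-application-name lookup that the caller has built; the sample records, the scope list and the scoring weights are all constructed assumptions for the example.

```python
"""Triage of delegated OAuth grants for consent-phishing indicators.

Added example, not Good Heart Tech's or Microsoft's code. It reads records
shaped like Microsoft Graph `oauth2PermissionGrant` objects (`id`,
`clientId`, `consentType`, `principalId`, `scope`) plus a clientId -> app
name lookup the caller built from `servicePrincipals`. All sample data
below is constructed; the scope list and scoring weights are assumptions.
"""
from dataclasses import dataclass

# Delegated scopes that give an app standing read/write access to the data
# classes named in the post (mail, contacts, calendars, files, Teams).
HIGH_RISK_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite", "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Chat.Read", "ChannelMessage.Read.All",
})
# offline_access yields a refresh token: the access outlives the session,
# which is what makes a consent grant persistent.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class GrantFinding:
    grant_id: str
    app_name: str
    principal: str           # "all users" or the consenting user's object id
    risky_scopes: list
    persistent: bool
    user_consented: bool     # consentType == "Principal": one user clicked Accept
    known_app: bool          # clientId is on the reviewer's allowlist

    def score(self) -> int:
        # Weighted sum; the weights are this example's assumption.
        s = len(self.risky_scopes)
        s += 2 if self.persistent else 0
        s += 1 if self.user_consented else 0
        s += 1 if not self.known_app else 0
        return s


def triage_grants(grants, app_names, allowlisted_client_ids=frozenset()):
    """Return findings for grants carrying risky or persistence scopes,
    highest score first. Grants with neither are ignored."""
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        persistent = PERSISTENCE_SCOPE in scopes
        if not risky and not persistent:
            continue
        findings.append(GrantFinding(
            grant_id=g["id"],
            app_name=app_names.get(g["clientId"], "<unknown app>"),
            principal=g.get("principalId") or "all users",
            risky_scopes=risky,
            persistent=persistent,
            user_consented=g.get("consentType") == "Principal",
            known_app=g["clientId"] in allowlisted_client_ids,
        ))
    return sorted(findings, key=lambda f: f.score(), reverse=True)


# Constructed sample: three service principals and four grants.
SAMPLE_APP_NAMES = {"sp-1": "Intranet Portal", "sp-2": "Document Viewer", "sp-3": "Calendar Sync"}
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
    {"id": "g2", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-77",
     "scope": "openid profile offline_access Mail.ReadWrite Mail.Send Files.Read.All"},
    {"id": "g3", "clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.Read offline_access"},
    {"id": "g4", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-12",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES, allowlisted_client_ids={"sp-1"}):
        print(f"[score {f.score()}] {f.app_name} grant {f.grant_id} for {f.principal}: "
              f"scopes={f.risky_scopes} persistent={f.persistent} "
              f"user_consent={f.user_consented}")
```

Run against the constructed sample, the user-consented "Document Viewer" grant with mail and file scopes plus offline_access ranks first; the "Intranet Portal" grants carry only sign-in scopes and are not reported at all, which is the point of triaging on scope rather than on whether a grant exists.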
What Attackers Usually Do Next
One of the most common post-compromise actions is creating hidden inbox rules.
Attackers often:
- Hide security alerts
- Delete warning emails
- Forward copies of messages externally
- Conceal evidence of malicious activity
This allows them to quietly monitor conversations and send phishing emails from a trusted nonprofit account.
Because the emails come from a legitimate organization, donors, volunteers, and staff are much more likely to trust them.
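The inbox-rule patterns listed above (hiding alerts, deleting warnings, forwarding externally) can be checked mechanically once a mailbox's rules have been exported. The following is an added example, not code from Good Heart Tech or Microsoft. It triages records shaped like Microsoft Graph messageRule objects, with one assumption stated in the code: the caller has already resolved each rule's moveToFolder target from a folder id to the folder's display name. The sample rules, the folder list and the keyword list are constructed for the example.

```python
"""Triage of mailbox inbox rules for the post-compromise patterns the post
describes: external forwarding, silent deletion, moving mail to folders
nobody reads, and conditions that match security-warning wording.

Added example, not Good Heart Tech's or Microsoft's code. Rules are records
shaped like Microsoft Graph `messageRule` objects (`displayName`,
`isEnabled`, `conditions`, `actions`), with one assumption: the caller has
already resolved `actions.moveToFolder` from a folder id to the folder's
display name. All sample rules below are constructed.
"""

# Folders where diverted mail tends to go unread; an assumption for this example.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items"}
# Condition terms that suggest a rule exists to suppress warnings or catch payments.
WARNING_KEYWORDS = {"password", "security", "alert", "phishing", "suspicious",
                    "unusual", "invoice", "payment"}


def _addresses(recipients):
    # Graph recipient objects look like {"emailAddress": {"address": "...", "name": "..."}}
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def _is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1] not in internal_domains


def triage_rule(rule, internal_domains):
    """Return the list of reasons this rule looks suspicious (empty if none)."""
    reasons = []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    name = rule.get("displayName") or ""

    # Attackers often give rules a blank or one-character name so they are easy to miss.
    if len(name.strip()) <= 1:
        reasons.append("rule name is blank or a single character")

    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        external = [a for a in _addresses(actions.get(key)) if _is_external(a, internal_domains)]
        if external:
            reasons.append(f"{key} sends mail outside the tenant: {', '.join(external)}")

    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("rule deletes matching mail")

    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDDEN_FOLDERS:
        reasons.append(f"rule moves mail to a rarely read folder: {folder}")

    terms = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        terms.extend(t.lower() for t in conditions.get(key) or [])
    hits = sorted({kw for kw in WARNING_KEYWORDS for t in terms if kw in t})
    if hits:
        reasons.append(f"rule conditions match security-warning wording: {', '.join(hits)}")
    return reasons


def triage_mailbox(rules, internal_domains):
    """Return [(displayName, isEnabled, reasons)] for every rule with at least one reason,
    in the order the rules were supplied."""
    domains = {d.lower() for d in internal_domains}
    out = []
    for r in rules:
        reasons = triage_rule(r, domains)
        if reasons:
            out.append((r.get("displayName") or "", bool(r.get("isEnabled", True)), reasons))
    return out


# Constructed sample export for one mailbox in the fictional tenant goodheart.example.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["password", "security alert", "phishing"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mailbox@gmail.example"}}]}},
    {"displayName": "Archive", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["Invoice"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]

if __name__ == "__main__":
    for name, enabled, reasons in triage_mailbox(SAMPLE_RULES, {"goodheart.example"}):
        state = "enabled" if enabled else "disabled"
        print(f"rule {name!r} ({state}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The legitimate "Newsletters" rule produces no findings, while the three rules that match the post's description are each reported with the specific reason, so an analyst can confirm with the mailbox owner rather than delete every rule in bulk.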
How Conditional Access Could Have Helped
Microsoft 365 Business Premium includes Conditional Access features that can help block or reduce these attacks by:
- Restricting risky logins
- Blocking suspicious authentication attempts
- Limiting access from unfamiliar locations
- Enforcing stronger identity protections
Organizations that lost access to these tools were often left relying only on Microsoft Security Defaults, which provide a much more limited baseline.
What Good Heart Tech Is Doing
At Good Heart Tech, we're working to help fill these gaps for our nonprofit partners through:
- Automated alerting and suspicious activity detection
- Automated account lockout workflows
- Monitoring for malicious inbox rules and OAuth abuse
- Partnerships with security-focused organizations providing free protections
- Nonprofit-focused security education and response assistance
The Bigger Issue
Thousands of nonprofits are now operating without security protections that were previously available to them through Microsoft's nonprofit licensing.
Many smaller organizations cannot afford enterprise-grade security tools on their own, leaving them increasingly vulnerable to attacks that could have otherwise been prevented.
Cybersecurity is no longer optional infrastructure for nonprofits. Removing critical security protections from organizations with limited resources has real-world consequences for the communities they serve.