
Microsoft 365 vs Office 365 – which is better for small law firms?

By virtuoso


May 8, 2022

Here at Virtuoso we spend a lot of time talking about Microsoft 365 and Office 365. In fact they make up the foundation of many of the services we provide to our customers.  

Despite the obvious similarities in their names, it’s important to realise that while there are some overlaps, these flagship products are not the same thing. This week’s blog aims to shed some light on what the similarities and differences actually are and why smaller law firms with fewer than 10 staff should give very careful consideration to Microsoft 365.

The confusion 

Consistency in product names has always been something companies (particularly in the technology world) have struggled with and Microsoft is no exception. Here is the short version. 

  • Microsoft 365 is a bundle of existing products under one licence, geared towards businesses. 
  • Office 365 is a cloud-based suite of productivity apps like Outlook, Word, PowerPoint, and more.  

To muddy the waters a bit more, Microsoft 365 actually includes Office 365.
Confused? Well, let’s deal with the easy one first: Office 365.

Office 365

Office 365 is a cloud-based suite of apps and services centered around business productivity and includes apps most people are already familiar with, like Outlook, Word, PowerPoint and Excel. Most plans also include apps and services like Skype, SharePoint, OneDrive and Yammer. Recently Microsoft made Teams available free of charge to all Office 365 users, so it is even better value. It includes much, much more of course: robust productivity, collaboration, and security features.

Office 365 is a monthly, per-user subscription. There are a variety of plans to choose from depending on your specific needs and plans can be mixed and matched. 

Microsoft 365

Microsoft 365 is a bundle of services that, as mentioned earlier, includes Office 365. But it also includes Windows 10 Enterprise, Enterprise Mobility + Security (EMS), and machine learning functionality.  

Where EMS comes in is underpinning Microsoft 365 with the Microsoft Intelligent Security Graph which offers real-time threat detection, response, and remediation. Remember that digital transformation is dissolving network boundaries and expanding the attack surface to include new devices, users, applications and platforms. 

The ‘Secret Sauce’ 

That phrase “real-time” is important, and what it really means is real time in “machine time”. The key thing about cyber-attacks is that they generally happen without warning and evolve very rapidly, much faster than humans can respond.

But the machine learning that underpins the Intelligent Security Graph uses advanced analytics to link a massive amount of threat intelligence and security data from Microsoft, and partners, to combat cyberthreats. Insights from the Intelligent Security Graph power real-time threat protection in Microsoft products and services. Microsoft 365 offers more security than is available with Office 365, including Advanced Threat Protection, remote wiping capability, app protection which prevents saving or copying confidential data to mobile apps, and much more.

Like Office 365, there are multiple plans to choose from depending on your needs (though not quite as many!). The services included in Microsoft 365 are also available as separate licenses. If you can’t find a plan that fits your needs, you can still achieve close to the same results by buying licenses for all the components, though you will miss out on some of the machine learning benefits, which would be a real pity.

Which one is right for my business?

Deciding whether Office 365 or Microsoft 365 is the best option for your business can be challenging. If you’re already using all the separate pieces, then switching over to the combined Microsoft 365 would undoubtedly be the best option. If you’re not already using all the separate components of Microsoft 365, it can be hard to figure out if it’s worth it and, if so, which plan is most advantageous.

But for small law firms there are other considerations 

Firstly, smaller law firms usually do not have a permanent IT support person on site or even on call. Often, they are dependent on a local IT provider or perhaps even a member of staff with an interest in IT. Internal systems are unlikely to be state of the art, especially as regards data integrity (which includes compliance with the GDPR) and, above all, security.

Information Technology is constantly changing, and every few years it takes a step-change, a fundamental shift as it were in the rules of the game. And we are in such a time now. Secondly, law firms are very attractive targets for cyber criminals. I wrote a blog about this a few months ago on Supply Chain Risk, so be sure to give that a read too.

In summary, law firms are such an attractive target for cyber criminals because even a small law firm can have in its files all the information needed by someone wishing to profit from mergers and acquisitions, copyright or intellectual property, planning application changes and rezoning.

Here’s also an interesting blog from Microsoft Secure, their security practice, from September.  

It’s a bit technical and is focused on the US experience, but there is a reason every law firm, perhaps especially every small law firm, should consider the message it conveys. And because it is very detailed and technical, I will try to summarise it for a non-technical reader.

Less is more?

Cyber criminals are always looking for new ways to rob people, and most law firms are now familiar with email spoofing, Friday conveyancing frauds and the like. In the past, cyber criminals cast as wide a net as possible to increase the pool of potential victims. But large-scale attacks attract publicity and countermeasures. Cyber thieves know that companies like Microsoft and others are watching, so they have varied their tactics. In the last year there has been a growing trend (picked up first in the US) for small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In the Microsoft Secure blog, the new malware campaign targeted small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents were then distributed via email to target victims in locations where the businesses are located. Here’s how the attack was orchestrated…

Malicious, macro-enabled documents were delivered as email attachments to target small businesses. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business.  

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. So, for example, if your firm is based in West London you would get an attachment from a local business in London postal code W1 (the local business would probably not be compromised in any way).

The intended effect is for recipients to get documents from local, very familiar businesses or service providers. It’s part of the social engineering scheme to increase the likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document. When recipients open the document, they are shown a message that tricks them into enabling the macro. Something like this below:


In this case, documented by Microsoft, the payload was Ursnif, an info-stealing malware.

And in this example, Microsoft machine learning stopped the attack. Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. And this includes the millions of distinct, first-seen malware. The under-the-radar approach of the hackers can’t fool the various algorithms that make up the machine-learning-powered defences of the Microsoft Intelligent Security Graph.

Microsoft 365 protects against a wide range of threats: from massive malware campaigns to small-scale, localized attacks.  Do you think your law firm would benefit from this security? Not to mention all the increased functionality, ease of collaboration and mobile working. 

Next steps

The first question should always be, do you need everything included in Microsoft 365? My suggestion is that if you are a small law firm the answer is yes. 

Unless you’re starting from scratch, moving to either Office 365 or Microsoft 365 doesn’t happen overnight. There are setup and migration requirements involved for both, and time and cost considerations too. If you’re feeling brave you may be able to handle this internally, but chances are your best option is to work with a Microsoft Partner, like Virtuoso, who has extensive experience of migrating businesses to Office 365, implementing EMS and setting up machines with Windows 10 Enterprise.

We help our customers navigate an increasingly complex IT environment.   

Want to know more about Microsoft 365 and Office 365?

We hope this insight into both packages will help you think about how Microsoft 365 or Office 365 will benefit your business. If you would like to speak with an Office 365 expert who understands how it could work for your business, then please contact us.