Picture this: a vendor “updates” their banking details via email. Your controller gets a message that looks like it came from the CFO asking for a wire. A project manager can’t find an important thread—because it’s quietly being auto-forwarded somewhere else. Nothing looks like a dramatic “hack”… until money moves, data disappears, or trust takes a hit.
This is the modern reality of security incidents: many begin with identity, not infrastructure. Verizon’s 2025 DBIR highlights that credential abuse remains a leading initial access vector, right alongside vulnerability exploitation—based on analysis of over 22,000 security incidents and 12,195 confirmed breaches.
Identity is the new perimeter in Microsoft 365
For most organizations, Microsoft 365 isn’t just a toolset—it’s the operating system of the business. Email drives approvals and payments. Teams hosts conversations that never make it to a ticket. OneDrive and SharePoint contain contracts, customer data, and the working files people rely on every day.
That’s why identity has become the new perimeter. If an attacker gets into the right account, they often don’t need to “break into the network” to cause real damage. They can impersonate leadership, divert payments, quietly harvest sensitive data, or manipulate communication flows in ways that are hard to spot in the moment.
And when something starts going wrong—whether it’s a targeted incident or a widespread event—the difference isn’t who has the most tools. It’s who can respond clearly and quickly under pressure. We saw this during the July 19, 2024 CrowdStrike-related outage: a massive disruption where our proactive protection helped keep a long-time client online while millions of systems were impacted.
“But we have MFA.” Why that’s not the finish line.
We’re strong believers in MFA. It’s necessary.
But there’s a common misconception at the leadership level: MFA isn’t the same thing as detection and response. Even with MFA, attackers can sometimes succeed by abusing a trusted session (think: “riding along” with what your systems already believe is a legitimate login).
Microsoft’s guidance on token protection speaks directly to the reality of token theft and replay attacks—and why defending identity requires a defense-in-depth approach, not a single control.
The practical takeaway isn’t “assume MFA is useless.” It’s this: MFA reduces risk. ITDR reduces impact—because it helps you catch suspicious identity behavior early and respond fast.
What account takeovers actually look like
Most identity-driven incidents don’t announce themselves with sirens. They show up as patterns that a busy team can miss:
Pattern 1: Suspicious sign-ins and unusual access
- A login that doesn’t fit the user’s normal behavior (time, location, device, app)
- A burst of authentication prompts
- Activity that doesn’t match the person’s role (for example, sudden access to sensitive financial documents)
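One way to turn these three indicators into something a team can actually run is a baseline-and-deviation check. The block below is an added example, not code from the original post or from any vendor tooling: it builds each user's normal countries and applications from a history of successful sign-ins, then flags recent sign-ins from a country or application that user has never used, plus bursts of denied MFA prompts (the "burst of authentication prompts" pattern). All records are constructed sample data; the field names are an assumption loosely modelled on an Entra ID sign-in export, and the 3-denied-prompts-in-10-minutes threshold is an illustrative choice, not a product default.

```python
"""Baseline-and-deviation checks over sign-in records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known good" history used to build each user's normal profile.
# Field names are an assumption, not a real Entra export schema.
BASELINE = [
    {"user": "alice@contoso.example", "time": "2025-03-03T08:05:00", "country": "US", "app": "Outlook", "result": "success"},
    {"user": "alice@contoso.example", "time": "2025-03-04T08:12:00", "country": "US", "app": "Teams", "result": "success"},
    {"user": "alice@contoso.example", "time": "2025-03-05T17:40:00", "country": "US", "app": "SharePoint", "result": "success"},
    {"user": "bob@contoso.example", "time": "2025-03-03T09:00:00", "country": "CA", "app": "Outlook", "result": "success"},
    {"user": "bob@contoso.example", "time": "2025-03-04T09:10:00", "country": "CA", "app": "Teams", "result": "success"},
    {"user": "carol@contoso.example", "time": "2025-03-03T09:00:00", "country": "US", "app": "Teams", "result": "success"},
]

# Constructed recent activity to evaluate against that profile.
RECENT = [
    {"user": "alice@contoso.example", "time": "2025-03-10T02:10:00", "country": "NG", "app": "Outlook", "result": "success"},
    {"user": "alice@contoso.example", "time": "2025-03-10T02:15:00", "country": "NG", "app": "Exchange PowerShell", "result": "success"},
    {"user": "bob@contoso.example", "time": "2025-03-10T03:00:00", "country": "RU", "app": "Outlook", "result": "mfa_denied"},
    {"user": "bob@contoso.example", "time": "2025-03-10T03:02:00", "country": "RU", "app": "Outlook", "result": "mfa_denied"},
    {"user": "bob@contoso.example", "time": "2025-03-10T03:04:00", "country": "RU", "app": "Outlook", "result": "mfa_denied"},
    {"user": "bob@contoso.example", "time": "2025-03-10T03:06:00", "country": "RU", "app": "Outlook", "result": "success"},
    {"user": "carol@contoso.example", "time": "2025-03-10T09:05:00", "country": "US", "app": "Teams", "result": "success"},
]

MFA_BURST_THRESHOLD = 3                   # illustrative: denied prompts that count as a burst
MFA_BURST_WINDOW = timedelta(minutes=10)  # illustrative: window those prompts must fall in


def build_profile(records):
    """Per-user set of countries and apps seen in successful sign-ins."""
    profile = defaultdict(lambda: {"countries": set(), "apps": set()})
    for rec in records:
        if rec["result"] == "success":
            profile[rec["user"]]["countries"].add(rec["country"])
            profile[rec["user"]]["apps"].add(rec["app"])
    return profile


def detect(recent, profile):
    """Return deduplicated findings for sign-ins that deviate from the baseline."""
    findings, seen = [], set()

    def add(user, kind, detail):
        # One finding per (user, type, detail) so repeated sign-ins do not spam the list.
        if (user, kind, detail) not in seen:
            seen.add((user, kind, detail))
            findings.append({"user": user, "type": kind, "detail": detail})

    denied_times = defaultdict(list)
    for rec in sorted(recent, key=lambda r: r["time"]):
        user, base = rec["user"], profile.get(rec["user"])
        if base is None:
            add(user, "no_baseline", "no successful sign-in history for this user")
        else:
            if rec["country"] not in base["countries"]:
                add(user, "new_country", rec["country"])
            if rec["app"] not in base["apps"]:
                add(user, "new_app", rec["app"])
        if rec["result"] == "mfa_denied":
            denied_times[user].append(datetime.fromisoformat(rec["time"]))

    # Burst of authentication prompts: N denied MFA prompts inside a sliding window.
    for user, times in denied_times.items():
        for i in range(len(times) - MFA_BURST_THRESHOLD + 1):
            if times[i + MFA_BURST_THRESHOLD - 1] - times[i] <= MFA_BURST_WINDOW:
                minutes = int(MFA_BURST_WINDOW.total_seconds() // 60)
                add(user, "mfa_burst", f"{MFA_BURST_THRESHOLD}+ denied MFA prompts within {minutes} minutes")
                break
    return findings


if __name__ == "__main__":
    for f in detect(RECENT, build_profile(BASELINE)):
        print(f"{f['user']:<24} {f['type']:<12} {f['detail']}")
```

Run against the constructed data, Alice is flagged for a never-seen country and a never-seen application, Bob for a new country and an MFA prompt burst, and Carol for nothing. Each finding is a prompt for a human to look, which is the point the section makes: the signal only matters if someone is watching it.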
Pattern 2: Quiet email behavior that becomes a business problem
- Inbox rules that forward or redirect mail outside the organization
- “Invisible” mailbox manipulation (moving, deleting, or hiding messages)
- Impersonation that uses real internal context pulled from email threads
One reason this second pattern is so dangerous is that it can create a silent “side channel” out of your environment—long before anyone realizes a compromised account is in play. CISA specifically calls out suspicious email forwarding rules as something organizations should identify and remove as part of defensive countermeasures.
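The forwarding and hiding rules described above leave a trace in the audit trail when they are created or changed, which is what makes them detectable. The block below is an added example, not code from the original post or from any vendor tooling: it parses constructed JSON records shaped like the AuditData of Microsoft 365 audit entries for inbox-rule operations and flags rules that forward or redirect mail to an address outside the organization, delete messages, move mail into folders people rarely open, or filter on financial subject terms. The exact field names, the internal-domain list, and the folder and keyword lists are assumptions to adapt to a real tenant.

```python
"""Flag inbox rules that exfiltrate or hide mail (added example, constructed audit data)."""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}          # assumption: the tenant's own accepted domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RARELY_VIEWED_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                         "junk email", "deleted items", "archive"}   # assumption
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}  # assumption

# Constructed sample records shaped like AuditData JSON for inbox-rule operations.
SAMPLE_AUDIT_RECORDS = [
    '{"CreationTime":"2025-03-10T02:20:00","Operation":"New-InboxRule","UserId":"alice@contoso.example",'
    '"ClientIP":"203.0.113.25","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"ForwardTo","Value":"drop@mail-collector.example"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2025-03-10T09:00:00","Operation":"New-InboxRule","UserId":"bob@contoso.example",'
    '"ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Team updates"},'
    '{"Name":"ForwardTo","Value":"bob-team@contoso.example"},{"Name":"MoveToFolder","Value":"Projects"}]}',
    '{"CreationTime":"2025-03-10T11:45:00","Operation":"Set-InboxRule","UserId":"carol@contoso.example",'
    '"ClientIP":"203.0.113.80","Parameters":[{"Name":"Name","Value":"Invoices"},'
    '{"Name":"SubjectContainsWords","Value":"invoice;wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},'
    '{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2025-03-10T12:00:00","Operation":"New-InboxRule","UserId":"dave@contoso.example",'
    '"ClientIP":"198.51.100.9","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
]


def _params(record):
    """Flatten the Parameters array into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def external_recipients(value):
    """Split a recipient list and keep only addresses outside INTERNAL_DOMAINS."""
    recipients = [r.strip() for r in re.split(r"[;,]", value) if r.strip()]
    return [r for r in recipients if _domain(r) not in INTERNAL_DOMAINS]


def evaluate_rule(record):
    """Return a finding dict for a suspicious rule, or None for a benign one."""
    params, reasons = _params(record), []
    for param in FORWARDING_PARAMS:
        if param in params:
            ext = external_recipients(params[param])
            if ext:
                reasons.append(f"{param} sends mail to external address: {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage enabled: matching mail never reaches the user")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in RARELY_VIEWED_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & FINANCE_WORDS
    if hits:
        reasons.append(f"subject filter on financial terms: {', '.join(sorted(hits))}")
    name = params.get("Name", "").strip()
    if len(name) <= 1:
        reasons.append("rule name is blank or a single character")
    if not reasons:
        return None
    return {"user": record["UserId"], "operation": record["Operation"], "rule": name,
            "client_ip": record.get("ClientIP"), "time": record.get("CreationTime"), "reasons": reasons}


def scan(audit_json_records):
    """Parse each AuditData JSON string and collect findings in input order."""
    findings = []
    for raw in audit_json_records:
        finding = evaluate_rule(json.loads(raw))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_RECORDS):
        print(f"{f['time']} {f['user']} {f['operation']} rule='{f['rule']}' from {f['client_ip']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On the constructed data, Alice's rule is flagged three times over (external forward, delete, and a one-character name), Carol's rule is flagged for parking invoice and wire mail in the RSS folder, and Bob's and Dave's ordinary rules pass. In a real tenant the same logic runs over the output of the audit log search for inbox-rule operations, and the finding is the cue to review and, per the CISA guidance the paragraph cites, remove the rule.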
These aren’t abstract scenarios for us—they’re exactly the categories of identity risk our Managed ITDR offering is built to address in Microsoft 365: monitoring identities and activity to stop credential theft, session hijacking, and business email compromise, including unauthorized logins and malicious inbox rules.
What ITDR is (and what it isn’t)
ITDR stands for Identity Threat Detection & Response. In plain English, it’s the discipline of:
- Detecting risky identity behavior (not just “did the password match?”)
- Interpreting identity signals in context (what’s normal vs. what’s concerning)
- Responding quickly to contain and recover when something looks suspicious or confirmed compromised
The key idea: modern identity platforms can generate meaningful risk signals—but those signals only help if someone is consistently watching, validating, and taking action. Microsoft Entra ID Protection, for example, outlines a broad set of risk detections tied to sign-in and user risk—covering suspicious activity patterns that can indicate compromise.
In other words: the signals exist. The gap is whether they’re being turned into real outcomes.
Why “managed” ITDR matters more than most people expect
In most organizations, the failure point isn’t effort—it’s ownership.
Even with solid tools in place, alerts can be noisy, scattered across dashboards, or popping up when nobody’s around to interpret them. Identity incidents also don’t politely wait for business hours. That’s why managed coverage matters: it makes response a capability, not a hope.
This is also why we emphasize always-on support as part of what we do. If something happens after-hours—whether it’s a login anomaly, a compromised account, or a business-disrupting event—you want a real team that can triage and move toward resolution quickly. That’s the kind of model our 24/7 helpdesk is designed for: immediate response, real people, and fast triage without long waits or bots.
Managed ITDR should feel like this at a leadership level:
- fewer surprises,
- faster containment,
- clearer “what happened / what we did / what changes next” communication,
- and less disruption to the business.
What leaders should do next (without turning this into a DIY project)
This isn’t a checklist to hand your team and walk away. It’s a short set of prompts that helps you quickly identify whether identity risk is truly covered—or whether it’s currently “nobody’s job”:
- Who is actively monitoring Microsoft 365 identity risk signals today? (Not “who would check if something went wrong,” but “who is watching.”)
- If an account takeover starts at 2:00 a.m., who owns containment?
- Can our IT partner explain—clearly—how they detect and respond to suspicious sign-ins and mailbox manipulation?
- Are our highest-impact roles (finance, execs, admins) protected differently than everyone else?
- If suspicious forwarding rules were created tomorrow, would anyone notice—quickly?
If you don’t love the answers—or if you’re not sure who owns them—that’s a signal worth taking seriously.
Closing thought
If identity is the new perimeter, then protecting the business means more than “we turned on MFA.” It means having the ability to detect abnormal identity behavior early and respond quickly—before it turns into fraud, downtime, or reputational damage.
If you’re on Microsoft 365 and you’re not sure who’s watching identity risk signals and responding in real time, contact us to talk through Managed ITDR for your environment.
