The Security Gap Most Businesses Don’t Know They Have

Identity Threat Detection and Response

Imagine an attacker has your employee’s username and password. Maybe it was lifted through a phishing email. Maybe it was reused across accounts and exposed in an unrelated breach. Either way, they have it.

They open a browser, type in your employee’s Microsoft 365 login page, and sign in. Your antivirus doesn’t fire, your email filter doesn’t flag anything, and your monitoring tools show no alerts.

From the perspective of your existing tools, a legitimate user just logged in. And now that attacker is sitting quietly inside your environment, reading emails, watching financial conversations, and waiting for the right moment to strike.

This is the scenario most businesses have not built a cybersecurity defense for. And it is happening regularly across organizations of all sizes.

The Tools You Have Were Built for a Different Problem

Antivirus software is excellent at catching malware. Email filtering stops a lot of phishing attempts before they reach your inbox, and multi-factor authentication (MFA) adds a meaningful barrier to unauthorized access.

These are all worthwhile investments. But none of them answer the question: what happens after someone logs in with credentials they shouldn’t have?

That’s not a design flaw. It’s simply not what those tools were built to do. They’re prevention layers, working hard to stop an attacker from getting in. But once someone has valid login credentials, the attacker looks exactly like a regular user. The tools that got you this far have no way to tell the difference.

That gap is real and significant. For businesses running on Microsoft 365, the gap is being exploited.

What Identity Threat Detection and Response Actually Does

Identity Threat Detection and Response (ITDR) is a security layer that monitors what happens inside your Microsoft 365 environment after authentication. Rather than focusing on whether someone logged in, it focuses on what they’re doing once they are in.

ITDR watches for the behavioral patterns that legitimate users don’t usually exhibit:

  • Logins from unusual or unexpected locations.
  • New inbox rules created shortly after a sign-in.
  • Changes to account privileges or permissions.
  • Access to files and data outside of normal working patterns.
  • Connections to third-party applications that weren’t there before.

Most employees do not log in at 2 AM from an IP address in Eastern Europe. They also do not immediately create a rule to forward emails containing the word “invoice” to an external address or quietly access the finance folder. But attackers do. ITDR recognizes those patterns and acts on them.
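As an added illustration (not code from the original article or from Anderson Technologies' tooling), the following Python sketch expresses the correlation just described and the containment plan from the response section below: a sign-in from outside a user's usual countries or outside business hours, followed within a short window by a new inbox rule that forwards mail to an external address. The audit records, the `example.com` tenant domain, the per-user country baselines and the business-hours window are constructed assumptions; the field names loosely follow Microsoft 365 unified audit log entries but are simplified.

```python
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"           # assumed tenant domain (constructed)
WINDOW = timedelta(minutes=30)       # a rule created this soon after a risky sign-in is suspicious
BUSINESS_HOURS = range(7, 20)        # assumed normal working hours, 07:00-19:59 local
FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
# Constructed per-user baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

# Constructed sample records; field names loosely follow Microsoft 365 unified audit log entries (simplified, not from a real tenant).
EVENTS = [
    {"CreationTime": "2024-03-04T09:02:11", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "Country": "US"},
    {"CreationTime": "2024-03-05T02:07:45", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "Country": "RO"},
    {"CreationTime": "2024-03-05T02:11:02", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": {"SubjectContainsWords": "invoice", "ForwardTo": "drop@attacker-mail.example"}},
    {"CreationTime": "2024-03-05T10:30:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"SubjectContainsWords": "newsletter", "MoveToFolder": "Reading"}},
]

def _ts(e):
    return datetime.fromisoformat(e["CreationTime"])

def risky_signin(e):
    """Sign-in from outside the user's baseline countries or outside business hours."""
    if e["Operation"] != "UserLoggedIn":
        return False
    unusual_place = e.get("Country") not in BASELINE_COUNTRIES.get(e["UserId"], set())
    return unusual_place or _ts(e).hour not in BUSINESS_HOURS

def external_forward(e):
    """New inbox rule that forwards or redirects mail to an address outside ORG_DOMAIN."""
    if e["Operation"] != "New-InboxRule":
        return False
    params = e.get("Parameters", {})
    return any(not params[k].lower().endswith("@" + ORG_DOMAIN) for k in FORWARD_KEYS if k in params)

def detect(events):
    """Correlate each user's risky sign-ins with external-forwarding rules created soon after."""
    findings, last_risky = [], {}
    for e in sorted(events, key=_ts):
        user = e["UserId"]
        if risky_signin(e):
            last_risky[user] = _ts(e)
        elif external_forward(e):
            recent = user in last_risky and _ts(e) - last_risky[user] <= WINDOW
            # Containment plan mirroring the response the article describes; returned as data, not executed.
            plan = ["disable-account", "revoke-sessions", "remove-inbox-rule"] if recent else ["remove-inbox-rule", "review-signins"]
            findings.append({"user": user, "rule": e["Parameters"], "severity": "high" if recent else "medium", "response": plan})
    return findings
```

Run against the constructed events, `detect(EVENTS)` returns a single high-severity finding for the off-hours sign-in from an unfamiliar country followed four minutes later by an external "invoice" forwarding rule, while the internal move-to-folder rule is ignored.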

It Doesn’t Just Alert, It Fixes

One of the biggest limitations of traditional security monitoring is that it tells you something has gone wrong without doing much about it. By the time a human reviews an alert, interprets it, and takes action, significant time has passed.

The ITDR solution we deploy works differently. When suspicious activity is detected, the response is immediate and automatic.

Within minutes of detection, the account is locked, active sessions are terminated, and any malicious inbox rules are reversed. The attacker is cut off before they can redirect a payment, exfiltrate data, or use your email domain to target your clients.

That distinction matters. In a real account compromise, minutes count. The faster the response, the less disruption to your business continuity.

Business Email Compromise: The Risk That Lands Hardest

The most common reason attackers want inside a Microsoft 365 account is financial. Business email compromise (BEC)—where an attacker uses a compromised account to redirect payments, alter invoice details, or impersonate a trusted contact—is now the second costliest form of cybercrime reported to the FBI.

According to the FBI’s IC3 2025 Annual Report, BEC resulted in close to $2.8 billion in losses. What makes these attacks particularly damaging is how convincing they are.

The email doesn’t come from a suspicious-looking address or contain the telltale signs of a scam. It comes from a real account, used by a real employee your contacts already trust, because that’s exactly what the attacker is using.

Spam filters don’t catch it, and recipients don’t question it. But ITDR addresses this by intercepting the compromise at the point of account takeover, not after the fraudulent message has already been sent.

Who Needs This Layer of Protection?

ITDR is most valuable for organizations that:

  • Run their business operations primarily through Microsoft 365.
  • Handle sensitive financial communications, contracts, or client data.
  • Have users who are frequently targeted by phishing attempts.
  • Need to satisfy growing cyber insurance requirements around identity security.
  • Want stronger protection without creating friction or complexity for everyday users.

In practice, this describes most growing businesses.

Credential theft is not an enterprise-only problem. Attackers automate their reconnaissance and target organizations of all sizes. The sophistication of the attack doesn’t change based on how many employees you have.

The Bigger Picture

Layered security works best when each layer covers what the others can’t. Email filtering, antivirus, and MFA all serve a purpose. ITDR fills the gap that sits behind all of them—the space between a successful login and the moment damage is done.

For businesses running on Microsoft 365, that gap is worth closing.

At Anderson Technologies, our consultancy approach shows you exactly how identity threat detection works in practice, what a real response looks like, and what it would mean for your specific environment.

Get in touch to understand how identity threat detection would work in your environment.

FAQs

  1. What is Identity Threat Detection and Response (ITDR)?
    ITDR is a security layer that monitors user behavior inside platforms like Microsoft 365 after login. It detects anomalies such as unusual access patterns, new inbox rules, and privilege changes that indicate an account may have been compromised, and it responds automatically to contain the threat.
  2. Does MFA protect against account compromise?
    MFA significantly raises the bar for attackers, but it doesn’t eliminate the risk entirely. Many modern attacks are designed to bypass MFA by prompting the user to approve a fraudulent authentication request. Once that approval is given, the attacker has a valid session. ITDR monitors what happens after that point.
  3. What is business email compromise (BEC)?
    Business email compromise is a form of attack where a cybercriminal uses a legitimate employee email account to conduct financial fraud, typically by altering payment details or impersonating trusted contacts. It’s one of the most financially damaging cybercrimes reported to the FBI, and it almost always begins with an account being compromised.
  4. How does ITDR work with the security tools I already have?
    ITDR doesn’t replace your existing tools—it extends them. Antivirus, email filtering, and MFA all focus on preventing unauthorized access. ITDR covers what comes after authentication, detecting and responding to threats that have slipped past those first lines of defense.
  5. Is ITDR only relevant for large businesses?
    Attackers increasingly use automation to target organizations of all sizes. Any business running sensitive operations through Microsoft 365—particularly those handling financial data or client communications—has meaningful exposure to identity-based attacks.


Luke Bragg


As CTO of Anderson Technologies, Luke Bragg leads the firm’s technical strategy and innovation initiatives.