The Attack That Doesn't Look Like an Attack: Account Takeover and Why We Added ITDR
Account takeover is now one of the costliest ways a business loses money to cybercrime — and it sails past both your email filter and your MFA. Here's how the attack works, why your existing tools miss it, and the identity layer (ITDR) we added to close the gap.
- ✓Account takeover — not ransomware — is one of the most likely ways a small business loses money to cybercrime
- ✓These attacks come from a hacked colleague’s real account, and routinely slip past both email filters and MFA
- ✓ITDR watches the identity after login and contains a compromise automatically — the gap MFA and email security leave open
- ✓We added an ITDR layer to our stack; we like Petra, Huntress, and Blumira and match the right one to your environment — ask us
The attack that doesn’t look like an attack
For years, the advice was simple: don’t click suspicious links, and don’t trust the email from the “Nigerian prince.” That advice is now out of date.
Today’s most successful attacks don’t come from a stranger. They come from a trusted colleague whose account has already been hacked. The attacker uses that real account to send a real-looking message — a shared document, an invoice, a quick request — and because it comes from inside a domain you trust, it slides right past spam filters and email security. Your team is far more likely to click, because everything about it looks legitimate.
The numbers are not subtle:
- More than 90% of cyberattacks start with a phishing email. (CISA)
- Between 2013 and 2023, business email compromise (BEC) drove more than $55 billion in global exposed losses — that figure counts attempted and intercepted dollars as well as actual theft. (FBI IC3)
- In 2023, the average reported BEC loss was about $137,000; the median was closer to $50,000, because a handful of very large incidents pull the average up. (FBI IC3 / Verizon DBIR)
- An organization with fewer than 1,000 employees has roughly a 70% chance of seeing at least one BEC attempt in any given week. (Abnormal Security, 2024)
BEC has been one of the two costliest categories of cybercrime the FBI tracks for years — it was the single largest category by reported losses in 2020 and 2021, and today it ranks second only to investment fraud. And this stopped being an enterprise-only problem a while ago. Attackers automate, so company size doesn’t protect you — as the weekly-attempt number above shows, small businesses are squarely in scope.
Why your existing tools miss it
Two assumptions trip most businesses up.
“Our email security catches phishing.” Modern attacks arrive from a hacked-but-legitimate account, often carrying a link to a file the attacker has staged on real Microsoft infrastructure (a SharePoint or OneDrive share) or a plain invoice request. There is nothing for a filter to flag: the sender is a real mailbox in a domain you already trust, the link resolves to Microsoft's own hosts, and the content reads like normal business. It gets through.
“We have MFA, so we’re covered.” MFA is necessary, but it’s no longer sufficient. Microsoft observed a 146% jump in adversary-in-the-middle (AiTM) phishing — the kind purpose-built to defeat MFA — in 2024. In one security firm’s incident-response caseload, nearly 80% of BEC victims had MFA correctly enabled. The reason usually isn’t that someone typed their code into a fake page (though that happens). It’s that modern phishing kits proxy the real login and steal the session token after MFA has already succeeded — then ride that valid, already-trusted session. To Microsoft 365, nothing looks wrong. On top of that, attackers increasingly log in from U.S. residential IP addresses specifically so they don’t look “foreign” to a simple location check.
And once they’re in, they move fast — these attacks are heavily automated. The attacker goes straight for the crown jewels — invoices, financial statements, payroll, legal documents — reads and exfiltrates what matters, sets up hidden inbox rules, and starts sending fraud from your domain. Every minute counts, and the damage breaks down into three buckets:
| Risk | What actually happens |
|---|---|
| Financial | Fraudulent invoices to your clients, tampered banking details, diverted payroll. Average reported BEC loss: about $137,000. |
| Data | Sensitive emails and files — invoices, financials, passwords, legal documents — accessed, exfiltrated, and often sold on the dark web or reused in the next attack. |
| Reputational | Phishing sent from your domain to your clients. If a client loses money, you may be on the hook legally or contractually. |
This is the gap we wanted to close, and it’s specifically a Microsoft 365 identity problem — not something one more email filter solves.
What we did about it: we added an ITDR layer
We added ITDR — Identity Threat Detection and Response — to our managed security stack. ITDR is a different job than antivirus or email filtering. Antivirus watches the device. Email security watches the inbox. ITDR watches the identity — the account itself and everything it does across Microsoft 365: Entra ID sign-ins, Exchange, SharePoint, OneDrive, and Teams. It’s built for exactly the attack described above: the one that already got past the filter and past MFA, and is now logged in and looking around.
A good ITDR layer does three things native Microsoft 365 doesn’t do well on its own:
- It catches compromises in minutes, not days — by watching what an account does after login (mail rules, file access, app grants), not just where it logged in from. That’s how it flags the residential-IP, post-MFA, valid-session attack that location rules wave through.
- It responds automatically. When a compromise is confirmed, the account is locked, sessions are killed, and the things attackers leave behind get cleaned up too — malicious inbox rules, rogue OAuth apps, attacker-added MFA methods. For a business without a 24/7 security team, automatic containment is the part that actually changes the outcome.
- It doesn’t lock out your traveling employees. The good tools use behavioral analytics rather than a blunt “unusual location” rule, so your CFO logging in from a hotel doesn’t get locked out — but the attacker on a residential IP still does.
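The three detections above, and the session-replay pattern described under “We have MFA, so we’re covered,” come down to correlating a handful of post-login events per identity. The block below is an added example, not code from this page or from any of the ITDR products it names. It runs detection logic over a constructed, simplified set of audit events (the field names and operation names are assumptions, loosely modelled on what a Microsoft 365 audit log records; real records carry many more fields) and turns the findings into a containment plan. It flags a session cookie reused from a second network without its own MFA, an inbox rule that hides invoice mail, an app consent with mail-reading scopes, and an MFA method registered minutes after the replay, while leaving a later MFA-backed login from a hotel network alone.

```python
"""Toy post-login ITDR detection and containment planner (added example).

Event shape is a constructed simplification, not the real unified audit log.
"""
from datetime import datetime, timedelta

FINANCE_WORDS = ("invoice", "payment", "wire", "payroll", "bank")
RISKY_SCOPES = ("Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access")
REPLAY_WINDOW = timedelta(hours=8)   # how long a stolen session is worth replaying
PERSISTENCE_WINDOW = timedelta(hours=1)

# Constructed sample: one CFO mailbox, one day. IPs/ASNs are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2024-05-06T09:02:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa": True, "session": "S1"},   # real MFA login
    {"time": "2024-05-06T09:05:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "asn": "AS64511", "mfa": False, "session": "S1"},  # same cookie, new network
    {"time": "2024-05-06T09:06:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "rule": {"name": ".", "subject_contains": ["invoice", "payment"],
              "delete": True, "forward_to": None}},
    {"time": "2024-05-06T09:07:00", "user": "cfo@example.com", "op": "ConsentToApplication",
     "app": "Invoice Sync Helper", "scopes": ["Mail.Read", "offline_access", "User.Read"]},
    {"time": "2024-05-06T09:09:00", "user": "cfo@example.com", "op": "MfaMethodAdded",
     "method": "Authenticator app"},
    {"time": "2024-05-06T14:00:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "192.0.2.44", "asn": "AS64496", "mfa": True, "session": "S2"},     # hotel, fresh MFA
    {"time": "2024-05-06T14:10:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "rule": {"name": "Newsletters", "subject_contains": ["digest"],
              "delete": False, "forward_to": None}},
]


def _t(rec):
    return datetime.fromisoformat(rec["time"])


def detect_session_replay(events):
    """Same session id seen from a second network, without that use satisfying MFA itself."""
    findings, first_seen = [], {}
    for ev in sorted(events, key=_t):
        if ev["op"] != "UserLoggedIn":
            continue
        origin = first_seen.setdefault(ev["session"], ev)
        if origin is ev:
            continue
        if ev["asn"] != origin["asn"] and not ev["mfa"] and _t(ev) - _t(origin) <= REPLAY_WINDOW:
            findings.append({"kind": "session_replay", "user": ev["user"],
                             "session": ev["session"], "ip": ev["ip"], "time": ev["time"]})
    return findings


def detect_inbox_rules(events):
    """Rules that hide or divert mail, target finance keywords, or carry a throwaway name."""
    findings = []
    for ev in events:
        if ev["op"] != "New-InboxRule":
            continue
        rule, tenant = ev["rule"], ev["user"].split("@")[1]
        reasons = []
        if rule.get("delete"):
            reasons.append("deletes mail")
        if rule.get("forward_to") and not rule["forward_to"].endswith("@" + tenant):
            reasons.append("forwards outside the tenant")
        if any(w in s.lower() for s in rule.get("subject_contains", []) for w in FINANCE_WORDS):
            reasons.append("targets finance keywords")
        if len(rule["name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"kind": "inbox_rule", "user": ev["user"], "rule": rule["name"],
                             "reasons": reasons, "time": ev["time"]})
    return findings


def detect_app_consent(events):
    """Third-party app grants that can read mail or files, or keep access via refresh tokens."""
    return [{"kind": "app_consent", "user": ev["user"], "app": ev["app"],
             "scopes": sorted(set(ev["scopes"]) & set(RISKY_SCOPES)), "time": ev["time"]}
            for ev in events
            if ev["op"] == "ConsentToApplication" and set(ev["scopes"]) & set(RISKY_SCOPES)]


def detect_mfa_method_added(events, findings):
    """An MFA method registered shortly after a replayed session is attacker persistence."""
    replays = [(f["user"], _t(f)) for f in findings if f["kind"] == "session_replay"]
    return [{"kind": "mfa_method", "user": ev["user"], "method": ev["method"], "time": ev["time"]}
            for ev in events if ev["op"] == "MfaMethodAdded"
            and any(u == ev["user"] and timedelta(0) <= _t(ev) - t <= PERSISTENCE_WINDOW
                    for u, t in replays)]


def plan_containment(findings):
    """Lock the identity first, then undo what the attacker left behind."""
    actions = []
    for user in sorted({f["user"] for f in findings}):
        actions += [f"revoke all sessions for {user}",
                    f"disable sign-in for {user} pending password reset"]
    for f in findings:
        if f["kind"] == "inbox_rule":
            actions.append(f"remove inbox rule {f['rule']!r} from {f['user']}")
        elif f["kind"] == "app_consent":
            actions.append(f"revoke consent for app {f['app']!r} granted by {f['user']}")
        elif f["kind"] == "mfa_method":
            actions.append(f"remove MFA method {f['method']!r} added to {f['user']}")
    return actions


def analyze(events):
    findings = detect_session_replay(events) + detect_inbox_rules(events) + detect_app_consent(events)
    findings += detect_mfa_method_added(events, findings)
    findings.sort(key=_t)
    return findings, plan_containment(findings)


if __name__ == "__main__":
    found, plan = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["kind"], {k: v for k, v in f.items() if k not in ("time", "kind")})
    print("\n".join(plan))
```

The design choice worth noting is that the hotel login at 14:00 is a new session that satisfied MFA on its own, so nothing fires; the 09:05 event fires not because the network changed but because the same session cookie reappeared on a different network without a fresh MFA. That is the distinction a blunt “unusual location” rule cannot make, and it is why the rule-based ITDR detections above look at what the session does next (rules, consents, MFA registrations) rather than only where it came from.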
We don’t lock clients into one ITDR product — we’re candid about that. There are three we like most, and the right fit depends on what you already run: Petra (a surgical, MSP-first Microsoft 365 identity tool with the fastest automated remediation and two-click deployment), Huntress (managed ITDR backed by a 24/7 SOC, with humans in the loop), and Blumira (a SIEM-style approach with visibility well beyond Microsoft 365, strong for compliance reporting). We dig into how they compare in our Petra ITDR review and ITDR comparison. The point isn’t the logo on the dashboard — it’s that you have some ITDR coverage, and that it fits your stack, your compliance needs, and your budget.
Why this matters for our regulated clients
If you operate under HIPAA, CSBS, or another compliance regime, an account compromise isn’t just a cost — it’s a reportable event, and the documentation burden afterward is real. Fast detection shrinks the blast radius, and the forensic record a good ITDR tool produces — a clear, timestamped account of what the attacker touched, plus an executive-friendly report — is exactly the kind of evidence an examiner or an incident-response process wants to see. For our vCISO engagements, that combination is the point.
How to find out if you’re already exposed
Here’s the uncomfortable thing about account compromise: most businesses don’t know they have one. Attackers can sit quietly in a mailbox for weeks or months, reading and waiting for the right invoice to tamper with.
So rather than ask you to take our word for it, we’d rather show you. We can run a free scan of your Microsoft 365 environment. It works with your existing licensing, takes minutes to set up, and looks back through your logs to answer one question: is anyone already in here that you don’t know about? If the answer is no, you get a clean report and some peace of mind. If the answer is yes, you’ll be very glad you asked.
Run a free identity scan before anything else. It’s the fastest, lowest-risk way to find out whether someone is already in your Microsoft 365 tenant. We’re happy to run one with you and walk through the results — no commitment.
Strengthen your identity security
Brivy IT assesses your Microsoft 365 identity posture and deploys the right ITDR layer for your business.
Worried about account takeover on your Microsoft 365?
We'll run a free identity threat scan and recommend the right ITDR fit — Petra, Huntress, Blumira, or a combination.
