Identity Threat Detection & Response

The attack that got past your filters is sitting in your inbox right now.

Account takeover is now one of the costliest ways a business loses money to cybercrime — and it slips past both your email filter and your MFA. Brivy IT watches your Microsoft 365 around the clock, catches compromises in minutes, and shuts them down before they cost you money, data, or your clients' trust.

CREDENTIALS & CERTIFICATIONS

  • Powered by Petra Security
  • Microsoft 365 Identity
  • SOC 2 Type II
  • HIPAA-aware
  • Month-to-month, no lock-in

  • 90%+ of cyberattacks start with a phishing email (CISA)
  • $55B+ global BEC exposed losses, 2013–2023 (FBI IC3)
  • 146% rise in MFA-bypass (AiTM) phishing in 2024 (Microsoft)
  • 70% weekly BEC-attempt odds for orgs under 1,000 staff (Abnormal, 2024)

Account compromise is now one of the costliest cybercrimes

For years the advice was simple: don’t click suspicious links, and don’t trust the email from a stranger. That advice is out of date. Today’s most damaging attacks come from a trusted colleague whose account has already been hacked — and because the message comes from inside a domain you trust, it slides past spam filters and your team is far more likely to act on it.

Business email compromise (BEC) has been one of the two costliest categories of cybercrime the FBI tracks for years. It was the single largest category by reported losses in 2020 and 2021, and today it ranks second only to investment fraud, with more than $55 billion in global exposed losses logged between 2013 and 2023. And it stopped being an enterprise-only problem long ago — attackers automate, so company size is not protection. Even an organization with fewer than 1,000 employees has roughly a 70% chance of at least one BEC attempt in any given week (Abnormal Security, 2024).

Past your email filter. Past your MFA.

“Our email security catches phishing.”

Today's attacks come from a real, hacked colleague's account, often with a Microsoft-laundered link to a shared file or invoice. The sender is trusted and the link points to legitimate Microsoft infrastructure — there is nothing for a filter to flag, and your team is far more likely to click.

“We have MFA, so we're fine.”

Microsoft saw a 146% jump in MFA-bypass (AiTM) phishing in 2024. In one security firm's incident-response caseload, nearly 80% of BEC victims had MFA correctly enabled — because modern kits steal the session token after MFA succeeds and ride a valid session. MFA is necessary, but no longer sufficient.

Three ways a compromise hurts you

Financial risk

Fraudulent invoices to your clients, tampered banking details, diverted payroll. The average reported BEC loss is about $137,000 per incident (FBI IC3); the median runs closer to $50,000.

Data risk

Sensitive emails and files — invoices, financials, passwords, legal documents — accessed and exfiltrated, then often sold on the dark web or reused in the next attack.

Reputational risk

Attackers use your compromised account to phish your clients. Those emails bypass security because they come from your domain. If a client loses money, you may be held legally or contractually liable.

ITDR, watching your identity layer 24/7

Antivirus watches the device. Email security watches the inbox. ITDR watches the identity — the account itself and everything it does across Entra ID, Exchange, SharePoint, OneDrive, and Teams. It’s built for the attack that already beat your other tools and is now logged in and looking around.

Detect in minutes, not days

We watch the raw Microsoft identity signals and flag a takeover while the attacker is still in reconnaissance — before the wire goes out. Containment is measured in seconds to a couple of minutes, not hours.

Remediate automatically

On a confirmed compromise: lock the account, kill active sessions, and clean up what the attacker left behind — malicious inbox rules, rogue OAuth apps, attacker-added MFA methods. The alert is the end of the work, not the start.

No lockouts for real employees

Behavioral analytics, not blunt location rules. Your CFO on hotel Wi-Fi and a VPN keeps working; the attacker on a residential proxy gets shut down.

Clear forensics and reports

A timestamped record of exactly what the attacker touched, plus an executive-ready report — the evidence your incident-response process and your auditors actually want.

A layer, not a replacement

ITDR sits alongside what you already run. It does not replace MFA, email security, or endpoint protection — it covers the gap they leave.

| Control | What it watches | Catches the post-login takeover? |
| Email security / spam filter | Inbound mail | No — the attacker is already inside |
| MFA | The login challenge | No — modern BEC rides a valid, already-MFA'd session |
| Endpoint / antivirus | The device | No — this is a cloud-identity attack |
| ITDR (Petra) | The Microsoft 365 identity, 24/7 | Yes — that is the whole job |

Why we run our ITDR on Petra

We evaluated the field and built our managed ITDR service on Petra Security. It’s purpose-built for Microsoft 365 and for providers managing multiple client tenants. What sold us:

  • Built for M365 identity attacks — BEC, token theft, AiTM phishing, and session hijacking specifically, across Entra ID, Exchange, SharePoint, OneDrive, and Teams.
  • Fast, automatic response — one-click and automated lockdown, plus cleanup of attacker persistence (inbox rules, rogue OAuth apps, attacker-added MFA).
  • Behavioral detection — evaluates roughly 20–30 signals per user, so travel and VPNs don’t cause lockouts while genuine attacks still get caught.
  • Works with your licensing — Microsoft 365 Business Basic and up; no Entra ID P1/P2 required.
  • Minutes to deploy — installs as a Microsoft enterprise OAuth app approved in two clicks, with no agent and no long tuning period.
  • Fits our stack — integrates with the PSA and RMM tooling Brivy already runs.
  • Compliance-ready — SOC 2 Type II certified, HIPAA compliant, with 12 months of searchable M365 telemetry.
  • No lock-in — month-to-month.

We also help clients who want to choose for themselves: we don’t lock anyone into a single tool, and we’re happy to compare Petra against alternatives like Huntress and Blumira. See our ITDR review and comparison for that breakdown.

Find out if someone’s already in your tenant

Most businesses with an active compromise don’t know it — attackers can lurk quietly for weeks or months, waiting for the right invoice to tamper with. So we’ll show you instead of telling you. Our free Microsoft 365 scan:

  • Works with your existing Microsoft 365 licensing
  • Sets up in minutes as an enterprise app
  • Reviews your historical logs for active or past compromises
  • Gives you a clear report either way

A clean result is peace of mind. If we find something, you’ll be very glad you looked.

ITDR & Microsoft 365 account protection FAQs

What is ITDR?

Identity Threat Detection and Response — monitoring your accounts and identity activity (sign-ins, mailbox actions, file access, app grants) to detect and stop account takeovers, then automatically respond by locking the account, revoking sessions, and removing the attacker's persistence. It's distinct from antivirus (which watches devices) and email security (which watches inbound mail).

How is this different from the MFA and email filtering we already have?

Those stop many attacks, but the most damaging ones are designed to beat both — modern BEC steals a valid session token after MFA has already succeeded. ITDR catches the attacker after they're logged in, which is precisely where the other tools stop looking.

Do we need a specific Microsoft 365 license?

No. Petra works with Microsoft 365 Business Basic and above. Richer licenses add more data, but there's no Entra ID P1/P2 requirement.

How long does setup take?

Minutes. It deploys as a Microsoft enterprise OAuth app approved in two clicks and begins monitoring immediately — no agent, no long tuning period.

Will it lock out our employees when they travel?

No. It uses behavioral analysis instead of blunt location rules, so legitimate travel and VPN use don't trigger lockouts, while genuine attacks still do.

Can you check whether we're already compromised?

Yes — that's the free scan. It reviews your existing Microsoft 365 logs and tells you whether there's an active or past compromise you didn't know about.

Today's attacks hit your Microsoft 365. We watch it so they don't win.

We'll run a free identity threat scan and tell you whether anyone is already in your tenant — no obligation.

Run a free M365 scan · (385) 200-7323