Cyber criminals no longer need to break through a firewall or deploy malware to get into your business. Increasingly, they simply log in. A stolen session token, a phished password, or a malicious application granted access through a routine-looking consent prompt is often all it takes to gain a foothold inside a Microsoft 365 environment, and from there, inside your email, your files and your Teams conversations.
For non-technical leaders, this can feel like a problem that belongs to IT. In reality, identity has become the primary attack surface for most UK SMEs, and account compromise is now one of the most common routes into a business, ahead of the network-level attacks that traditional security tools were built to catch. If an attacker gains control of the right Microsoft 365 account, the consequences show up as financial fraud, data exposure and operational disruption, not as a technical alert nobody sees.
This article breaks down why identity has overtaken the network as the main point of compromise, the specific attack patterns we see most often against Microsoft 365 environments, and the practical steps that reduce the risk without adding friction to how your teams work day to day.
Why Identity Has Become the Primary Attack Surface
Traditional security tools were built to watch devices and networks: firewalls at the edge, antivirus on the endpoint. Attackers have adapted. Rather than fighting through those layers, they go after the one thing that grants access to everything behind them, which is the user's identity.
Modern attackers focus on user identities, Microsoft 365 accounts, privileged administrators, email systems and the third-party applications users grant access to. Once an attacker has a legitimate identity, whether through a stolen password, a hijacked session or a malicious application, they can often operate for weeks inside a business without detection, reading email, downloading files and quietly preparing the next stage of the attack.
Recent threat intelligence backs this up. CrowdStrike's most recent research found that the majority of detections involved no malware at all, just stolen credentials and legitimate administrative tools used the way a genuine employee would use them. Verizon's latest breach data attributes around a third of Microsoft 365 breaches to stolen session tokens rather than stolen passwords. That is precisely the kind of activity a firewall or antivirus product was never designed to catch, and precisely why identity monitoring has become essential rather than optional.
Common Identity Threats Facing UK SMEs on Microsoft 365
Most identity-based incidents fall into a small number of recurring patterns. The specifics vary, but the underlying mechanics are consistent across the businesses we work with.
Account Takeover Through Stolen Credentials
An attacker obtains a username and password, usually through phishing, a data breach on an unrelated site where the same password was reused, or infostealer malware on a personal device. If multi-factor authentication is not enforced, or the attacker has a way around it, they log in directly, exactly as the genuine user would.
Session Hijacking and Token Theft
This is the attack method causing the most concern among security teams at the moment. Rather than stealing a password, an attacker uses an adversary-in-the-middle phishing kit to sit between the user and the real Microsoft login page. The user enters their password and completes MFA exactly as normal, and Microsoft issues a valid session token. The attacker's proxy intercepts that token in transit and replays it from their own device. To Microsoft 365, the attacker now looks exactly like the legitimate user, already past the MFA check, because the token itself has become the credential that matters. MFA remains essential, but on its own it no longer stops this category of attack.
Rogue and Over-Privileged Applications
Attackers register malicious applications and trick users into granting them access through a consent prompt that looks routine. Once granted, that access commonly persists even after the user changes their password, because it was never tied to the password in the first place. Monitoring application consent activity is one of the more overlooked parts of identity security, and one of the most effective.
Business Email Compromise
Once inside a mailbox, either through a compromised account or a convincing impersonation, attackers commonly redirect invoice payments by altering bank details on a genuine-looking email, or divert payroll by impersonating an employee to HR. Losses from individual incidents in the UK regularly run into five and six figures, and because there is often no malware involved, standard endpoint protection has nothing to detect.
Suspicious Mailbox Rules and Hidden Persistence
A common way attackers cover their tracks is a mailbox rule that quietly forwards every email containing the word "invoice" to an external address, or one that deletes incoming replies from a bank confirming a payment change. These rules are simple to create and, without active monitoring, easy to miss for months. Our glossary entry on Exchange Online covers how mailbox configuration and mail flow rules work within Microsoft 365, including where these kinds of attacker-created rules typically hide.
The Monitoring and Visibility Challenge
Many SMEs struggle with identity security because they cannot clearly answer three questions:
- Who has signed in to our Microsoft 365 tenant recently, from where, and does that pattern look normal?
- What third-party applications have been granted access to our data, and by whom?
- How would we know if an account had been compromised, rather than finding out weeks later when a payment goes missing?
Microsoft 365 generates a large volume of sign-in logs and security signals, but having the data is not the same as having visibility. Without a clear approach to monitoring, important events get missed, or teams get overwhelmed by alerts that do not translate into action. Base-tier Microsoft licensing typically covers authentication events but very little post-authentication monitoring, which is exactly the gap that session hijacking and token theft are designed to exploit.
This is where continuous identity monitoring helps, by correlating sign-in activity, mailbox behaviour, application consent and administrative changes so that a suspicious pattern, not just a single isolated event, gets flagged and investigated. A sign-in from an unfamiliar country is not necessarily concerning on its own. Followed by a new mailbox rule and a change to a supplier's bank details, it is a different picture entirely. This kind of correlation is central to what our glossary describes as Managed Detection and Response, applied specifically to identity.
Building an Identity Threat Detection and Response Capability
Detection on its own is only useful if something happens with the result. A monitoring tool that generates alerts nobody reviews outside office hours provides very little practical protection. A properly resourced approach combines continuous monitoring with the human judgement needed to act on it.
- 24/7 monitoring, watching identity activity across Microsoft 365 continuously, including outside business hours, when many account takeover attempts actually happen.
- Human-led investigation, with suspicious activity reviewed by security professionals to separate genuine risk from noise, rather than leaving your team to triage raw alerts themselves.
- Threat validation, focusing on confirmed risks instead of generating thousands of low-value alerts.
- Incident response guidance, giving clear, specific remediation steps when a genuine threat is identified, so it can be contained quickly.
- Regular reporting, so you have ongoing visibility into what has been detected, what action was taken, and where risk remains.
Strong identity hygiene should sit alongside this monitoring, not replace it. Enforcing multi-factor authentication, applying conditional access policies through Microsoft Entra ID, and removing unnecessary administrative rights all reduce the number of genuine incidents that reach the monitoring stage in the first place. Getting the foundational controls right, and having Cyber Essentials certification in place, remains the single highest-impact starting point for most SMEs. You can read more about that process on our Cyber Essentials Certification page.
How We Build a Proactive Identity Security Strategy
As a Microsoft Solutions Partner, our role is to make identity security practical, measurable and sustainable for UK SMEs, not just another dashboard nobody has time to watch. We typically start by establishing a clear view of your current identity posture: who has access to what, where MFA gaps exist, and which third-party applications already hold access to company data.
From there, a proactive strategy usually includes baseline identity controls such as MFA and conditional access, continuous monitoring that correlates sign-in activity with mailbox and application behaviour, and a clear incident response process so that when something genuine is flagged, your team knows exactly what happens next. Many organisations already have much of this capability sitting unused inside their existing Microsoft 365 licensing. When it is configured and actively managed, rather than left switched off by default, it can meaningfully change how quickly a compromise is caught.
Find Out Whether Your Microsoft 365 Tenant Is Actually Being Watched
Most businesses have some security controls in place. Far fewer have somebody actively looking for the specific signs of identity compromise: suspicious sign-ins, rogue application consent, mailbox rule abuse, unusual administrative activity. Advantage helps UK SMEs understand where their identity risk really sits, then puts practical, prioritised monitoring and controls in place. If you want a clear, business-focused view of your Microsoft 365 identity security, speak to our team.
Contact Advantage today or call 020 3004 4600.
Read more about our Cyber Security services or explore Cyber Essentials Certification.
Related Resources
Glossary: Phishing
Microsoft Entra ID: MFA and Conditional Access
Glossary: Managed Detection and Response
Glossary: Exchange Online
Cyber Essentials Certification