Identity Security Guide

Identity Attacks: How Small Businesses Get Compromised

A plain-English guide to the account takeover paths that matter most in Microsoft 365 environments: phishing, MFA fatigue, password spraying, token theft, BEC, OAuth consent abuse, shared mailbox misuse, and admin compromise.

For most small businesses, identity is now the new perimeter. Staff open email in Microsoft 365, store files in OneDrive and SharePoint, join Teams meetings from phones, and approve payments from wherever work happens. That flexibility is useful, but it also means a stolen password or hijacked session can become a business-wide incident quickly.

Identity attacks are not only a technical problem. They affect payment approvals, client communication, legal files, patient scheduling, tax documents, and day-to-day trust inside a small office. The practical goal is to make account compromise harder, make suspicious activity visible, and make response steps clear before anyone is under pressure.

[Infographic: account compromise paths (Identity, Phish, Token, Admin, BEC) converging on identity controls. Key figures: 8 identity attack paths, 15m response target, 4 control layers.]
Estimated reading time: 14 minutes
Primary systems: Microsoft 365, Entra ID, email, Teams, SharePoint, OneDrive, finance workflows
Who this guide is for: Owners, office managers, clinic administrators, law firms, accountants, consultants, and Microsoft 365 decision-makers at 5-50 employee businesses.
Last reviewed: April 2026

Who this guide is for

Microsoft 365 offices

Businesses using Exchange Online, Teams, OneDrive, SharePoint, and cloud sign-ins as the center of daily work.

Professional service firms

Law, accounting, consulting, engineering, and advisory firms where email threads often drive approvals and client work.

Clinics and regulated offices

Teams with sensitive scheduling, intake, and client or patient communication that cannot afford messy account recovery.

What identity attacks mean in plain English

An identity attack targets the account, session, or permission that proves someone is allowed to access business systems. Instead of breaking into a server first, the attacker tries to sign in as a real person, trick them into approving access, steal their session, or abuse an app permission the user granted.

That is why these attacks feel normal at first. The sign-in may be for a real user. The email may come from a real mailbox. The SharePoint access may use a real token. The defence has to look beyond “was the password correct?” and ask whether the behaviour makes sense for that user, device, location, and business process.

Real-world scenario: a small accounting firm during tax season

A bookkeeper receives a Microsoft 365 sign-in prompt after clicking what appears to be a shared document from a client. The password and MFA prompt are completed on a phishing proxy. The attacker captures the active session, searches the mailbox for invoice and payment terms, then creates an inbox rule that hides replies from the firm owner.

Nothing looks like a Hollywood breach. Email still works. The bookkeeper can still sign in. Two days later, a vendor receives updated payment instructions from the compromised mailbox. This is why identity security needs MFA, Conditional Access, mailbox auditing, payment verification, and endpoint monitoring working together.

How identity compromise usually unfolds

Most incidents we see are a chain of ordinary-looking events, not one dramatic event.

1. Lure or credential attempt
Phishing email, password spray, MFA prompt fatigue, stolen password, or malicious OAuth consent request.
2. Session or mailbox access
The attacker signs in, steals a token, adds an app permission, or enters through a legacy protocol.
3. Discovery and persistence
Mailbox searches, forwarding rules, MFA method changes, app grants, or hidden inbox rules help maintain access.
4. Business action
Invoice redirection, internal phishing, data download, password resets, or administrator takeover attempts follow.

Identity attack paths small businesses should recognize

These attacks overlap. A single incident may start with phishing, continue through token theft, and end as business email compromise.

Initial access

Credential phishing
  Shows up as: Fake Microsoft, DocuSign, courier, bank, or file-sharing login page.
  Business impact: Mailbox access, SharePoint data exposure, internal phishing.
  First control: MFA, phishing-resistant training, Safe Links, sign-in review.

MFA fatigue
  Shows up as: Repeated approval prompts until a user taps approve to make them stop.
  Business impact: Account access despite the password not being newly entered.
  First control: Number matching, Conditional Access, user reporting process.

Password spraying
  Shows up as: Common passwords tried slowly across many staff accounts.
  Business impact: One weak password becomes email or cloud file access.
  First control: MFA, smart lockout, legacy auth block, sign-in log monitoring.

Session abuse

Business impact

Persistence

OAuth consent abuse
  Shows up as: A user grants a third-party app permission to read mail or files.
  Business impact: Persistent access without a normal interactive login.
  First control: Admin consent workflow, app governance, permission reviews.

Operational blind spots

Shared mailbox abuse
  Shows up as: Too many users have access, or a shared workflow masks who acted.
  Business impact: Harder investigations and weak accountability.
  First control: Delegate review, audit logs, no shared passwords.

Protocol risk

Tenant control

Admin takeover
  Shows up as: Admin account sign-in from an odd location, or a new MFA method added.
  Business impact: Tenant-wide control, mailbox access, data and policy changes.
  First control: Separate admin accounts, phishing-resistant MFA, alerts.

Warning signs and red flags

Impossible travel or unfamiliar sign-ins

A user appears in Toronto and another country within minutes, or signs in from networks never used by the business.

New inbox rules or forwarding

Rules that hide replies, move messages, or forward mail externally are common in BEC cases.

Unexpected MFA changes

New phone numbers, authenticator devices, or security info changes need immediate review.

Suspicious app consent

A user authorizes an app that requests broad mailbox, file, or offline access.

Failed logins across many users

A tenant-wide pattern is more important than one account having a few failed attempts.

Payment or vendor changes by email only

Banking changes should be verified through a known out-of-band method, not the same email thread.
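Two of the warning signs above, impossible travel and failed logins spread across many users, can be checked mechanically against exported sign-in logs. The following is an added example, not code from the original guide: it runs over a constructed set of Entra-style sign-in records (the users, IPs, and coordinates are made up) and flags a low-and-slow password spray and a Toronto-to-abroad sign-in pair that no traveller could make.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed Entra-style sign-in records (sample data, not a real tenant):
# (timestamp, user, source IP, city, latitude, longitude, result).
SIGNINS = [
    ("2026-04-01T08:00:00", "bookkeeper@firm.example", "203.0.113.7", "Toronto", 43.65, -79.38, "Success"),
    ("2026-04-01T08:11:00", "bookkeeper@firm.example", "198.51.100.9", "Lagos", 6.52, 3.38, "Success"),
    ("2026-04-01T09:00:00", "owner@firm.example", "203.0.113.7", "Toronto", 43.65, -79.38, "Success"),
    ("2026-04-01T09:20:00", "owner@firm.example", "203.0.113.8", "Toronto", 43.65, -79.38, "Success"),
    # One source address trying a few passwords against many different staff accounts.
    ("2026-04-01T02:00:00", "alice@firm.example", "192.0.2.50", "Unknown", 0.0, 0.0, "Failure"),
    ("2026-04-01T02:03:00", "bob@firm.example", "192.0.2.50", "Unknown", 0.0, 0.0, "Failure"),
    ("2026-04-01T02:06:00", "carol@firm.example", "192.0.2.50", "Unknown", 0.0, 0.0, "Failure"),
    ("2026-04-01T02:09:00", "dave@firm.example", "192.0.2.50", "Unknown", 0.0, 0.0, "Failure"),
    ("2026-04-01T02:12:00", "erin@firm.example", "192.0.2.50", "Unknown", 0.0, 0.0, "Failure"),
    # One user mistyping a password is noise, not a spray: one account, one IP.
    ("2026-04-01T08:30:00", "frank@firm.example", "203.0.113.7", "Toronto", 43.65, -79.38, "Failure"),
]

def detect_password_spray(events, min_users=5, max_per_user=3):
    """Return {ip: [users]} for IPs whose failures touch many accounts, few tries each."""
    failures = defaultdict(lambda: defaultdict(int))
    for _ts, user, ip, _city, _lat, _lon, result in events:
        if result == "Failure":
            failures[ip][user] += 1
    return {ip: sorted(users) for ip, users in failures.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}

def _km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=900):
    """Return (user, from_city, to_city, km/h) for successive successful sign-ins faster than an airliner."""
    by_user = defaultdict(list)
    for ts, user, _ip, city, lat, lon, result in events:
        if result == "Success":
            by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)  # floor at one minute
            kmh = _km(la1, lo1, la2, lo2) / hours
            if kmh > max_kmh:
                hits.append((user, c1, c2, round(kmh)))
    return hits
```

The thresholds (five accounts, three tries each, 900 km/h) are starting points; tune them to the tenant's size and to which countries staff genuinely travel between.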

What to do first

Enforce MFA everywhere

Start with admins, owners, finance, and high-risk users, then cover every human account.

Turn on Conditional Access where licensed

Require stronger checks for risky sign-ins, unmanaged devices, admins, and external locations.

Disable legacy authentication

Remove POP, IMAP, and basic SMTP paths that can weaken MFA enforcement.

Review mailbox rules and app permissions

Look for external forwarding, hidden rules, and broad OAuth grants.

Protect endpoints

Token theft and browser credential theft often start on a compromised device.

Document payment verification

Make staff comfortable pausing and verifying payment changes before money moves.

Suspected account compromise runbook

Use this when an account, mailbox, MFA method, or payment thread looks wrong.

1. Contain the account

Revoke sessions, reset the password, reset MFA methods, and temporarily block sign-in if ownership is uncertain.

2. Preserve evidence

Export sign-in logs, mailbox audit records, inbox rules, forwarding settings, and suspicious messages before cleanup.

3. Hunt for persistence

Check OAuth app grants, new MFA devices, hidden mailbox rules, delegated access, external forwarding, and admin role changes.

4. Protect money movement

Warn finance and client-facing staff, verify any payment changes out-of-band, and review recent invoice or banking requests.

5. Reset affected trust

Rotate exposed credentials, review device health, remove risky app consent, and notify impacted contacts when needed.

6. Close the control gap

Document the entry path, tighten Conditional Access or mailbox controls, and add monitoring so the same path is visible next time.
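Step 3 of the runbook, and the earlier advice to review mailbox rules for external forwarding and hidden rules, both come down to triaging every inbox rule in the tenant. The following is an added example, not code from the original guide: it scores constructed rule records (shaped like the fields Exchange Online reports for inbox rules; the mailboxes and addresses are made up) against the BEC indicators the guide describes, including the accounting-firm scenario's rule that buries invoice replies.

```python
# Constructed inbox-rule records shaped like the fields Exchange Online reports for inbox
# rules (Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead,
# SubjectContainsWords). Sample data, not a real tenant.
INTERNAL_DOMAINS = {"firm.example"}
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email"}
WATCH_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa"}

def make_rule(mailbox, name, **fields):
    """Build a rule record with benign defaults, overridden by the given fields."""
    base = {"Mailbox": mailbox, "Name": name, "Enabled": True, "ForwardTo": [],
            "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": None,
            "MarkAsRead": False, "SubjectContainsWords": []}
    return {**base, **fields}

RULES = [
    # The accounting-firm scenario: a rule named "." that buries invoice replies.
    make_rule("bookkeeper@firm.example", ".", SubjectContainsWords=["invoice", "payment"],
              MoveToFolder="RSS Feeds", MarkAsRead=True),
    make_rule("bookkeeper@firm.example", "Owner replies", DeleteMessage=True),
    make_rule("owner@firm.example", "Copy to personal", ForwardTo=["owner.backup@mail.example"]),
    make_rule("owner@firm.example", "Newsletters", SubjectContainsWords=["newsletter"],
              MoveToFolder="Newsletters"),
]

def _external(addresses):
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def triage_rule(r):
    """Return the BEC-style indicators one inbox rule exhibits (empty list if benign)."""
    flags = []
    if not r["Enabled"]:
        return flags
    ext = _external(r["ForwardTo"]) + _external(r["RedirectTo"])
    if ext:
        flags.append("forwards or redirects externally: " + ", ".join(ext))
    if r["DeleteMessage"]:
        flags.append("deletes matching messages")
    if r["MoveToFolder"] in HIDING_FOLDERS:
        flags.append("moves mail to rarely-read folder " + r["MoveToFolder"])
    if r["MarkAsRead"] and (r["MoveToFolder"] or r["DeleteMessage"]):
        flags.append("marks as read so no unread badge appears")
    if {w.lower() for w in r["SubjectContainsWords"]} & WATCH_WORDS:
        flags.append("filters on finance or security keywords")
    if not r["Name"].strip(" .,-_"):
        flags.append("blank or punctuation-only rule name")
    return flags

def suspicious_rules(rules):
    """Map (mailbox, rule name) to its indicators for every rule that has any."""
    return {(r["Mailbox"], r["Name"]): f for r in rules if (f := triage_rule(r))}
```

Export the rules before running anything like this, since step 2 of the runbook needs the originals preserved, and treat any external forward or delete rule as worth a phone call to the mailbox owner even when it is the only indicator.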

Common mistakes

Assuming MFA solves every identity risk

MFA is essential, but token theft, OAuth consent, and active sessions still need monitoring and policy controls.

Leaving shared passwords in use

Shared mailbox workflows should use delegation and auditing, not one password passed around the office.

Ignoring admin accounts

Global admins should not be daily email accounts. They need stronger MFA and tighter monitoring.

Treating finance controls as “not IT”

BEC prevention requires both technical controls and a simple payment verification process.

Recommended controls

Microsoft 365 identity baseline
MFA, Conditional Access, blocked legacy auth, admin separation, mailbox auditing, alert policies, and Secure Score review.
Endpoint and browser protection
EDR or MDR, browser update management, credential theft detection, and device compliance for sensitive roles.
Email and mailbox controls
Anti-phishing policies, external forwarding restrictions, DKIM/DMARC, Safe Links, mailbox rule alerts, and user reporting.
Operational response
Know how to revoke sessions, reset MFA methods, preserve logs, review inbox rules, and communicate with affected staff.

Practical Microsoft 365 licensing path

Identity controls depend on licensing, so the right path should match risk and budget.

Security Defaults / basics

Useful for very small tenants that need MFA on quickly.

  • Enable MFA baseline coverage
  • Block obvious legacy sign-in paths
  • Review admin accounts manually

Microsoft 365 Business Premium

Best practical target for most 5-50 person professional offices.

  • Conditional Access policies
  • Intune device compliance
  • Defender for Business and stronger identity controls

Higher-risk roles

Owners, finance, admins, partners, and users handling sensitive client records.

  • Phishing-resistant MFA where practical
  • Separate admin accounts
  • Tighter alerts and session review

FAQ

Are identity attacks mostly a Microsoft 365 problem?

Microsoft 365 is a common target because email, files, Teams, and identity all meet there. The same principles apply to Google Workspace, accounting portals, CRM systems, and remote access tools.

Can MFA be bypassed?

MFA greatly reduces risk, but active session theft, phishing proxies, OAuth consent abuse, and compromised devices can still create access. That is why Conditional Access, endpoint protection, and logging matter.

What should we check first after a suspected mailbox compromise?

Revoke sessions, reset the password and MFA methods, review inbox and forwarding rules, check sign-in logs, inspect sent mail, and preserve audit logs before cleanup.

Do small businesses need separate admin accounts?

Yes. Admin accounts should be separate from daily email accounts, protected with strong MFA, and used only for administration.