Microsoft 365 Identity Protection
Your people's M365 passwords are almost certainly already on a list somewhere. We spot the moment an attacker tries to use one — and stop them before they move money, forward invoices or set silent inbox rules.
Powered by Huntress Managed ITDR — delivered by Ingenio as a Huntress Secure Partner.
Always-on monitoring, UK-based human triage, 3-minute mean-time-to-respond on confirmed identity incidents.
If your team logs into Microsoft 365 or Google Workspace, your biggest cyber risk now is identity — not malware. Drop your details in and we’ll call you back the same working day.
The attacker doesn't need malware any more
Your antivirus stops malicious software. Your firewall blocks unwanted traffic. Neither of them can tell you that a staff member’s Microsoft 365 password is right now being used by someone in another country to read your invoices.
Your passwords are already out there
Credential dumps from third-party breaches include passwords your team reused. Attackers don't 'hack' an account — they log in with a valid password they already have. No alert fires, because from M365's view, it's a normal login.
MFA isn't the full answer
MFA is essential, but attackers now routinely bypass it — stealing live session tokens via phishing proxies (evilginx, Tycoon), getting users to approve fatigue prompts, or abusing OAuth app consent for persistent access without ever needing the password again.
Once they're in, they move quickly
A typical BEC attack takes under an hour from compromised login to silently forwarded invoices or a fraudulent supplier-bank-change email. By the time someone spots it externally, tens of thousands of pounds have already moved.
HOW WE PROTECT YOUR IDENTITY ESTATE
Three stages, running continuously
Same three-stage model as our Security Operations Centre — applied to your Microsoft 365 identities, not your endpoints.
Detect
- Huntress ITDR streams every identity event out of your M365 or Google Workspace tenant
- Sign-ins, token activity, OAuth consents, inbox rule changes, admin actions — all monitored 24/7
- Backed by real Huntress analysts, not automated-only rules
- No premium Microsoft licensing required — works on any tier
Investigate
- Human analyst investigates real signals within minutes — not hours
- Huntress reports a 3-minute mean-time-to-respond on confirmed incidents
- Under 5% false positive rate — low alert fatigue, high signal
- Context-aware triage: who, when, from where, what was touched
Respond
- Affected accounts disabled, compromised sessions killed
- Malicious inbox rules reversed, rogue OAuth consents revoked
- Containment within the same attack window, not after the fact
- Plain-English briefing on what happened and what (if anything) you need to do
WHAT M365 IDENTITY PROTECTION ACTUALLY DOES
The four things Huntress ITDR watches for
Plain-English version of what an identity-focused SOC looks for 24/7 across your Microsoft 365 or Google Workspace tenant.
Session hijacking
Attackers steal live login tokens via phishing-proxy kits (evilginx, Tycoon). We detect the token being reused from the wrong place — a different country, a different device, a different network fingerprint — and kill the session.
Rogue OAuth apps
One of the most common silent attacks: a staff member clicks 'allow' on a malicious app, giving the attacker persistent read/send access to their mailbox without any password or MFA prompt ever again. We spot unusual consent events and remove the app.
Malicious inbox rules
The single most reliable BEC signal: an attacker quietly creates a rule that forwards or deletes invoice emails. We detect these rules the moment they're created and roll them back.
MFA bypass and impossible travel
Unusual login patterns — a successful sign-in from London and Lagos within ten minutes, an MFA prompt approved from a never-seen device, a sign-in from attacker infrastructure. Flagged, investigated, contained.
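A minimal sketch of two of the signals described above: the London-to-Lagos sign-in pair and a first-time forwarding rule to an outside address. This is an added example, not Huntress's or Ingenio's detection logic. The event fields, the 900 km/h threshold, the 50 km floor and the `corp.example` domain are assumptions, and the events are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumed threshold: roughly airliner cruising speed

# Constructed sample events; field names are illustrative, not a real audit-log schema.
EVENTS = [
    {"t": "2026-01-12T09:00:00", "user": "amy", "type": "signin", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"t": "2026-01-12T09:10:00", "user": "amy", "type": "signin", "lat": 6.5244, "lon": 3.3792, "city": "Lagos"},
    {"t": "2026-01-12T09:14:00", "user": "amy", "type": "inbox_rule", "forward_to": "drop@mail.example"},
    {"t": "2026-01-12T10:00:00", "user": "bob", "type": "signin", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"t": "2026-01-12T13:00:00", "user": "bob", "type": "signin", "lat": 50.8225, "lon": -0.1372, "city": "Brighton"},
    {"t": "2026-01-12T13:05:00", "user": "bob", "type": "inbox_rule", "forward_to": "bob.archive@corp.example"},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two sign-in events."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events, own_domain="corp.example", rule_history=frozenset()):
    """Return (user, signal, detail) findings in time order."""
    findings, last_signin, seen_rule = [], {}, set(rule_history)
    for e in sorted(events, key=lambda e: e["t"]):
        user = e["user"]
        if e["type"] == "signin":
            prev = last_signin.get(user)
            if prev:
                hours = (datetime.fromisoformat(e["t"]) - datetime.fromisoformat(prev["t"])).total_seconds() / 3600
                km = km_between(prev, e)
                # Ignore short hops; flag only when the implied speed is not physically plausible.
                if km > 50 and km / max(hours, 1 / 3600) > MAX_KMH:
                    findings.append((user, "impossible_travel", f"{prev['city']} -> {e['city']}"))
            last_signin[user] = e
        elif e["type"] == "inbox_rule":
            external = not e["forward_to"].lower().endswith("@" + own_domain)
            # Flag external forwarding only from accounts with no earlier rule activity.
            if external and user not in seen_rule:
                findings.append((user, "first_external_forward_rule", e["forward_to"]))
            seen_rule.add(user)
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Pass `rule_history` the set of accounts already known to have created inbox rules, so that only first-time rule creators are flagged.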
What's included as standard
Everything below is included when you add Microsoft 365 Identity Protection to your Ingenio Managed Cyber Security package.
The client we nearly lost to a month-long silent takeover
Details anonymised. The events are real and sit behind why we now offer this as a service.
Recently, a distribution business we support was hit with a phishing email. A staff member clicked the link, entered their Microsoft 365 password, and unknowingly handed it to an attacker. The password had also been reused on another site that had been breached — a password manager would have caught that, which is why we now push them so hard. But that’s a different fix.
The attacker logged into Microsoft 365 with a valid password. No alert fired. They then did what attackers always do next: set up silent email forwarding rules so every inbound email to that staff member would be copied to their external address. From the outside, everything looked completely normal.
Then they watched. For roughly a month. Learning who reported to whom, which suppliers were active, how invoicing worked, what language the client used internally, who authorised payments. They built a picture of the business using a combination of internal emails they were intercepting and publicly available information. And then they struck — with a set of business-email-compromise emails designed to redirect a large supplier payment to their own bank account.
The good news: the client had invested heavily in security awareness training. A staff member noticed something off about one of the BEC emails — the phrasing didn’t quite match the colleague it claimed to be from — and escalated it to us before any money moved. Good training, alert staff, and a lucky escape.
That incident is why we’re now a Huntress Secure Partner offering ITDR. The attack had three detectable signals from the moment it started — an unusual login, a forwarding rule created by an account that had never created one before, and a session persisting from an unfamiliar location. Huntress ITDR catches all three within minutes. A month of silent surveillance simply doesn’t happen. Our client today has ITDR running; so do their peers who asked what we learned.
The honest lesson: in 2026, the question isn’t whether your M365 passwords will end up in an attacker’s hands. It’s whether, once they’re in, you have a specialist on watch who’ll notice — and whether they’ll notice within minutes or months. Staff training is a vital last line; ITDR is the one in front of it.
WHAT OUR CLIENTS SAY
We take identity seriously because our clients do
Ingenio Technologies is a Huntress Secure Partner. Huntress is our independent specialist for identity threats — a third-party set of eyes on every Microsoft 365 tenant we manage. Below, what our clients say more generally.
ALSO WORTH KNOWING
Worried about threats beyond M365?
ITDR watches your identity layer — Microsoft 365 and Google Workspace. For threats that reach your endpoints and network (ransomware, malicious executables, lateral movement on your LAN), that’s the job of our Security Operations Centre.
Most modern attacks start with identity (phishing, credential reuse, session theft), then move to endpoints. ITDR and the Security Operations Centre cover different halves of the same attack chain. Ideally, you have both — and you do, if you’re on our full managed cyber security package.
FAQS
Questions we get asked
MFA stops an attacker with your password alone. ITDR catches what happens when MFA is bypassed — which in 2026 is a regular occurrence. Phishing-proxy kits like evilginx and Tycoon steal live session tokens after successful MFA. Rogue OAuth app grants give persistent access without ever needing MFA again. ITDR assumes MFA will eventually be bypassed, and watches for the consequences.
Managed Cyber Security is the overall package — antivirus, patching, EDR, email protection, policy, awareness training. ITDR is the always-on human layer specifically for identity threats in Microsoft 365 and Google Workspace. You get both when you have our managed cyber security.
Our Security Operations Centre watches your endpoints and network — laptops, servers, firewalls. ITDR watches your cloud identities. Most modern attacks start with identity (phishing, credential reuse, session theft), then move to endpoints. Both cover different halves of the same attack chain. Ideally, you have both.
We’re a Huntress Secure Partner because Huntress Managed ITDR is, in our assessment, the strongest commercially-available product for the SMB/mid-market identity threat space right now. They publish real, verifiable metrics (3-min MTTR, under 5% false positive), they run a real 24/7 human SOC behind the tooling, and their platform works without requiring premium Microsoft licensing. If a better option emerges, we reserve the right to change our recommendation — the commitment is to the outcome, not the vendor.
Microsoft’s native tooling is decent, but it’s one small part of a very large product family at Microsoft — not the thing they wake up every day thinking about. Huntress is an independent specialist: identity threats are their entire business, their bread and butter, their only focus. Adding a third-party specialist as an independent set of eyes across your Microsoft tenant is the same logic as having an external auditor look over your accounts — the vendor you’re reviewing shouldn’t be the only one watching. Practical benefits alongside that: Huntress runs on any M365 licensing tier (not just E5/P2), covers Google Workspace as well, and comes with a human SOC doing the triage.
Huntress ITDR supports both Microsoft 365 and Google Workspace. Setup is the same service on our side — the telemetry source just changes.
Book a callback using the form at the top of this page, or call us on 01273 806211. We’ll take 20 minutes to understand what you have today, where your identity risk sits, and whether adding ITDR to your managed cyber security makes sense. No hard sell.