Your Microsoft 365 environment is where your business happens. It’s also where attackers want to be.
Most New Zealand businesses have invested in endpoint protection such as antivirus, EDR, or even MDR, but are they leaving a critical attack surface completely exposed, namely their identities?
Identity Threat Detection and Response (ITDR) for Microsoft 365 represents the next frontier in business security, protecting the credentials, sessions, and access patterns that traditional endpoint security tools simply cannot see.
The Identity Attack Surface
Microsoft’s Digital Defense Report 2024 reveals a staggering 600 million identity attacks every single day. These aren’t attacks against devices—they’re attacks against the people and service accounts that access your Microsoft 365 environment. That number will only have increased in the year since that report was published.
Business Email Compromise (BEC) alone represents a $50 billion problem according to the FBI’s Internet Crime Complaint Center. Yet most businesses remain focused exclusively on protecting devices while their identities remain vulnerable.
Here’s why identity attacks are so effective: they don’t need to break through firewalls or bypass antivirus. They simply use legitimate credentials to walk right through the front door.
What ITDR for Microsoft 365 Actually Does
ITDR solutions monitor your Microsoft 365 environment for identity-based threats that endpoint security tools cannot detect. These include session hijacking, credential theft, malicious inbox and forwarding rules, and account takeover attempts.
Leading ITDR platforms provide several critical capabilities:
24/7 Identity Monitoring: Continuous surveillance of all authentication attempts, login patterns, and user behavior across your Microsoft 365 environment. This includes monitoring for impossible travel scenarios (when accounts appear to log in from geographically distant locations within impossible timeframes), unusual access patterns, and legacy authentication attempts that bypass modern security controls.
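As an added illustration of the two checks just described (not Kinetics' code or any ITDR product's logic), the following Python walks a constructed sign-in log, flags legacy-protocol authentications, and computes travel speed between a user's consecutive sign-ins to detect impossible travel. Field names and the 1000 km/h threshold are assumptions for this demo.

```python
"""Added example: impossible-travel and legacy-auth detection over a constructed
Microsoft 365 sign-in log. Field names loosely mirror Entra ID sign-in logs but
are assumptions for this demo, not a real export format."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events: user, UTC time, lat/lon of the source IP, client app.
SIGNINS = [
    {"user": "ana@example.co.nz", "time": "2025-03-03T08:00:00", "lat": -36.85, "lon": 174.76, "client": "Browser"},  # Auckland
    {"user": "ana@example.co.nz", "time": "2025-03-03T09:30:00", "lat": 52.37, "lon": 4.90, "client": "Browser"},     # Amsterdam
    {"user": "ben@example.co.nz", "time": "2025-03-03T08:10:00", "lat": -41.29, "lon": 174.78, "client": "Browser"},  # Wellington
    {"user": "ben@example.co.nz", "time": "2025-03-03T20:10:00", "lat": -33.87, "lon": 151.21, "client": "IMAP4"},    # Sydney, legacy protocol
]

# Legacy protocols that cannot enforce MFA or Conditional Access (assumed list for the demo).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MAX_PLAUSIBLE_KMH = 1000  # roughly airliner speed; anything faster is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def find_alerts(events):
    """Return (user, reason) tuples for impossible travel and legacy authentication."""
    alerts = []
    last_seen = {}  # user -> previous event, so each sign-in is compared with the one before it
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["client"] in LEGACY_CLIENTS:
            alerts.append((ev["user"], f"legacy authentication via {ev['client']}"))
        prev = last_seen.get(ev["user"])
        if prev:
            hours = (datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Guard against a zero time delta (same-second sign-ins) before dividing.
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((ev["user"], f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for user, reason in find_alerts(SIGNINS):
        print(f"ALERT {user}: {reason}")
```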
Rogue Application Detection: Proactive detection and remediation of potentially malicious OAuth applications installed in Microsoft 365 environments. Attackers frequently use legitimate-looking “OAuth apps” to maintain persistent access to your environment without needing passwords.
Shadow Workflow Protection: Detection of malicious inbox rules and email forwarding configurations that attackers create to intercept sensitive communications. These attacks use Microsoft’s built-in email processing capabilities to automatically move emails containing payment information or credentials to hidden folders or external mailboxes, with users remaining completely unaware.
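The inbox-rule patterns described above, as an added triage example that is not Kinetics' or Microsoft's code: each constructed rule uses field names modelled on Exchange Online inbox rule properties, and the internal-domain list, low-visibility folder list and sensitive-word list are assumptions for the demo.

```python
"""Added example: triage inbox rules for the BEC patterns described above
(external forwarding, deletion, filing into low-visibility folders, and
triggers on payment or credential subjects). Rule fields are modelled on
Exchange Online inbox rule properties; the rules themselves are constructed."""

INTERNAL_DOMAINS = {"example.co.nz"}  # assumption: the tenant's own domains
# Folders attackers commonly use to hide intercepted mail (assumed list, not a Microsoft one).
LOW_VISIBILITY_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email", "Deleted Items", "Archive"}
SENSITIVE_WORDS = {"invoice", "payment", "bank", "remittance", "password", "mfa", "verification"}

RULES = [  # constructed sample rules
    {"Name": "Sort newsletters", "Mailbox": "ana@example.co.nz", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "Mailbox": "ben@example.co.nz", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment"], "ForwardTo": ["finance-backup@mail-example.net"],
     "MoveToFolder": "RSS Subscriptions", "DeleteMessage": False},
    {"Name": "Clean up", "Mailbox": "cy@example.co.nz", "Enabled": True,
     "SubjectContainsWords": ["password"], "DeleteMessage": True},
]

def is_external(address):
    """True when the recipient domain is not one of the tenant's own domains."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS

def triage_rule(rule):
    """Return the reasons a rule looks like BEC tradecraft (empty list = benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", []) + rule.get("ForwardAsAttachmentTo", [])
    ext = [t for t in targets if is_external(t)]
    if ext:
        reasons.append(f"forwards to external mailbox {', '.join(ext)}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if rule.get("MoveToFolder") in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"hides mail in '{rule['MoveToFolder']}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])} & SENSITIVE_WORDS
    # Sensitive keywords alone are normal (people file invoices); they matter when paired with hiding or exfiltration.
    if words and reasons:
        reasons.append("triggers on sensitive subject words " + ", ".join(sorted(words)))
    if len(rule.get("Name", "")) <= 2:
        reasons.append("suspiciously short rule name")
    return reasons

def triage_all(rules):
    """Map mailbox -> findings, keeping only rules that produced at least one reason."""
    findings = {r["Mailbox"]: triage_rule(r) for r in rules}
    return {mailbox: reasons for mailbox, reasons in findings.items() if reasons}
```

In a real tenant the rule list would come from an inbox-rule export rather than the constructed `RULES` list.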
Session Hijacking Prevention: Identification of stolen session tokens that allow attackers to bypass multi-factor authentication entirely. Even with MFA enabled, session hijacking lets attackers impersonate legitimate users.
Human-Validated Alerts: Unlike automated systems that generate overwhelming volumes of false positives, mature ITDR platforms provide human-verified threat intelligence. Every alert is actionable, human-validated, and designed to address real threats while minimizing noise.
Rapid Incident Response: When threats are confirmed, ITDR platforms provide clear remediation guidance and can automatically disable compromised accounts to prevent further damage.
How ITDR Complements MDR
If you’re already running Managed Detection and Response (MDR) for your endpoints, ITDR isn’t a replacement. It is a critical complement. Here’s why both are essential:
MDR protects devices. ITDR protects identities. An attacker who compromises a user’s Microsoft 365 account doesn’t need to touch any endpoint device. They can access email, SharePoint, Teams, and OneDrive from anywhere in the world using stolen credentials or hijacked sessions.
MDR sees endpoint activity. ITDR sees cloud authentication and access patterns. When someone logs into Microsoft 365 from an unusual location or sets up a malicious forwarding rule, there’s no endpoint event to detect—the activity happens entirely in the cloud.
MDR stops malware. ITDR stops Business Email Compromise. BEC attacks don’t use malware. They use social engineering, credential theft, and legitimate Microsoft features weaponized for malicious purposes.
Think of it this way: MDR is your security guard watching your physical office. ITDR is your security guard watching who’s accessing your cloud workspace. You need both.
The Security Evolution: Antivirus → EDR → MDR
To understand where ITDR fits, it helps to understand the evolution of endpoint security:
Antivirus was the foundation—signature-based detection that identifies known malware by comparing files against a database of malware signatures. It effectively identifies well-known threats but struggles with more advanced, rapidly evolving attacks.
Endpoint Detection and Response (EDR) represented a significant advancement. Instead of relying on known malware definitions to prevent threats, EDR analyses the behaviour of workstations, often with the help of artificial intelligence, and can identify suspicious behaviour patterns even when the specific threat is unknown.
Managed Detection and Response (MDR) adds the critical human element. While EDR relies on sophisticated technology to monitor, detect, and respond to threats, it can only operate within its programmed parameters. MDR combines the technology of EDR with human expertise and instinct.
MDR isn’t just one tool but a combination of systems including EDR, a Security Operations Center (SOC), Security Information and Event Management (SIEM), and Threat Intelligence Discovery.
The progression is clear: each level adds more sophisticated detection capabilities and, critically, more expert human oversight.
Why This Matters for New Zealand Businesses
Most New Zealand businesses run their operations through Microsoft 365. Email, document collaboration, customer communications, financial data all flow through this environment. Yet many businesses protect their endpoints comprehensively while leaving their Microsoft 365 identities exposed.
The strategic question isn’t whether identity attacks will target your business. It is whether you’ll detect them when they do.
Kinetics’ 2026 Strategic Security Enhancement
Understanding this evolving threat landscape, Kinetics is currently implementing a comprehensive security upgrade across our KARE Foundation service:
All PCs upgraded to MDR (Managed Detection and Response), providing:
- Advanced behavioral detection beyond traditional antivirus capabilities
- 24/7 expert monitoring from our Security Operations Center
- Rapid threat response with human verification reducing false positives
- Comprehensive endpoint visibility across all protected devices
All users upgraded to ITDR (Identity Threat Detection and Response), delivering:
- Continuous Microsoft 365 identity monitoring for credential theft and session hijacking
- Rogue application detection catching malicious OAuth apps
- Business Email Compromise protection through inbox rule monitoring
- Human-validated threat alerts minimizing false positives while maximizing protection
This dual enhancement exemplifies the strategic approach we advocate: protecting both the devices your team uses and the identities they use to access business-critical systems. Neither layer alone provides complete protection—together, they create comprehensive coverage against modern threats.
The Strategic Security Framework
Effective modern security requires multiple layers working together:
- MDR for Endpoints: Protecting devices from malware, ransomware, and endpoint-based attacks
- ITDR for Identities: Protecting Microsoft 365 accounts from credential theft, BEC, and session hijacking
- Security Awareness Training: Reducing the human element that enables both types of attacks
- Strategic Oversight: Ensuring all security investments align with business objectives and compliance requirements
None of these layers alone provides complete protection. Together, they create a comprehensive defense against modern threats.
The Strategic Question
As identity-based attacks continue to grow in sophistication and frequency, the question for business leaders becomes: Are you protecting what attackers are actually targeting?
If your security strategy focuses exclusively on endpoints while your entire business operates through Microsoft 365, you’re securing the wrong attack surface.
ITDR for Microsoft 365 isn’t about adding another security tool—it’s about extending protection to cover the identity-based threats that endpoint security cannot see. It’s the difference between securing the devices your team uses and securing the accounts they use to access your business-critical systems.
Making Security Strategic
At Kinetics, we believe effective security requires both technical capability and strategic thinking. That’s why our security approach includes:
- Systematic assessment of where your actual vulnerabilities exist
- Layered protection addressing both endpoints and identities
- 24/7 monitoring with expert human verification
- Regular strategic reviews ensuring security investments align with business evolution
The MDR upgrade we’re implementing across KARE Foundation devices represents our commitment to systematic security enhancement—not dramatic overhauls driven by crisis, but planned improvements based on evolving threat landscapes.
Ready to assess your complete security posture—endpoints and identities? Contact Kinetics for a complimentary IT Partnership Health Check: 0800 546 384 or visit kinetics.co.nz