For years, multi factor authentication (MFA) has been positioned as the answer to account compromise. And while MFA is still important, it is no longer enough on its own.
Attackers have shifted their focus. They are no longer trying to break into networks. They are going after users and identities.
According to industry research, identity-based attacks now account for roughly 30% of all intrusions. That number continues to grow because cloud platforms like Microsoft 365 have removed the traditional network perimeter. Once an attacker controls an identity, they often do not need malware, exploits, or sophisticated tools. They simply sign in.
This is why identity protection has become one of the most important parts of modern cybersecurity.
Imagine This Scenario
Imagine one of your employees receives what looks like a normal Microsoft 365 sign-in alert. The page looks real, the branding is correct, and nothing about it feels unusual. They enter their credentials and complete MFA, then go back to their work without a second thought.
What they do not see is that the page was fake. The attacker does not just capture the password. They steal the active session itself. That means they do not need to sign in again. From the system’s point of view, they already are the user.
A few minutes later, that same account signs in from another country, then another location. Files start getting accessed, mailbox rules get created, invoices get redirected, and new applications get authorized. In many environments, basic safeguards like impossible travel detection or conditional access policies may flag or even block this activity. However, when attackers operate within the bounds of existing sessions, trusted locations, or incomplete policy coverage, this behaviour can still blend in as legitimate user activity unless identity monitoring is configured beyond baseline controls.
From the security system’s perspective, this is a real user doing real things. And that is exactly what makes modern identity attacks so dangerous.
Why MFA Alone No Longer Stops This
If you think back to the scenario above, the problem was not that MFA failed outright. The employee followed a familiar sign-in flow and approved what appeared to him as a legitimate request. From their perspective, the experience matched what they had been trained to expect.
This is what makes modern attacks so uncomfortable. The mistake is not always carelessness. Attackers are very good at making the wrong action look normal.
In March 2025, Troy Hunt, the creator of Have I Been Pwned, publicly shared that he himself fell victim to a phishing attack. This is someone who has spent his career teaching people how to avoid these exact traps. Even experts can get caught at the wrong moment.
In the scenario above, the attacker was not trying to steal just a password. They were after the session token (an active logged-in session that does not require signing in again). Once that session was captured, MFA no longer mattered. As far as Microsoft 365 was concerned, the attacker was already a trusted user.
That is why so many breaches now happen in environments where MFA is already enabled everywhere. Nothing looks broken. Nothing looks obviously compromised. The attacker is simply using a valid session, and traditional security controls have very little reason to stop them.
What Is ITDR, and Why Does It Exist
ITDR, or Identity Threat Detection and Response, is a cybersecurity discipline focused on protecting user identities and identity systems from attack.
Instead of watching devices, ITDR watches how identities behave.
It detects and responds to threats like credential theft, token abuse, privilege misuse, and lateral movement. These are the types of attacks that often look legitimate on the surface and easily bypass traditional security controls.
An ITDR system monitors identity activity and infrastructure across the environment. It tracks logins, authentications, identity providers, access requests, and directories like Active Directory or Entra ID. It compares this activity to a normal baseline and flags meaningful deviations as threats.
Examples include:
- Impossible travel scenarios where a user appears to sign in from two distant countries within minutes
- Abnormal session behaviour
- Risky sign-in patterns that do not match historical usage
This is not just alerting. Modern ITDR systems can automatically contain threats by disabling accounts, revoking sessions, and blocking further access while the incident is reviewed.
Why Speed Is Now the Difference Between an Incident and a Crisis
If you think back to the scenario earlier, the most dangerous part was not how the attacker got in, but how long they could stay in without being noticed. In identity-based attacks, time works against you. On average, it takes organisations about 181 days to identify a data breach and another 60 days to contain it. That is months of quiet access, exploration, and damage before the problem is fully under control.
This is where identity-focused monitoring changes the outcome. When unusual sign-in or access behaviour is detected quickly, action can happen immediately. Sessions can be cut off, accounts can be paused, and the window for damage becomes much smaller. That difference in response time is often what separates a contained incident from a major business disruption.
“In a world where attackers move in minutes, ‘alerting’ isn’t enough. Your defence has to be faster than a human can think.” — Glenn Kemp, Managing Partner at Convergence Networks
How ITDR Complements Your Existing Security Tools
Organisations already use many security tools, and it is easy to assume identity risk is already covered somewhere in that mix. Systems like IAM (Identity and Access Management) are focused on managing who gets access and what they are allowed to do. PAM (Privileged Access Management) is designed to tightly control high privilege accounts. EDR (Endpoint Detection and Response) watches what happens on devices, and XDR (Extended Detection and Response) helps correlate signals across multiple security layers, often feeding into MDR (Managed Detection and Response) services for investigation and response. All of these play important roles. However, they rely on the signals they receive. None of them are built specifically to continuously assess whether a trusted identity is being used in a way that still makes sense in real time. That is the gap ITDR fills. It does not replace these tools or MDR. It strengthens them by providing dedicated visibility into identity behaviour, which is where many modern attacks now begin and often remain hidden.
Why ITDR and DNS Protection Work Better Together
DNS protection reduces how often users are exposed to dangerous destinations in the first place. It works at the earliest point in an attack by controlling where devices and users are allowed to connect on the internet. When someone clicks a phishing link, is redirected to a fake Microsoft 365 login page, or unknowingly follows a malicious URL, DNS protection can stop that connection before the page ever loads.
This matters because many identity-based attacks begin long before an account is compromised. They start with a moment of exposure. By preventing access to known malicious, deceptive, or high-risk domains, DNS protection removes a large portion of the attack surface that leads to stolen credentials and session tokens.
ITDR assumes that eventually something will get through and focuses on what happens next. It watches for signs that an identity is being misused and moves quickly to contain the situation before it turns into something larger. Together, DNS protection and ITDR address both sides of the problem. One reduces the chance of exposure, and the other limits the impact if an identity is ever compromised.
The Bigger Shift Most Organizations Are Facing
For a long time, security strategy was built around protecting networks and devices. In cloud-first environments, the real control point is the identity.
When someone can sign in, they do not need to break anything. They can simply use what is already there.
This is why identity has become such a high value target and why so many modern incidents look nothing like the breaches of the past. There is no obvious break in. There is just a trusted account doing things it should not be doing.
That shift is forcing organisations to rethink what real protection looks like. It is no longer just about keeping attackers out. It is about watching what happens after access is granted and being able to react fast when something no longer makes sense.
Final Thought
MFA is still an important layer, but it is no longer the finish line. As the scenarios in this article show, attackers are no longer trying to break in the old way. They are trying to sign in and blend in. When identities become the main target, security has to move beyond simply verifying a login and start paying attention to how access is being used after the fact.
In this reality, organizations need to focus on reducing exposure, detecting misuse, and responding fast enough that small mistakes do not turn into major incidents. That is exactly the gap ITDR and DNS filtering are designed to close.
