How Get Support’s Breach Detection & Response Turned Two Breach Attempts into Non-Events 

Executive Summary 

Modern phishing attacks can bypass Multi-Factor Authentication (MFA), leaving businesses exposed even when they believe they are secure. To address this growing risk, Get Support rolled out Breach Detection & Response (BDR), powered by Huntress ITDR, as a trial starting 17 December 2025. Today, BDR protects 1,250 user identities across multiple Microsoft 365 tenants. Since launch, it has stopped two real-world breach attempts before any harm was done. The first detection happened on 7 January 2026, and the second on 12 January 2026. This article explains what happened, why it matters, and what this means for Microsoft 365 security in 2026. 


Introduction: Why This Matters Now 

Cyber security is no longer just an IT issue. It is a board-level concern because the cost of a breach goes far beyond technical recovery. It impacts reputation, customer trust, and operational continuity. Microsoft 365 is at the heart of most businesses, making it a prime target for attackers. While MFA has been a strong defence for years, attackers have evolved. Today, phishing kits can bypass MFA, and traditional security tools often fail to spot these attacks because they look like legitimate logins. 

This is why Get Support introduced Breach Detection & Response (BDR). It is designed to detect and contain identity-based attacks quickly, before they turn into costly incidents. In this blog, we share real-world proof that BDR works. 


The Problem: Why Modern Phishing Beats MFA 

For years, MFA was considered the gold standard for account security. It adds a second layer of protection, making it harder for attackers to log in with stolen passwords. But attackers have adapted. Modern phishing kits can trick users into approving MFA prompts, giving criminals full access despite MFA being enabled. 

Here is how these attacks typically work: 

  • The attacker sends a convincing email that looks like it comes from someone the user knows. 
  • The email contains a link to what appears to be a legitimate Microsoft 365 file. 
  • Clicking the link redirects the user to a fake login page that looks identical to Microsoft’s real page. 
  • The only difference is the URL, which most users will not notice. 
  • The user enters their email and password, then approves the MFA prompt. 
  • At that point, the attacker has valid credentials and a valid MFA session. The login succeeds. 

From a traditional security perspective, nothing looks wrong. The credentials are correct, and MFA was approved. This is why identity-focused detection is now essential. 


What We Rolled Out: GetSupport BDR (Powered by Huntress ITDR) 

To address this gap, Get Support deployed Huntress ITDR under the name Breach Detection & Response (BDR). ITDR stands for Identity Threat Detection and Response. It focuses on spotting suspicious behaviour after login, not just blocking failed attempts. This is critical because modern attacks often involve valid credentials and approved MFA. 

Our trial began on 17 December 2025. Today, BDR protects 1,250 user identities across multiple client environments. The goal is simple: prove that identity-focused detection works in the real world. And it does. 


What Happened on 7 January 2026 

The first confirmed detection came on 7 January. Here is what happened, in plain English. 

A user received a phishing email that looked like it came from someone they knew. The email linked to what appeared to be a legitimate Microsoft 365 file. Clicking the link redirected them to a login page that looked exactly like Microsoft’s. The only difference was the URL, which most people would never notice. 

The user entered their email and password, then approved the MFA prompt. At that point, the attacker had valid credentials and a valid MFA session. The login succeeded. From a traditional security perspective, nothing looked wrong. 


What Was Detected and Why It Mattered 

Huntress ITDR flagged the login as suspicious. Why? Because it came from known malicious infrastructure and used a user agent called axios/1.13.2. A user agent is a small piece of information that identifies the software making the connection. This one is strongly linked to automated phishing kits. 

The login also came from a data centre environment, not a normal end-user device. In short, everything about the behaviour screamed automation and abuse, even though the credentials and MFA were correct. 
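The signals described above can be expressed as a simple triage rule over sign-in records. This is an added example, not Huntress's or Get Support's detection logic: the field names are modelled on Microsoft Entra sign-in log records and should be treated as assumptions, and the hosting ranges, user-agent pattern and sample events are constructed for illustration.

```python
import ipaddress
import re

# Assumptions (constructed, not vendor data): hosting ranges use RFC 5737
# documentation addresses; the pattern lists common scripted HTTP clients.
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
SCRIPTED_UA = re.compile(r"^(axios|python-requests|go-http-client|node-fetch|curl)/", re.I)

def score_sign_in(event):
    """Return the reasons a *successful* sign-in looks automated."""
    if event["status"]["errorCode"] != 0:  # failed logins are out of scope here
        return []
    reasons = []
    if SCRIPTED_UA.match(event.get("userAgent") or ""):
        reasons.append("scripted-user-agent")
    ip = ipaddress.ip_address(event["ipAddress"])
    if any(ip in net for net in HOSTING_NETS):
        reasons.append("hosting-network")
    # A satisfied MFA requirement is recorded, but never lowers the score:
    # in the case above the credentials and the MFA approval were both valid.
    if reasons and event.get("authenticationRequirement") == "multiFactorAuthentication":
        reasons.append("mfa-satisfied")
    return reasons

def triage(events):
    """Map user -> reasons, flagging only sign-ins that hit BOTH signals."""
    flagged = {}
    for event in events:
        reasons = score_sign_in(event)
        if {"scripted-user-agent", "hosting-network"} <= set(reasons):
            flagged[event["userPrincipalName"]] = reasons
    return flagged

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Constructed sample events (not real log data).
SAMPLE = [
    {"userPrincipalName": "alice@example.com", "userAgent": BROWSER, "ipAddress": "192.0.2.10",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "userAgent": "axios/1.13.2", "ipAddress": "203.0.113.45",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "userAgent": "axios/1.13.2", "ipAddress": "203.0.113.46",
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "dave@example.com", "userAgent": BROWSER, "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE).items():
        print(user, reasons)
```

Requiring both signals keeps a browser login from a hosting range (a VPN user, for instance) as a single-signal event for review rather than an automatic containment trigger.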


What Happened Automatically Within Minutes 

Within minutes, Huntress acted: 

  • All active sessions for the compromised user were revoked. The attacker was logged out immediately. 
  • The user account was disabled to prevent further abuse. 

This stopped the attacker from: 

  • Accessing the mailbox 
  • Sending phishing emails from the client’s domain 
  • Setting up malicious mailbox rules 
  • Stealing data or moving laterally inside the organisation 

The attack ended before the attacker could act. What could have been a major breach became a minor security event. 


What the Business Avoided 

By stopping the attack early, the business avoided: 

  • Full incident response and forensic investigation 
  • Mailbox cleanup and message recalls 
  • Outbound phishing to customers, suppliers, or staff 
  • Fraud risk, downtime, and recovery effort 
  • Reputational damage from malicious emails sent from a trusted domain 
  • Knock-on risk to other organisations in the contact chain 

In short, a breach attempt became a non-event. That is the difference automated containment makes. 


The Second Stopped Attempt on 12 January 2026 

Today, 12 January 2026, BDR stopped a second breach attempt. Details differ, but the outcome was the same: detection and containment before any harm occurred. Two real-world attacks stopped in less than a month of trial deployment. 


Industry Context: Why Identity Attacks Are Rising 

According to recent industry reports, over 70% of breaches now involve compromised credentials. Attackers know that businesses rely on Microsoft 365, and they exploit that trust. Phishing-as-a-Service kits make it easy for criminals to launch sophisticated attacks at scale. These kits mimic Microsoft login pages perfectly and even handle MFA prompts. 

This trend means businesses cannot rely on perimeter security or MFA alone. Identity is the new battleground, and detection after login is critical. 


Comparison: MFA Alone vs MFA + ITDR 

Feature                                    MFA Alone    MFA + ITDR
Stops password-only attacks                Yes          Yes
Stops MFA bypass phishing                  No           Yes
Detects malicious behaviour after login    No           Yes
Automated containment                      No           Yes

Best Practices for Businesses 

  • Keep MFA enabled. It still stops basic attacks. 
  • Train staff to spot phishing emails, but assume mistakes will happen. 
  • Add identity-focused detection like BDR to catch attacks that slip through. 
  • Review login alerts and unusual behaviour regularly. 
  • Have an incident response plan, even if automation reduces the need. 

Future Outlook: Microsoft 365 Security in 2026 

Identity security will dominate in 2026. Attackers will continue to innovate, and businesses must move beyond static defences. Automated detection and response will become standard because speed matters. The faster you act, the less damage occurs. 

This trial proves the value of BDR. That is why Get Support is rolling it out more widely. 


Call to Action 

If you use Microsoft 365 and want to protect your identities against modern phishing, let’s talk. We will help you understand the risks and how BDR can keep your business secure. 


FAQs 

Is MFA still worth using? 

Yes. MFA is still one of the best ways to stop basic attacks. But it is not foolproof. Modern phishing kits can trick users into approving MFA prompts. That is why detection after login is critical. 

What is ITDR in simple terms? 

ITDR stands for Identity Threat Detection and Response. It monitors logins and behaviour to spot suspicious activity, even when credentials and MFA are correct. It then acts automatically to contain the threat. 

Will this block legitimate logins? 

No. BDR looks for patterns linked to malicious activity, not normal user behaviour. It uses context and threat intelligence to avoid false positives. 

How quickly can we roll this out? 

Deployment is straightforward. We can integrate BDR with Microsoft 365 quickly, with minimal disruption. The goal is to protect identities without slowing down your business. 

Does this replace my existing security tools? 

No. BDR complements your existing security measures. It adds a critical layer focused on identity threats, which traditional tools often miss.