blog

Multi-stage identification (MFA) alone will not keep your business safe

jari-pekka@vahti.ai (Jari-Pekka Hyyppä) — Mon, 04 May 2026 07:15:41 GMT

Many organisations still think like this:
"We have multi-factor authentication in place, so user accounts are secure."

The idea is understandable, as MFA has been and still is one of the single most effective ways to protect user accounts. However, the threat landscape has changed and companies are required to have a better understanding of security.

The fact is that today, MFA alone no longer provides the level of security that is often expected.

Attacks are not only targeting passwords - but also people

In the past, an attacker's goal was simply to crack or steal a password.
Now the goal is different.

Today's attacks do not necessarily try to circumvent the MFA technically, but exploit the user himself. The attacker wants the user to log in as normal - but on behalf of the attacker.

A common example of this is the so-called Adversary-in-the-Middle attack. The user is redirected to a login page that looks genuine, enters their credentials and accepts the MFA request as usual. Most of the time, everything seems normal to the user, but the login session ends up in the hands of the attacker.

The multi-factor authentication worked technically exactly as it was supposed to, but it did not prevent the attack.

MFA fatigue is a real phenomenon

Another widespread phenomenon is the so-called MFA bombing. An attacker triggers login attempts repeatedly, resulting in constant requests for approval to the user's phone.

Eventually, the user will either:

accidentally accept the request
or accepts it in order to stop the notifications

As a reader, you may feel that no one would really fall for such an obvious scam. In reality, such a mistake can happen to a user in a hurry, when tired, or just by accident.

You yourself may, for example, have sometimes just "acknowledged a notification" from your phone in the middle of a meeting. Unfortunately, for the less alert user, an MFA alert may be just one distraction among others.

Even in this case, the MFA is not "broken". The problem is that the system does not understand the context and the user does not always stop to think about why the request came at that particular moment.

The real problem is not the MFA. The problem is what is missing around it

When people say "MFA alone is not enough", it is sometimes misinterpreted. It is not that the MFA is unnecessary or outdated.

On the contrary, MFA is still a very viable cornerstone for protecting user logins - even though other methods, such as passkey, have become more common.

The problem arises if:

logins are not continuously monitored
abnormal behaviour is not detected
risks are not responded to quickly
the environment is viewed in terms of individual settings rather than the whole

Modern identity attacks do not stop at a single layer of protection. Therefore, defences should not be based on a single attribute either.

What is really needed beyond MFA?

If the goal is a truly protected Microsoft 365 environment, MFA is only the starting point. Around it, you need an entity that lives and reacts.

In practice this means, for example:

Continuous monitoring
Suspiciouslogins, anomalous changes and risk signals are detected while they can still be reacted to.

Understanding the context
Not all anomalies are threats. The key is to distinguish normal activity from genuine risk.

Clear policies
When something happens, it should be clear what to do next - without everyone having to be a security expert.

The big picture
A single alert doesn't tell you much. It's only by combining multiple signals that you can see what's really going on in the environment.

Why is continuous identity monitoring so important in a Microsoft 365 environment?

Microsoft 365 is the most business-critical platform for many organisations: email, files, Teams conversations and management rights all go through the same identity.

This makes user accounts an attractive target for attackers, but at the same time it also offers the potential for better protection if the environment is actively monitored. By looking at login credentials, anomalous signals and user behaviour as a whole, threats can be identified before they can cause damage.

This is where continuous monitoring and contextual understanding come into play: they turn individual events into a controlled whole, supporting both security and business continuity.

Why are MFA attacks often detected too late?

In many organisations, identity-related anomalies are only discovered after the fact - if at all.

One reason for this is that logins are often viewed as individual events, rather than as part of a broader behavioural picture. A single successful login may not attract attention, even if it is preceded by an unusual location, a new device or an unusual time.

With MFA in place, it is easy to assume that all logins that are accepted are also correct. This mindset leaves room for the attacker to operate in peace.

Without constant monitoring, an attack can continue for days or weeks before the first clear signs appear. This is precisely why identity security is not just about blocking logins, but about understanding what kind of logins are involved and reacting in time when something no longer looks normal.

Summary

MFA remains an important and necessary part of identity security, but on its own it can give a false sense of security.

Real protection only comes from continuous monitoring of authentication, users and the environment as a whole, and from the ability to react in a timely manner to identified risks.

Security in an M365 environment is not a single setting or feature. It is an ongoing process.

Why Microsoft 365 security requires constant monitoring

jari-pekka@vahti.ai (Jari-Pekka Hyyppä) — Mon, 04 May 2026 07:14:31 GMT

In many companies, Microsoft 365 security is seen as a project.

You do amapping, get the settings right and deploy MFA. Then they think it's done and move on with their lives without security concerns and worries.

While this is a good start, the reality is that security is not a one-off project. The security environment in which we live is constantly changing and therefore constant monitoring of the Microsoft 365 environment is absolutely essential.

Often, information about risks is already present in the Microsoft 365 environment but is not systematically exploited.

The security environment is constantly changing, even if you may not realise it

The security environment, like your Microsoft 365 environment, is never static.

Your company's Microsoft 365 environment is constantly changing:

users come and go
permissions are added and removed
applications are integrated
settings are modified
Microsoft makes updates

And the security environment in which we live is changing:

attacks come in waves - sometimes more, sometimes less
attack methods evolve
the level of security of the applications you use may change
artificial intelligence makes attacks more effective

Constant monitoring of security is absolutely essential in today's world. Today, a properly configured environment will not remain secure forever - especially if risk signals are not constantly monitored.

Without monitoring, risks emerge unnoticed

Changes to the Microsoft 365 environment are easily hidden

Most security risks do not arise from one big mistake, but from small, everyday changes. A new user is given slightly too many permissions, an old one is not removed, or a new application gains access to data without stopping to assess the whole picture.

Individually, these may not seem significant. The problem arises because no one sees the big picture. Changes accumulate slowly, while the level of risk in the environment rises without being noticed.

Many companies rely on the idea that "once the regulations are in place, they are in place". In reality, the level of security is constantly evolving with the environment and without monitoring there is no certainty about what the situation looks like today.

Events also indicate risk - if they are monitored

However, not all risks are related to settings alone. Some of them are visible as events: suspicious logins, anomalous behaviour or changes that may indicate an ongoing attack.

These signals are constantly being generated, but without active monitoring they can easily go unnoticed or get buried with other data. Often the data is there, but no one is looking at it at the right time - or understanding what is relevant.

Another real challenge is that the data on events is large and quite fragmented. Interpreting and using it without proper tools is very difficult or at least laborious.

Continuous monitoring makes Microsoft 365 security manageable and predictable

By continuously monitoring security, you move from reactive to predictable security.

It's no longer about one-off checks or reports, but a continuous understanding of where you are right now and where the environment is heading.

Watchdog provides a clear structure for this. It continuously monitors the status and events in your Microsoft 365 environment, identifying the relevant risks and highlighting the issues that really need to be addressed. Instead of having security scattered across different views and logs, you get a single, holistic view of the state of security.

In practice, this means that you can see:

where risks currently exist in your environment
how these risks have arisen
what to do about them next

But it's not just visibility that matters, it's the fact that something is being done about it. Watch is not just a reporting tool, it guides you to concrete action - in a clear and understandable way, without deep technical knowledge.

Microsoft 365 security changes even when you do nothing

jari-pekka@vahti.ai (Jari-Pekka Hyyppä) — Mon, 04 May 2026 07:13:14 GMT

You might think that your Microsoft 365 environment will remain unchanged if you don't touch it. But when logins work, users do their work as normal and no alerts appear, everything is probably fine.

But over time, the Microsoft 365 environment lives on in ways that you don't notice at all in everyday life. It's these imperceptible changes that are one of the biggest reasons why the true state of the environment drifts away over time from what was originally thought to be secure.

Microsoft 365 is constantly updating and evolving

The first and often underestimated force for change is Microsoft itself.

Microsoft 365 is a constantly evolving service. Microsoft releases new features, updates existing features and develops the services in the background. These changes can include how a particular setting works, what security options are available, or what aspects of the environment are visibly reported in general.

A single change usually requires no action and does not cause problems. But over time, these individual changes accumulate and affect how the environment behaves compared to the moment it was originally defined as safe.

Users and patterns of use change, even if policies do not

The second major change is in the company's own operations - often completely unnoticed.

Even if security policies remain the same on paper, the day-to-day life around them is constantly changing. People change roles, ways of working change and the pressure to make changes to the way things are done is under pressure to make things run more smoothly. Access rights are "temporarily" increased, new tools are introduced and access rights are extended as needed.

These changes are business as usual and often necessary. The challenge only arises when no one is monitoring the overall impact of the changes on security.

Without a complete picture, it is easy to think that nothing has changed, when in reality the environment is constantly evolving.

What used to be the exception is now the norm

The third change relates to what is considered normal.

In a Microsoft 365 environment, logins, file sharing, application access and automated activities are constantly taking place. Over time, patterns of behaviour change.

In concrete terms, this means that, for example, remote logins, file sharing with outsiders or the introduction of a new application, which were rare in the past, may have been interpreted as anomalies in the past. These attracted attention and were examined separately. Today, these things happen so often and so smoothly in everyday life that they are hardly noticed.

This means that the "normal state" of the environment is not constant. It evolves with the users. Risks do not necessarily appear as sudden deviations, but are gradually integrated into everyday activities.

Without a constant snapshot of the situation, it is difficult to perceive at what point the normal starts to slip into the risk zone.

Apparent stability can be misleading

One of the misconceptions associated with Microsoft 365 is that a calm everyday life means stability. When there are no alerts and the service is up and running, everything seems to be under control.

In reality, many changes happen so slowly and imperceptibly that they go unnoticed. The environment does not suddenly "break down". It gradually drifts into a state where no one is quite sure whether it is still as good as they think it is.

At this stage, a report or a single inspection often gives only a partial picture - it tells of that fleeting moment, not of the actual trend.

The most recent check is a reflection of the past

If a Microsoft 365 environment is only occasionally checked, the moment of the check quickly becomes history. After that, the environment moves on: changes accumulate, usage changes and services evolve.

Without continuous monitoring, a company does not really know when the environment has changed significantly. Often this is only discovered when something no longer works as expected or when a risk materialises.

The detection of attacks is often delayed

It is often the case that even serious cyber-attacks go undetected for long periods of time. In the vast majority of cases, an attacker can be active on systems for several weeks or even months before being detected.

For example, according to IBM's 2025 Data Breach Report, it takes an average of 204 days to detect an attack, with a further 73 days for remediation. This shows that a momentary check is not enough, and continuous monitoring is essential. Source: IBM Cost of a Data Breach Report 2025.

Finally,

The Microsoft 365 environment changes even when you do nothing. This is not a bad thing, in fact it is quite the opposite. M365 is constantly evolving to become a more secure and efficient way to improve everyday life. Problems only arise when these changes are ignored or not acknowledged.

As the pace of change in the environment is understood, the whole mindset of information security changes. It is not a question of whether everything was fine once, but of what is happening in the environment now and in what direction it is evolving.