SERVICE · IDENTITY

Identity is the new perimeter.

Managed Identity Threat Detection & Response (ITDR) for UK SMBs

Your endpoints have EDR. Your firewall has IPS. But the attacker doesn't need malware — they need a token. Managed Identity Threat Detection and Response (ITDR) watches Entra ID and Microsoft 365 for the behaviour MFA can't stop on its own.

Huntress · Entra ID · Token & session theft · Auto-revoke
01 / WHAT'S INCLUDED

What ITDR actually watches.

Six surfaces attackers abuse when they can't get malware onto a device.

01

Sign-in anomalies

Impossible travel, unfamiliar locations, atypical sign-in times. Correlated against the user's normal behaviour, not a global average.

02

MFA fatigue & AiTM

Push-bombing and repeated prompts, plus adversary-in-the-middle proxies such as Evilginx that relay the real login page and capture the session cookie once MFA has been satisfied. Session-token theft is caught at the session level, after authentication has already "succeeded".

03

OAuth consent abuse

Malicious app consent, risky delegated permissions, suspicious publishers. Enterprise-app grants reviewed and revoked.

04

Mailbox persistence

Inbox rules that hide BEC activity, auto-forwarding to external addresses, rogue mailbox delegates. The quiet, weeks-long fraud vectors.

05

Admin role changes

Role assignments, Conditional Access policy tampering, dormant Global Admin accounts coming back to life. The moves that widen the blast radius.

06

Shadow tenancies

Rogue tenants, guest-account abuse, B2B invitations that shouldn't exist. The back doors nobody checks.

02 / WHAT AN INCIDENT LOOKS LIKE

Token stolen.
Session killed.
User asleep.

A typical adversary-in-the-middle phishing sequence, reconstructed as an ITDR timeline.

  1. T+00:00

    User signs in on a phish

    Convincing "review document" email. The user enters credentials and approves the MFA prompt. Because the phishing proxy relays the real login page, the credentials, the MFA approval and the resulting session token all pass through it, and the token is captured. The user lands on a real-looking document, unaware anything happened.

    • AiTM phish
    • Session token stolen
    • MFA "passed"
  2. T+00:47

    Attacker replays token

    The attacker replays the stolen token from a datacentre IP in a different country. The user's normal sign-in pattern is London office plus home. New location, new ASN, new user agent, same session. ITDR flags it.

    • Impossible travel
    • Unfamiliar ASN
    • Token reuse detected
  3. T+01:12

    SOC auto-contains

    All active sessions revoked. Account disabled. Inbox rules audited and removed. OAuth grants reviewed. Forensic export taken. From the alert firing to the last session revoked: under two minutes.

    • Sessions revoked
    • Account disabled
    • Persistence removed
  4. T+02:00

    Morning brief

    User wakes up to a plain-English summary: you were phished, we stopped it, here's what you need to do (change password, re-enrol MFA, verify no mail was sent). You get the same brief.

    • Plain-English brief
    • Remediation steps
    • Evidence archived
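The detection in step 2 (impossible travel, unfamiliar ASN, token reuse), worked as an added example over constructed sign-in records. This is not the vendor's detection logic. Field names follow the Microsoft Graph `signIn` resource; `autonomousSystemNumber` and `sessionId` are assumed to be available (they are in the beta schema), and every threshold is an assumed tuning value.

```python
"""Sign-in anomaly rules over Entra ID sign-in log records (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

MAX_PLAUSIBLE_KMH = 400.0    # assumed: no door-to-door journey is faster than this
MIN_TRAVEL_KM = 50.0         # assumed: ignore GeoIP jitter within one city
MIN_BASELINE_EVENTS = 3      # assumed: clean sign-ins needed before "unfamiliar" rules fire

# Constructed sample: two ordinary days for alice, then the phished sign-in and the replay.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-03-03T08:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64501, "sessionId": "s-0",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0",
     "location": {"countryOrRegion": "GB", "city": "London",
                  "geoCoordinates": {"latitude": 51.4613, "longitude": -0.0290}}},
    {"createdDateTime": "2024-03-04T08:55:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64500, "sessionId": "s-1",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0",
     "location": {"countryOrRegion": "GB", "city": "London",
                  "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    # The phished sign-in. Here it shows the user's usual home IP and browser; a proxy
    # hosted elsewhere would instead appear in the log with the proxy's IP and ASN.
    {"createdDateTime": "2024-03-04T23:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64501, "sessionId": "s-2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0",
     "location": {"countryOrRegion": "GB", "city": "London",
                  "geoCoordinates": {"latitude": 51.4613, "longitude": -0.0290}}},
    # Forty-seven minutes later the same session arrives from a Dutch datacentre.
    {"createdDateTime": "2024-03-04T23:49:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.55", "autonomousSystemNumber": 64999, "sessionId": "s-2",
     "userAgent": "python-requests/2.31.0",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam",
                  "geoCoordinates": {"latitude": 52.3676, "longitude": 4.9041}}},
]


@dataclass
class Profile:
    """What has been learned about one user from clean sign-ins so far."""
    countries: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # sessionId -> (ip, asn, userAgent) at first sight
    last: Optional[tuple] = None                   # (datetime, lat, lon) of the last clean sign-in
    count: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def evaluate(event, profile):
    """Return the rules (name: detail) this sign-in trips against the user's profile."""
    findings = []
    loc, geo = event["location"], event["location"]["geoCoordinates"]
    when, asn, sid = parse_time(event["createdDateTime"]), event["autonomousSystemNumber"], event["sessionId"]
    if profile.last:
        prev_when, plat, plon = profile.last
        km = haversine_km(plat, plon, geo["latitude"], geo["longitude"])
        hours = (when - prev_when).total_seconds() / 3600
        if km > MIN_TRAVEL_KM and hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            findings.append(f"impossible_travel: {km:.0f} km in {hours * 60:.0f} min")
    if profile.count >= MIN_BASELINE_EVENTS:     # per-user baseline, not a global average
        if loc["countryOrRegion"] not in profile.countries:
            findings.append(f"unfamiliar_country: {loc['countryOrRegion']}")
        if asn not in profile.asns:
            findings.append(f"unfamiliar_asn: AS{asn}")
    first = profile.sessions.get(sid)
    if first and (first[1] != asn or first[2] != event["userAgent"]):
        findings.append(f"token_reuse: session {sid} first seen from {first[0]} (AS{first[1]})")
    return findings


def learn(event, profile):
    geo = event["location"]["geoCoordinates"]
    profile.countries.add(event["location"]["countryOrRegion"])
    profile.asns.add(event["autonomousSystemNumber"])
    profile.sessions.setdefault(event["sessionId"],
                                (event["ipAddress"], event["autonomousSystemNumber"], event["userAgent"]))
    profile.last = (parse_time(event["createdDateTime"]), geo["latitude"], geo["longitude"])
    profile.count += 1


def run(events):
    """Replay sign-ins in time order; alert on anomalies and learn only from clean ones."""
    profiles, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        profile = profiles.setdefault(ev["userPrincipalName"], Profile())
        findings = evaluate(ev, profile)
        if findings:
            alerts.append({"user": ev["userPrincipalName"], "time": ev["createdDateTime"],
                           "ip": ev["ipAddress"], "findings": findings})
        else:
            learn(ev, profile)   # a flagged sign-in must never become part of the baseline
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_SIGNINS):
        print(alert["time"], alert["user"], alert["ip"])
        for finding in alert["findings"]:
            print("   ", finding)
```

Only the fourth record alerts, and it trips all four rules at once: London to Amsterdam in 47 minutes needs roughly 450 km/h door to door, NL and AS64999 are outside alice's baseline, and session `s-2` was first seen from her home IP with Edge, not from a datacentre with python-requests. In production the baseline is weeks of history rather than three events, and flagged sign-ins are excluded from it for the same reason as here: otherwise the attacker's first replay teaches the model that Amsterdam is normal.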
03 / WHY IT MATTERS

MFA is not the finish line.

Most SMBs think MFA means "we're secure". Modern attackers sidestep it with session theft, consent phishing, and infrastructure nobody in-house looks at. ITDR watches the identity layer the way EDR watches endpoints — continuously, automatically, and with a human SOC on the other end.

  • Catches what MFA can't: session tokens, OAuth grants and persistence mechanisms all keep working after MFA has been passed.
  • BEC stopped early: inbox rules, forwarders and rogue delegates surface within hours, not weeks.
  • Auto-response: pre-authorised session revoke and account disable, with no waiting for a human to wake up.
  • Evidence for insurance: every event logged, exportable and mapped to MITRE ATT&CK for the post-incident report.
[Figure: 24h sign-in map, London. Legend: normal pattern; anomaly (NL), outlier flagged.]
04 / FAQ

Questions we hear a lot.

How is ITDR different from EDR?

EDR protects devices. ITDR protects identities. A stolen token or abused OAuth grant doesn't touch a device — it's pure cloud. ITDR watches Entra ID, Microsoft 365 and Conditional Access for behaviour that endpoint tools can't see.

Do we still need MFA if we have ITDR?

Yes. ITDR is defence-in-depth, not a replacement. MFA stops most attacks; ITDR catches the ones that slip past — MFA fatigue, token theft, AiTM phishing, OAuth abuse.

Which platforms does ITDR cover?

Primary focus is Microsoft 365 and Entra ID. We also monitor identity providers like Okta and Google Workspace where deployed. Signal is correlated with EDR and email security in one SOC view.

What happens when a threat is detected?

SOC confirms the alert, revokes active sessions, disables the account, resets credentials and removes persistence (OAuth grants and tokens, inbox rules, forwarders). You're notified in parallel with a plain-English brief.
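The containment sequence described in this answer and in step 3 of the timeline (sessions revoked, account disabled, inbox rules and OAuth grants removed), scripted as an added example against Microsoft Graph. This is one way to do it, not the vendor's playbook. The Graph v1.0 routes are real (`revokeSignInSessions`, `PATCH /users/{id}`, inbox `messageRules`, `oauth2PermissionGrants`); `INTERNAL_DOMAINS`, `RISKY_SCOPES`, the rule heuristics and `FakeGraph`'s canned tenant data are constructed assumptions, and the transport is injected so the sequence runs offline.

```python
"""Automated containment of a compromised Entra ID / M365 user via Microsoft Graph (example)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
INTERNAL_DOMAINS = {"example.com"}                                         # assumed tenant domains
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read"}  # assumed revoke-on-sight list


def graph_sender(token):
    """Real transport: send(method, path, body) with an app bearer token. Not used by the demo.
    The token needs application permissions covering each route (check the Graph reference)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def external_recipients(rule):
    """Addresses a rule forwards or redirects to outside our own domains."""
    addrs = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for r in rule.get("actions", {}).get(key) or []:
            addr = r["emailAddress"]["address"].lower()
            if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                addrs.append(addr)
    return addrs


def is_suspicious_rule(rule):
    """External forwarding, silent deletion, or the mark-read-and-bury pattern BEC actors use."""
    acts = rule.get("actions", {})
    if external_recipients(rule) or acts.get("delete") or acts.get("permanentDelete"):
        return True
    return bool(acts.get("moveToFolder")) and bool(acts.get("markAsRead"))


def contain_user(user_id, send):
    """Run the containment sequence; returns the audit trail of actions taken."""
    actions = []
    # 1. Sessions first: invalidates refresh tokens and session cookies. Access tokens already
    #    issued stay valid until they expire unless the app honours Continuous Access Evaluation.
    send("POST", f"/users/{user_id}/revokeSignInSessions")
    actions.append("sessions revoked")
    # 2. Then the account, so the phished password cannot simply sign in again.
    send("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    actions.append("account disabled")
    # 3. Mailbox persistence: inbox rules that exfiltrate or hide the attacker's mail.
    rules = send("GET", f"/users/{user_id}/mailFolders/inbox/messageRules").get("value", [])
    for rule in rules:
        if is_suspicious_rule(rule):
            send("DELETE", f"/users/{user_id}/mailFolders/inbox/messageRules/{rule['id']}")
            actions.append(f"inbox rule removed: {rule.get('displayName', rule['id'])!r}")
    # 4. Consent persistence: delegated grants with data scopes survive a password reset.
    grants = send("GET", f"/users/{user_id}/oauth2PermissionGrants").get("value", [])
    for grant in grants:
        risky = set(grant.get("scope", "").split()) & RISKY_SCOPES
        if risky:
            send("DELETE", f"/oauth2PermissionGrants/{grant['id']}")
            actions.append(f"oauth grant revoked: {grant['clientId']} ({' '.join(sorted(risky))})")
    return actions


class FakeGraph:
    """Constructed stand-in for the transport: canned tenant data plus a call log."""
    def __init__(self):
        self.calls = []
        self.rules = [
            {"id": "r1", "displayName": "Invoices", "actions": {"moveToFolder": "id-invoices"}},
            {"id": "r2", "displayName": ".", "actions": {   # one-character rule names are a classic tell
                "forwardTo": [{"emailAddress": {"address": "finance.ceo@mail.example"}}],
                "moveToFolder": "id-rss-feeds", "markAsRead": True}},
        ]
        self.grants = [
            {"id": "g1", "clientId": "app-mailsync", "scope": "openid profile Mail.ReadWrite Mail.Send offline_access"},
            {"id": "g2", "clientId": "app-lunch-menu", "scope": "openid profile User.Read"},
        ]

    def send(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "GET" and path.endswith("/messageRules"):
            return {"value": self.rules}
        if method == "GET" and path.endswith("/oauth2PermissionGrants"):
            return {"value": self.grants}
        return {}


if __name__ == "__main__":
    fake = FakeGraph()
    for line in contain_user("alice@example.com", fake.send):
        print(line)
```

Order matters: revoke sessions before disabling the account, and revoke before the password reset, because a reset alone leaves existing refresh tokens usable. Two caveats a practitioner would add: mailbox-level forwarding set on the mailbox itself (rather than as an inbox rule) is not exposed through Graph and has to be cleared with Exchange Online PowerShell, and the forensic export the page mentions should be taken before the DELETE calls run, since the removed rules and grants are the evidence.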

Does it work alongside Conditional Access?

Yes. ITDR complements Conditional Access by catching behaviour CA policies don't cover — post-authentication session anomalies, OAuth grant abuse, insider threats.

Will users notice it?

No. Detection is passive: it reads sign-in logs, audit logs and Graph activity and changes nothing. The only time a user notices is when their own account is the compromised one and gets contained, at which point they're glad we noticed.

NEXT STEP

Audit your identity attack surface.

Free 30-minute review of your Entra ID tenancy. We'll show you the OAuth grants, risky sign-ins and persistence mechanisms you probably don't know about.

REVOKE: < 2 min
COVERAGE: M365 · Entra
SOC: 24/7