This article connects directly to What Happens During a Cyber Incident (Step-by-Step) and Why Microsoft 365 Account Takeovers Go Undetected for Weeks. Those posts explain the incident timeline and attacker behavior. This one explains why normal IT support is not the same as true incident response.
This is not a criticism of IT companies or managed service providers.
Most of them do exactly what they are supposed to do. They keep your systems running, manage your devices, handle your Microsoft 365 licenses, and make sure your email works on Monday morning.
The problem is that what they do and what incident response requires are two fundamentally different skill sets.
The gap is not usually effort. It is scope. IT support is built to keep the business running. Incident response is built to investigate, contain, preserve evidence, and remove attacker access.
What an MSP or IT Company Actually Does
A managed service provider is built around stability and availability.
Their job is to keep things running. They provision accounts, manage software updates, handle help desk tickets, configure your firewall, and respond when something breaks.
They are reactive by nature and operational by design. When your printer stops working or a new employee needs a laptop set up, your IT company is exactly who you call.
Many IT companies also provide some level of Microsoft 365 management. They set up accounts, configure basic security settings, and may handle your email filtering.
Some of the better ones have started adding security monitoring to their offerings. This is a good thing. It is not the same as dedicated incident response.
What Incident Response Actually Requires
When a Microsoft 365 account is compromised, the clock starts immediately.
Every minute the attacker remains in the environment is another minute they are reading emails, learning your business relationships, and positioning themselves to cause damage.
Effective incident response requires specific skills that most IT generalists are not trained for:
- Knowing where to look in Microsoft 365 audit logs and understanding what you are seeing
- Familiarity with attacker tactics specific to identity-based attacks, including inbox rule manipulation, session hijacking, lateral movement through shared mailboxes, and lookalike domain registration
- The ability to contain an active attacker without tipping them off prematurely
- Forensic discipline to preserve evidence for insurance claims or law enforcement
- Speed. Not ticket-queue speed. Not next-business-day speed. Minutes and hours.
The Gap in Practice
Here is what typically happens when a business with an IT company gets hit with a business email compromise.
A customer or vendor notices something wrong and calls. The business contacts their IT company. The IT company logs a ticket, remotes into a machine, resets a password, and considers the issue resolved.
The inbox rules the attacker created are still there. The attacker's sessions may still be valid, because a password reset by itself does not revoke refresh tokens that were issued before the reset. Any OAuth application the attacker consented to on the account keeps working regardless of the new password. The lookalike domain registered to impersonate the business is still sending emails to vendors. The full scope of the compromise has not been investigated because the IT company does not have the tooling or training to conduct that investigation.
This is not negligence. It is a scope problem. The IT company was hired to keep things running, not to conduct forensic investigations of identity-based attacks.
Password reset does not equal containment. Containment means revoking active sessions and blocking sign-in first, then reviewing inbox rules, mailbox-level forwarding, registered MFA methods, application consents, delegated mailbox access, and the attacker's external infrastructure. If any of those is skipped, the attacker may still have a way back in, and the audit log that shows what they did should be preserved before anything is changed.
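The following is an added example, not code from the original post, showing what the first hour of a real response to a single compromised Microsoft 365 account looks like in PowerShell, covering both the investigation skills listed above (audit log review, inbox rules, MFA methods, application permissions, shared mailbox access) and the containment steps a password reset skips. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has Exchange administrator rights and can consent to the Graph scopes requested, and that $Upn is the affected account; the lookback window and the file names for exported evidence are arbitrary choices.

```powershell
# Added example (not from the original post): first-response containment and
# scoping for one compromised Microsoft 365 account.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph modules installed,
# Exchange admin rights, and consent to the Graph scopes below.
param(
    [Parameter(Mandatory)] [string] $Upn,   # the compromised account (placeholder)
    [int] $LookbackDays = 30                # how far back to pull audit events
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All',
    'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

# 1. Containment first: block sign-in and invalidate refresh tokens. A password
#    reset alone leaves existing sessions usable. Note that access tokens already
#    issued can remain valid for up to about an hour after this call.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Mailbox persistence: rules that forward, redirect, delete, or bury mail are
#    the classic BEC foothold and survive a password reset untouched.
$suspectRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Conversation History')
}
$suspectRules |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize
# Evidence before remediation: export the rule objects before touching them.
$suspectRules | Export-Clixml -Path ".\$Upn-inboxrules.xml"

# Mailbox-level forwarding lives outside inbox rules and is easy to miss.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Other ways back in: MFA methods the attacker may have registered, and
#    OAuth consents that keep working through every password change.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
Get-MgUserOauth2PermissionGrant -UserId $Upn |
    Select-Object ClientId, Scope, ConsentType

# Delegated access to other mailboxes (lateral movement through shared mailboxes).
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Upn -ErrorAction SilentlyContinue |
    Select-Object Identity, AccessRights

# 4. Scope from the unified audit log: which rules were created, when, and from
#    which client IP. UpdateInboxRules is the Outlook-client path; New-InboxRule
#    and Set-InboxRule come from OWA or PowerShell.
$start  = (Get-Date).AddDays(-$LookbackDays)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -UserIds $Upn `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission' `
    -ResultSize 5000 -SessionCommand ReturnLargeSet
$events | Export-Clixml -Path ".\$Upn-auditlog.xml"   # preserve raw records
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object Time | Format-Table -Wrap

# Only after the evidence is exported: reset the password, clean up, re-enable.
# $suspectRules | Remove-InboxRule -Confirm:$false
```

The order matters: sign-in is blocked and sessions are revoked before anything is inspected, and every artifact is exported before it is removed, so the insurer or law enforcement can see what the attacker actually did. Revoking sessions does not instantly kill access tokens that were already issued, which is why blocking sign-in happens at the same time. Any rule created from a client IP or user agent the business does not recognise, or any OAuth grant the user did not knowingly approve, is a lead that needs its own look at the attacker's infrastructure, including lookalike domains that this script cannot see.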
The Moment It Becomes Clear
In one incident we were brought in after a law firm's IT company had already handled an account compromise.
They reset the password and closed the ticket. What they did not find was a hidden inbox rule that was still active, forwarding emails from the firm's real estate team to an external address.
The attacker continued operating for days after the password reset because the persistence mechanism was never removed. By the time we were engaged, the situation had escalated into a $7 million wire fraud attempt.
The IT company was not incompetent. They just were not doing incident response. Those are different jobs.
What the Right Structure Looks Like
Your IT company and your incident responder are not competitors.
They serve different functions and both have a role. Your IT company manages your environment day to day. Your incident responder investigates, contains, and remediates when something goes wrong.
Ideally, they have a relationship and can work together when an incident occurs.
The businesses that recover fastest from security incidents are the ones that do not try to make their IT company be something it was not designed to be. They have the right resource for the right job before they need it.
The Question to Ask Your IT Company
The question worth asking your IT company is simple:
If one of our Microsoft 365 accounts was compromised right now and the attacker had been inside for two weeks, what would your response look like?
Their answer will tell you everything you need to know about whether you have a gap.
Final Thoughts
Your IT company may be great at IT operations. That does not automatically make them an incident response team.
When an attacker is inside your Microsoft 365 environment, the business needs containment, forensic review, scope validation, evidence preservation, and remediation. That requires a different operating model than normal IT support.
The right answer is not replacing your IT company. The right answer is adding an incident response capability before the incident happens.
Need help securing your environment? Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.