CPA Firms Need More Than MFA for Microsoft 365 Security

Most CPA firms rely on multi-factor authentication as the primary safeguard for Microsoft 365. That made sense a few years ago. Today, it’s no longer enough.

Business email compromise (BEC) remains one of the most financially damaging cybercrimes, with the FBI reporting more than $20 billion in cybercrime losses in 2025. While phishing is still part of the problem, the tactics behind these attacks have evolved significantly.

Attackers are no longer forcing their way in. In many cases, they are signing in, observing normal activity and waiting for the right moment to act.

What’s changed

Business email compromise has not gone away, but it has become more sophisticated.

In many cases, attackers are no longer relying on a stolen password alone. Instead, they take advantage of what happens after a user successfully logs in. Session tokens can be captured and reused, allowing access without triggering another MFA prompt. Over time, attackers observe inbox activity, learn communication patterns and time their actions carefully.

According to Verizon’s Data Breach Investigations Report, attackers increasingly rely on stolen credentials and valid account access rather than traditional intrusion methods.

At that point, the attacker does not look like an attacker. They look like your staff.

Why this matters for CPA firms

For CPA firms, the impact goes well beyond a single compromised account.

In many firms, email is the system of record for client communication, approvals and financial coordination. When that channel is compromised, the attacker is inserted directly into the flow of business.

We have seen cases where attackers monitor inbox activity for days before sending a single message that triggers a fraudulent wire transfer.

Attackers can intercept or alter wire instructions, access tax documents and financial records, and communicate directly with clients from a trusted account. Because these actions originate from a legitimate user account, they often bypass traditional email security controls.

IBM reports that the cost of a data breach continues to rise across industries, with financial and reputational consequences that extend well beyond the initial incident. For CPA firms, the longer-term impact is often tied to client trust, which is far harder to rebuild.

Where traditional protections fall short

Most firms have done the right things: MFA is in place, email filtering is active and staff have been trained. In practice, though, those defenses are still built around phishing and other email-based attacks.

The problem is that these controls were designed for a different threat model. Business email compromise in CPA firms has evolved well beyond the initial email.

Industry reporting continues to show that credential abuse and misuse of valid access remain among the most common attack vectors. In other words, attackers are not always breaking in. They are using access that appears legitimate.

The visibility gap

The real issue is not just who logs in, but what happens next.

Without visibility into user behavior across Microsoft 365, suspicious activity can blend in with normal operations: a login from a known location, an email sent in a familiar tone or a request that matches past behavior.

This is where many CPA firms have a blind spot. The signals are there, but they are easy to miss without continuous monitoring and context.

What proactive identity monitoring looks like

Addressing this gap requires a shift in approach.

Instead of focusing only on keeping attackers out, firms need visibility into how accounts are actually being used. That means monitoring identity activity across Microsoft 365, identifying behavior that deviates from normal patterns and responding before an issue escalates.

The goal is not more alerts, but clarity on which activity actually matters and the ability to act before it reaches clients.

Most firms don’t have this level of visibility into their Microsoft 365 environment today. Without it, identity-related risks are often only discovered after there is client impact.

A clearer view of identity activity makes it possible to identify suspicious behavior and address it before it escalates.
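As an added illustration (not code from the original article or from any vendor tool), the Python sketch below shows the kind of behavioral check this sort of monitoring relies on: it walks constructed sign-in records and flags a session that was established with MFA but is later used from a different IP address or browser without a fresh MFA prompt, which is how a replayed session token shows up in identity logs. The record fields, sample values and the `SignIn`/`find_session_reuse` names are assumptions for the example, not a real Entra ID export or schema.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str      # assumed: ties sign-ins to one issued session/token
    ip: str
    user_agent: str
    mfa_satisfied: bool  # True when this sign-in itself passed an MFA prompt

# Constructed sample records. Field names are simplified and only loosely
# modelled on Entra ID sign-in log fields; this is not a real tenant export.
SAMPLE_SIGNINS = [
    SignIn(datetime(2025, 3, 3, 8, 2), "j.doe@example-cpa.test", "S1", "203.0.113.10", "Edge/Windows", True),
    SignIn(datetime(2025, 3, 3, 8, 40), "j.doe@example-cpa.test", "S1", "203.0.113.10", "Edge/Windows", False),
    SignIn(datetime(2025, 3, 3, 9, 15), "j.doe@example-cpa.test", "S1", "198.51.100.7", "Chrome/Linux", False),
    SignIn(datetime(2025, 3, 3, 9, 30), "a.lee@example-cpa.test", "S2", "203.0.113.22", "Outlook/iOS", True),
    SignIn(datetime(2025, 3, 3, 10, 5), "a.lee@example-cpa.test", "S2", "203.0.113.22", "Outlook/iOS", False),
]

def find_session_reuse(events):
    """Flag sign-ins that reuse an MFA-backed session from a different IP or
    user agent without a fresh MFA prompt: the shape a replayed token leaves."""
    origin = {}    # (user, session_id) -> the sign-in that satisfied MFA
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        if ev.mfa_satisfied:
            origin[key] = ev          # a fresh MFA prompt re-baselines the session
            continue
        first = origin.get(key)
        if first is None:
            continue                  # no MFA baseline known for this session yet
        if ev.ip != first.ip or ev.user_agent != first.user_agent:
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "mfa_ip": first.ip,
                "reuse_ip": ev.ip,
                "reuse_user_agent": ev.user_agent,
                "minutes_after_mfa": int((ev.ts - first.ts).total_seconds() // 60),
            })
    return findings

if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_SIGNINS):
        print("possible token replay:", f)
```

On the sample data only the third j.doe sign-in is flagged: same session as the MFA-backed login, but from a new address and browser 73 minutes later; the a.lee session stays quiet because its later activity matches its MFA baseline.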

Take the next step

If you want to understand what’s happening in your environment, the best place to start is with a 30-day identity monitoring trial.

This approach provides visibility into identity activity across your Microsoft 365 environment, surfaces potential exposure points and delivers initial findings early in the process, with continued insight over time.

There is no upfront cost to get started. Submit a request and our team will connect with you to understand your Microsoft 365 environment and walk through how the trial works and what to expect.