
If there’s one pattern I keep seeing while working with small and mid-sized businesses, it’s this:
“We have MFA enabled, so we’re secure.”
Unfortunately, that assumption is still leading to breaches — and in many cases, the entry point is legacy authentication.
I’ve reviewed enough SMB environments to say this with confidence:
legacy authentication is still the most common initial-access vector I find in SMB breaches.
What SMBs Think Is Protected (But Isn’t)
Most SMBs I talk to have done something right:
Microsoft 365 is in place
MFA is enabled (at least for admins)
Password policies exist
But here’s the problem:
legacy authentication never presents an MFA challenge.
A legacy client sends a username and password straight to the service. There is no token flow for Entra ID to insert an MFA prompt, a Conditional Access check or a risk evaluation into, so the MFA you configured is never consulted.
If legacy protocols are allowed, attackers don’t need to defeat MFA. They simply avoid it, and a password alone is enough.
What Legacy Authentication Really Means
Legacy authentication (Basic authentication, in Microsoft’s terms) refers to older sign-in methods in which the client sends the username and password directly to the service instead of obtaining an OAuth token from Entra ID. Because there is no token flow, none of the modern controls ever run:
MFA
Conditional Access
Risk-based detection (Identity Protection)
Common examples I still see enabled:
IMAP / POP using a password rather than OAuth
SMTP AUTH (client submission) using a password, usually from printers, scanners and line-of-business apps
Older Outlook and Office clients (Office 2010 and earlier, or Office 2013 without the modern-auth registry keys)
Basic authentication scripts and integrations (older Exchange Online PowerShell or EWS tools with a stored password)
In the Entra sign-in log these show up under client apps such as IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync and the catch-all “Other clients”. That column is the quickest way to find out whether your tenant still has any.
From an attacker’s point of view, this is the path of least resistance.
Why SMBs Are Targeted First
Large enterprises usually:
Enforce Conditional Access everywhere
Monitor sign-in logs 24/7
Have dedicated security teams
SMBs?
Limited IT staff
Shared admin accounts
“Set it and forget it” configurations
Attackers know this.
They don’t need sophistication — they need consistency, and SMB tenants provide exactly that.
The Real-World Attack I See the Most
This is the most common scenario I encounter:
Attacker runs a password-spray attack: one or two common passwords tried against many accounts, slowly enough to stay under lockout thresholds
Targets legacy protocols (IMAP, SMTP AUTH), where every attempt is a plain username-and-password check
MFA never triggers, because a legacy sign-in cannot prompt for it; in the sign-in log the spray is just a run of failures (error 50126, invalid username or password) from one IP across many users
One mailbox gets compromised: the account whose password was on the list
Inbox rules hide replies: rules that delete, or move to a folder like RSS Feeds, any message about the conversation the attacker is running
Business email compromise (BEC) follows: invoice redirects or payroll changes sent from a real internal mailbox
By the time the SMB notices, money is already gone or data has already been accessed.
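As an added example (mine, not the article’s or the MSP’s own tooling), here is the triage logic behind the scenario above, written to run offline in PowerShell 7 against constructed sample records shaped like the Entra sign-in log and Get-InboxRule output. The client-app names are the categories Entra reports; the spray threshold, the user names, the rule names and the IP address are assumptions.

```powershell
# Added example, not code from the original article: offline triage of Entra sign-in records
# for the two things the scenario above turns on, legacy-auth use and a password spray, plus
# the inbox-rule hunt that follows a takeover. The objects below mirror the fields of the Graph
# signIn resource that Get-MgAuditLogSignIn returns (UserPrincipalName, IpAddress,
# ClientAppUsed, Status.ErrorCode). All records are constructed sample data; the IPs come from
# the RFC 5737 documentation ranges and the domain is fictitious.

# clientAppUsed values that Entra reports for legacy (non-modern) authentication.
$LegacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services',
    'Other clients'
)

function Get-LegacyAuthSignIn {
    # Every sign-in whose client app category Conditional Access would classify as legacy.
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns | Where-Object { $LegacyClientApps -contains $_.ClientAppUsed }
}

function Find-PasswordSpray {
    # Spray signature: one source IP, many distinct accounts, few attempts each, almost all
    # failing with 50126 (invalid username or password). $MinUsers is the detection threshold
    # (an assumption; tune it to tenant size). A success from the same IP is the mailbox that fell.
    param([Parameter(Mandatory)][object[]]$SignIns, [int]$MinUsers = 5)

    $SignIns | Where-Object { $_.Status.ErrorCode -eq 50126 } | Group-Object IpAddress | ForEach-Object {
        $group = $_
        $ip    = $group.Name
        $users = @($group.Group.UserPrincipalName | Sort-Object -Unique)
        if ($users.Count -lt $MinUsers) { return }
        $hits = @($SignIns | Where-Object { $_.IpAddress -eq $ip -and $_.Status.ErrorCode -eq 0 })
        [pscustomobject]@{
            IpAddress     = $ip
            DistinctUsers = $users.Count
            Failures      = $group.Count
            ClientApps    = (@($group.Group.ClientAppUsed | Sort-Object -Unique) -join ', ')
            Compromised   = @($hits.UserPrincipalName | Sort-Object -Unique)
        }
    }
}

function Find-SuspiciousInboxRule {
    # Rules an attacker typically plants after a takeover: delete replies, bury them in a folder
    # the owner never opens, or forward/redirect them out. In a live tenant feed it the output of
    # Get-InboxRule (Exchange Online PowerShell) for every mailbox.
    param([Parameter(Mandatory)][object[]]$Rules)
    $hidingFolders = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Junk Email', 'Archive', 'Deleted Items')
    $Rules | Where-Object {
        $_.Enabled -and (
            $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            ($_.MoveToFolder -and ($hidingFolders -contains ($_.MoveToFolder -replace '^.*\\', '')))
        )
    }
}

# --- Constructed sample data (not real logs) ---------------------------------------------
$attackerIp = '203.0.113.10'
$signIns = @()
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    # Six accounts, one bad password each, all over IMAP: the spray.
    $signIns += [pscustomobject]@{ UserPrincipalName = "$u@contoso.example"; IpAddress = $attackerIp; ClientAppUsed = 'IMAP4'; Status = @{ ErrorCode = 50126 } }
}
# The one password that worked: the finance mailbox, still on IMAP, so MFA never triggered.
$signIns += [pscustomobject]@{ UserPrincipalName = 'finance@contoso.example'; IpAddress = $attackerIp; ClientAppUsed = 'IMAP4'; Status = @{ ErrorCode = 0 } }
# Normal traffic: modern auth through the browser, which Conditional Access and MFA do see.
$signIns += [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IpAddress = '198.51.100.7'; ClientAppUsed = 'Browser'; Status = @{ ErrorCode = 0 } }

$rules = @(
    # Attacker-style rule: a throwaway name and delete-on-arrival, planted in the compromised mailbox.
    [pscustomobject]@{ MailboxOwnerId = 'finance@contoso.example'; Name = '.'; Enabled = $true; DeleteMessage = $true; MoveToFolder = $null; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
    # Benign rule: a user filing newsletters into a folder they actually read.
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.example'; Name = 'Newsletters'; Enabled = $true; DeleteMessage = $false; MoveToFolder = 'alice@contoso.example\Newsletters'; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
)

Get-LegacyAuthSignIn -SignIns $signIns | Format-Table UserPrincipalName, IpAddress, ClientAppUsed -AutoSize
Find-PasswordSpray -SignIns $signIns -MinUsers 5 | Format-List
Find-SuspiciousInboxRule -Rules $rules | Format-Table MailboxOwnerId, Name, DeleteMessage, MoveToFolder -AutoSize
```

On the sample data the spray report shows one IP, six distinct users, six failures, all over IMAP4, with finance@contoso.example as the compromised account, and the rule hunt returns only the “.” delete rule. Against a live tenant, replace the constructed arrays with Get-MgAuditLogSignIn output and with Get-InboxRule run across every mailbox.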
“But Microsoft Is Secure by Default” — Not Quite
Microsoft provides great tools, but security is not automatically enforced.
Security Defaults do block legacy authentication, but they are all-or-nothing, and the usual story is that they were switched off to make room for Conditional Access and the legacy-auth block was never re-created there. Microsoft has also been retiring Basic authentication in Exchange Online since late 2022 (SMTP AUTH was the last holdout), which helps, but it is not a substitute for an explicit tenant-wide block that you can see working in the sign-in log.
I still see:
Security Defaults disabled
Conditional Access partially configured
Legacy auth left enabled “just in case”
Security gaps don’t cause breaches immediately —
they wait patiently.
Why This Is Still Happening in 2026
In my experience, SMB breaches continue because:
No one reviews sign-in logs
Legacy auth is never explicitly blocked
Old devices and scripts are forgotten
IT changes happen without security validation
And once attackers discover a working pattern, they repeat it — at scale.
What I Do Differently as an MSP
When onboarding a new SMB, this is one of my first controls:
Identify all legacy authentication usage: filter the Entra sign-in log on the legacy client-app categories (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients) and list which accounts, apps and IPs are behind each hit
Block it using Conditional Access: a policy targeting all users and all cloud apps, client app types Exchange ActiveSync clients and Other clients, grant control Block, with the break-glass account excluded, started in report-only mode
Validate no business-critical workflows break: the report-only results show exactly which sign-ins would have been blocked, so scanners, printers and scripts get moved to OAuth, a connector or a different account before enforcement
Monitor sign-in attempts post-block: switch the policy to enabled, then watch for legacy sign-ins failing against it and for any new “just in case” exceptions creeping in
It’s a low-cost change with a massive security payoff.
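The same four steps as an added example using the Microsoft Graph PowerShell SDK. This is my illustration, not the author’s own scripts, and it assumes the Microsoft.Graph modules are installed, the signed-in admin is granted the listed scopes, and an emergency-access account whose object ID is a placeholder here; the policy name is also an assumption.

```powershell
# Added example, not the author's own tooling: the identify / block / validate / monitor steps
# above with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph modules are
# installed and the admin signing in consents to the scopes requested below. The break-glass
# object ID and the policy name are placeholders; nothing here is specific to a real tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

$policyName   = 'Block legacy authentication'
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the emergency-access account

# Sign-in client app categories that count as legacy. Everything else is modern auth.
$legacyClientApps = @('Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients')

function Get-RecentSignIn([int]$Days) {
    # Entra keeps 7 days of sign-in logs on the free tier and 30 with P1/P2, so $Days is capped by licence.
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
}

# 1. Identify: who is still authenticating the old way, through what, and from where.
Get-RecentSignIn -Days 30 |
    Where-Object { $legacyClientApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed, IpAddress |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Block, in report-only mode first. Conditional Access's two legacy client app types are
#    exchangeActiveSync and other; all users and all apps, with the break-glass account excluded.
$policy = @{
    displayName   = $policyName
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Validate: after a week or two of report-only, every sign-in the policy *would* have blocked
#    carries a reportOnlyFailure result for it. Each line here is a workflow to migrate
#    (OAuth for IMAP/SMTP, an updated Outlook, a mail connector for devices) before enforcing.
Get-RecentSignIn -Days 14 | ForEach-Object {
    $s = $_
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.DisplayName -eq $policyName -and $p.Result -eq 'reportOnlyFailure') {
            [pscustomobject]@{ User = $s.UserPrincipalName; App = $s.AppDisplayName; Client = $s.ClientAppUsed; IP = $s.IpAddress }
        }
    }
} | Sort-Object User, Client -Unique | Format-Table -AutoSize

# 4. Enforce, then monitor: legacy attempts now fail with a Conditional Access failure, and the
#    report in step 3 with Result -eq 'failure' becomes the post-block watch list.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only long enough to cover monthly jobs (a scanner that only sends invoices at month end will not appear in a three-day window), and keep the break-glass exclusion: that account is the one you sign in with if a Conditional Access mistake locks everyone else out.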
The Bottom Line for SMB Owners
If legacy authentication is still enabled in your Microsoft 365 tenant:
MFA is not fully protecting you
Your risk exposure is higher than you think
Attackers already know this
This isn’t about buying more tools.
It’s about closing the doors you didn’t realize were still open.
Final Thoughts
Every serious breach conversation I’ve had with SMB owners starts the same way:
“We didn’t think anyone would target us.”
They were wrong — and legacy authentication made it easy.
If you’re running Microsoft 365 and haven’t explicitly blocked legacy auth,
now is the time.
Written by:
Jaspreet Singh
Founder & CEO – Accelerate IT Services Inc
Author – MSPinsights.ca
Cybersecurity & Identity Engineer