
Why SMBs Should Block Risky Countries (And Why We Do This by Default)

January 4, 2026 by
Jaspreet Singh



If you’re an SMB owner, this might surprise you: Most identity attacks hitting your Microsoft 365 tenant don’t come from your city, your province, or even your country. They come from places your business will never legitimately sign in from. As an MSP, we almost always start by blocking high-risk countries as a security control. We do this not because it’s popular, but because it actually works.

What “Risky Countries” Actually Means

Let’s clear something up. Blocking risky countries isn’t about politics or geography. It’s based on attack data. Microsoft, along with every major security vendor, sees consistent patterns:

  • Certain regions generate massive volumes of password spray attacks (Massive Botnet Targets Microsoft 365 Accounts Worldwide, 2025)
  • Others are heavily associated with bot-driven MFA fatigue attempts (Microsoft Digital Defense Report 2024, n.d.)
  • Some countries almost never have real SMB sign-ins, but they still account for thousands of failed logins (Alerts, 2022)

If your business only operates in Canada or the US, a login attempt from another part of the world should not be allowed and merely monitored.

It should be blocked outright.

What We See in Real SMB Tenants

Here’s what we routinely observe before country restrictions are enabled:

  • Thousands of failed sign-ins per week
  • Continuous legacy authentication attempts
  • MFA prompts triggered at odd hours
  • Service accounts being probed repeatedly
  • Users receiving “Approve sign-in?” notifications they didn’t request (2025 Annual Threat Report, n.d.)

And here’s what happens after risky countries are blocked:

  • Noise drops immediately
  • MFA fatigue attempts largely disappear
  • Sign-in logs become readable again
  • Security alerts become meaningful instead of overwhelming (Weinert, 2022)

This is one of the highest ROI security controls an SMB can deploy. (Nechaeva, 2025)

“But What If Someone Travels?”

This is the most common concern, but it’s usually overestimated. 

Here’s how we handle it as an MSP:

  • Allow sign-ins only from known business regions
  • Use temporary access or exclusions only when needed
  • Combine country restrictions with MFA and device checks
  • Remove exceptions once travel ends

Security should be intentional, not left permanently open just in case.
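An added example (not from the original article or from MSPinsights.ca): a pre-deployment audit of exported sign-in records that measures the out-of-region noise listed earlier and names the users who signed in successfully from outside the allowed regions, so each one gets a temporary exclusion or an investigation before the block is enforced. The field names follow Microsoft Entra sign-in log exports; the allowed set, the placeholder country codes XA/XB/XC, the users and the records are constructed.

```python
import json
from collections import Counter

ALLOWED = {"CA", "US"}  # assumption: the tenant's business regions (the article's Canada/US case)
# Client app labels that indicate legacy (non-modern) authentication in sign-in logs
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def rec(user, country, code, app="Browser"):
    """Build one constructed record shaped like an Entra sign-in log entry."""
    return {"userPrincipalName": user, "location": {"countryOrRegion": country},
            "status": {"errorCode": code}, "clientAppUsed": app}

# Constructed sample data. errorCode 0 means success; 50126 is a bad password,
# 50053 a locked account. XA/XB/XC are placeholder country codes.
SAMPLE = [
    rec("alice@example.com", "CA", 0),
    rec("bob@example.com", "US", 50126),
    rec("alice@example.com", "XA", 50126),
    rec("svc-scan@example.com", "XA", 50126, "IMAP4"),
    rec("svc-scan@example.com", "XB", 50126, "Authenticated SMTP"),
    rec("bob@example.com", "XB", 50053),
    rec("carol@example.com", "XC", 0),     # success from outside: traveller or compromise
    rec("dave@example.com", None, 50126),  # source IP could not be mapped to a country
]

def audit(records, allowed=ALLOWED):
    """Summarise sign-ins that a country block would have stopped."""
    failed_by_country = Counter()
    legacy_failures = 0
    review = set()
    for r in records:
        country = ((r.get("location") or {}).get("countryOrRegion") or "").upper() or "UNKNOWN"
        if country in allowed:
            continue  # in-region traffic is unaffected by the block
        if (r.get("status") or {}).get("errorCode") == 0:
            # A successful out-of-region sign-in must be explained before enforcing
            review.add(r["userPrincipalName"])
            continue
        failed_by_country[country] += 1
        if r.get("clientAppUsed") in LEGACY_CLIENTS:
            legacy_failures += 1
    return {"failed_by_country": dict(failed_by_country),
            "legacy_failures": legacy_failures,
            "review_before_blocking": sorted(review)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Unmapped source IPs are reported as `UNKNOWN` rather than dropped, because the country policy has to decide explicitly whether those are blocked too.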

Why SMBs Are a Prime Target

Attackers don’t start with enterprises. 

They start with SMBs because:

  • Fewer conditional access policies
  • Default configurations left untouched
  • Legacy protocols still enabled
  • Over-trust in MFA alone

Blocking risky countries immediately removes entire attack classes from the equation. (Extortion and ransomware drive over half of cyberattacks, 2025) It doesn’t make you bulletproof, but it does drastically reduce your attack surface.

This Is Not an Advanced Security Feature

One of the biggest myths is that geo-blocking is “enterprise-only security.”

It’s not.

If you’re using Microsoft 365 Business Premium or higher, you already have the tools. The problem isn’t licensing—it’s configuration. 

Most breaches we investigate didn’t occur because of zero-day exploits.

They happened because basic controls were never enabled. (Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers, 2025)

Our Default MSP Stance

At MSPinsights.ca, our stance is simple:

If your business doesn’t operate in a country, it shouldn’t be authenticating from there.

Blocking risky countries is:

  • Practical
  • Low maintenance
  • Immediately effective
  • Proven in real environments

And yes, we enable it by default.

Final Thought for SMB Owners

Security doesn’t start with expensive tools.

It starts with removing unnecessary exposure. If your tenant still lets the entire world try to sign in, you’re giving attackers unlimited chances to get lucky. And they only need to succeed once. 



Jaspreet Singh is an MSP owner and the Founder & CEO of Accelerate IT Services Inc, writing practical, real-world IT and security insights at MSPinsights.ca.


References

(February 23, 2025). Massive Botnet Targets Microsoft 365 Accounts Worldwide. Quorum Cyber. https://www.quorumcyber.com/threat-intelligence/massive-botnet-targets-microsoft-365-accounts-worldwide/

(n.d.). 2025 Annual Threat Report. https://em360tech.com/sites/default/files/2025-09/brand-672600-2025-annual-threat-report-final-8.pdf

(n.d.). Microsoft Digital Defense Report 2024. https://www.microsoft.com/security/blog/2024/11/01/microsoft-digital-defense-report-2024/

Alerts, S. (March 8, 2022). Sharp rise in SMB cyberattacks by Russia and China. Help Net Security. https://www.helpnetsecurity.com/2022/03/09/saas-security-events-smbs/

Weinert, A. (2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677

Nechaeva, I. (2025). Microsoft Entra Suite delivers 131% ROI by unifying identity and network access. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2025/08/04/microsoft-entra-suite-delivers-131-roi-by-unifying-identity-and-network-access/?msockid=31ffaa8702766a501d64bcd703356b55

(October 15, 2025). Extortion and ransomware drive over half of cyberattacks. Microsoft News Centre Europe. https://news.microsoft.com/europe/2025/10/16/extortion-and-ransomware-drive-over-half-of-cyberattacks/

(July 19, 2025). Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers. The Hacker News. https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
