9 Out of 10 SMBs Have a Compromised User Right Now
The 2026 Guardz Threat Report found 89% of SMBs have compromised credentials. Five questions every business owner should ask their IT provider this week.

Eighty-nine percent of small and mid-sized businesses have at least one employee with confirmed credential compromise at any given time. That finding comes from the 2026 Guardz State of MSP Threat Report, which analyzed real-time threat data across thousands of SMBs. The report identifies four attack vectors that have shifted significantly in the past year, and the common thread is that the security stack most businesses deployed in 2023 or 2024 is no longer keeping up.
Your Employees’ Credentials Are Already Circulating
The 89% figure isn’t a survey or a projection. Guardz measured it by scanning for active credential exposure across their monitored customer base. At any given point, nearly nine out of ten businesses had at least one user whose email and password appeared in a breach database or dark web marketplace.
The attack chain this enables is straightforward. Attackers buy compromised credential lists in bulk and run automated credential-stuffing tools that replay them against corporate login portals, VPNs, and cloud platforms such as Microsoft 365. When an employee reuses their work password on a personal site that gets breached, the company becomes a target without anyone knowing it. We covered this kill chain in detail in our post on credential theft and password reuse.
Dark web credential monitoring addresses this gap by continuously scanning breach databases and underground marketplaces for your company’s email addresses and passwords. When a match surfaces, your IT team or managed security provider can force a password reset before the attacker ever logs in. Without this monitoring, you’re relying on employees to self-report that they reused their work password somewhere, and that conversation never happens. Given that 89% of businesses have active exposure, credential monitoring is no longer a nice-to-have. It’s a baseline requirement.
Session Hijacking Is Up 23% and Bypasses MFA
Most business owners assume MFA closes the credential theft problem. The Guardz report shows that attackers have moved past it. Session hijacking surged 23% year-over-year, and these attacks bypass code- and push-based MFA entirely.
The attack works by placing a proxy (an adversary-in-the-middle phishing kit) between your employee and the real login page. The employee enters their username, password, and MFA code as normal. Everything passes through to the real service, but the proxy captures the authenticated session token. The attacker now has a fully valid session and can access the account without authenticating again. In your sign-in logs it looks like a normal, successful login, with one tell: the session originates from the proxy's IP address and device, not the employee's.
Detecting this means monitoring what happens at and after authentication: logins from unexpected locations, multiple concurrent sessions for the same user, or impossible-travel patterns where someone appears to log in from Dallas and then Eastern Europe minutes apart. Preventing it means phishing-resistant MFA (FIDO2 security keys or passkeys), whose credentials are bound to the real login domain and will not authenticate to a look-alike proxy, backed by Conditional Access policies that require a managed device so a stolen token is useless from the attacker's machine.
A SOC team watching your Microsoft 365 environment can catch the session hijacking indicators that automated tools alone miss. Beyond obvious impossible-travel alerts, human analysts review the pattern of failed logins around a successful authentication, sudden forwarding rule changes after login, and sessions that persist far longer than normal; that review is what identifies the more targeted attacks. Automated rules flag the obvious. Analyst review catches the rest.
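The two post-authentication checks described above, impossible travel between consecutive sign-ins and an inbox-rule change shortly after a sign-in from a new country, as an added example written for this article. It is not the Guardz report's detection logic or any SOC's production rule; the field names mimic exported Entra ID sign-in logs and Exchange unified audit log entries, and the events, users, IPs and the 900 km/h and 60-minute thresholds are constructed for the illustration.

```python
"""Post-authentication checks over Microsoft 365 sign-in and mailbox audit events.
Added example for this article; not the Guardz report's or any SOC's production
logic. The events below are constructed and only mimic the fields of exported
Entra ID sign-in logs and Exchange unified audit log entries."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0          # above airliner speed: nobody moved that fast
MIN_DISTANCE_KM = 50.0             # ignore moves within one metro area / carrier NAT
RULE_WINDOW = timedelta(minutes=60)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}  # forwarding lives here


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    country: str
    lat: float
    lon: float


@dataclass(frozen=True)
class MailboxEvent:
    user: str
    when: datetime
    operation: str
    ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive successful sign-ins by one user whose implied speed is impossible.
    An AiTM proxy shows up as a session from the proxy's IP and region while the
    real user keeps signing in from home. Returns (user, earlier, later, km/h)."""
    findings = []
    by_user = {}
    for s in sorted(signins, key=lambda s: s.when):
        by_user.setdefault(s.user, []).append(s)
    for user, events in by_user.items():
        for earlier, later in zip(events, events[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (later.when - earlier.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append((user, earlier, later, round(kmh)))
    return findings


def rule_change_after_new_country(signins, mailbox_events, window=RULE_WINDOW):
    """Inbox-rule or mailbox changes made within `window` of a sign-in from a
    country the user had never signed in from before: the classic BEC follow-on
    (hijack the session, then add a forwarding rule). Returns (user, sign-in, event)."""
    seen_countries = {}
    new_country_signins = []
    for s in sorted(signins, key=lambda s: s.when):
        seen = seen_countries.setdefault(s.user, set())
        if seen and s.country not in seen:
            new_country_signins.append(s)
        seen.add(s.country)
    findings = []
    for m in mailbox_events:
        if m.operation not in RULE_OPERATIONS:
            continue
        for s in new_country_signins:
            if s.user == m.user and timedelta(0) <= m.when - s.when <= window:
                findings.append((m.user, s, m))
    return findings


# Constructed sample: alice is proxied through a host in Romania twelve minutes
# after a genuine Dallas sign-in; bob drives from Dallas to Austin over three hours.
T = datetime(2026, 3, 2, 9, 0)
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", T, "203.0.113.10", "US", 32.78, -96.80),
    SignIn("alice@example.com", T + timedelta(minutes=12), "198.51.100.77", "RO", 44.43, 26.10),
    SignIn("bob@example.com", T, "203.0.113.11", "US", 32.78, -96.80),
    SignIn("bob@example.com", T + timedelta(hours=3), "203.0.113.12", "US", 30.27, -97.74),
]
SAMPLE_MAILBOX_EVENTS = [
    MailboxEvent("alice@example.com", T + timedelta(minutes=30), "New-InboxRule", "198.51.100.77"),
    MailboxEvent("bob@example.com", T + timedelta(hours=1), "MailItemsAccessed", "203.0.113.11"),
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {user} {a.country}->{b.country} in "
              f"{(b.when - a.when).seconds // 60} min (~{kmh} km/h)")
    for user, s, m in rule_change_after_new_country(SAMPLE_SIGNINS, SAMPLE_MAILBOX_EVENTS):
        print(f"{m.operation} by {user} {(m.when - s.when).seconds // 60} min "
              f"after first sign-in from {s.country}")
```

Bob's Dallas-to-Austin move is about 290 km in three hours and passes both checks; Alice's Romanian session is flagged twice, once for the implied speed and once for the inbox rule created eighteen minutes after her first-ever sign-in from that country. Real deployments tune the distance floor for carrier-grade NAT and VPN egress points and add the concurrent-session check mentioned above.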
Attackers Are Weaponizing Your IT Management Tools
Remote monitoring and management (RMM) tools like ConnectWise ScreenConnect and AteraAgent are standard in managed IT. Nearly every MSP uses them to patch systems, push updates, and troubleshoot issues remotely. The Guardz report found that RMM tool abuse now accounts for 26% of all endpoint detections.
Attackers install unauthorized copies of these same tools on compromised endpoints to maintain persistent access. Because the software is legitimate with valid code signatures, antivirus and endpoint protection platforms don’t flag it. The attacker gets the same remote access capabilities your IT provider has: remote desktop, file transfer, and command execution. The security tools on the endpoint treat all of it as normal activity.
The defense requires deliberate policy, not better antivirus. Your IT provider should maintain a strict allowlist of approved RMM tools and actively monitor for unauthorized installations. If ScreenConnect is your MSP’s tool, the appearance of AteraAgent or AnyDesk on an endpoint is an immediate red flag that endpoint detection and response (EDR) should catch and block. RMM access itself should follow least-privilege principles: technician access limited to systems they’re actively working on, sessions time-limited and logged, and every remote connection auditable. We covered how attackers exploit legitimate IT tools more broadly in our post on living-off-the-land attacks.
Non-Human Identities: The Attack Surface Nobody Audits
The Guardz report found that non-human identities outnumber human users 25-to-1 in Microsoft 365 environments. These include service accounts, app registrations, API keys, and the OAuth grants created when you connect third-party applications to your tenant. Every time someone authorizes a scheduling app, a CRM integration, or a document signing service, Microsoft 365 creates a service principal for that app in your tenant with whatever permissions the user (or an admin) consented to.
Most businesses have no inventory of these identities and no process for reviewing or revoking them. A marketing tool authorized two years ago and forgotten still has read access to your SharePoint. A former employee's personal app registration still holds Mail.Read permissions. Each one is an entry point that authenticates with a client secret, certificate, or long-lived refresh token rather than a password, so MFA never enters the picture.
Cleaning this up starts with an audit. Your IT team should enumerate every app registration, service principal, and OAuth consent in your Microsoft 365 tenant, then revoke anything that isn't actively needed. Going forward, restrict who can consent to new app permissions and require admin approval for any application requesting high-privilege access like mail or directory reads: in Entra ID, limit user consent to apps from verified publishers requesting low-impact permissions (or disable it outright) and enable the admin consent workflow so requests for scopes such as Mail.Read, Sites.Read.All, or Directory.Read.All land with an administrator. Our post on Microsoft 365 security settings SMBs commonly get wrong covers several of these configuration gaps.
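The audit step above, as an added example written for this article (not the Guardz report's tooling or Microsoft's). It works offline on JSON shaped like the Microsoft Graph objects that Get-MgServicePrincipal, Get-MgOauth2PermissionGrant and Get-MgServicePrincipalAppRoleAssignment return, and ranks each non-human identity by whether its access is tenant-wide, whether it holds application permissions that run with no user at all, and whether the publisher is a third-party tenant. The tenant ID, app names, service principal IDs and appRole GUIDs below are all constructed; the set of scopes treated as high impact is this example's choice, not a Microsoft classification.

```python
"""Offline audit of non-human identities holding OAuth access to a Microsoft 365
tenant. Added example, not the Guardz report's tooling. Reads JSON shaped like the
Graph objects returned by Get-MgServicePrincipal, Get-MgOauth2PermissionGrant and
Get-MgServicePrincipalAppRoleAssignment; every GUID, app and grant below is constructed."""

HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"   # constructed home tenant id

# Delegated scopes and application roles this example treats as high impact.
HIGH_IMPACT = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
}

SAMPLE_EXPORT = {
    "servicePrincipals": [
        {"id": "sp-graph", "appId": "00000003-0000-0000-c000-000000000000",
         "displayName": "Microsoft Graph", "appOwnerOrganizationId": "microsoft-tenant",
         # appRoles map application-permission ids to names; ids are constructed here
         "appRoles": [{"id": "role-mail-read", "value": "Mail.Read"},
                      {"id": "role-dir-read", "value": "Directory.Read.All"}]},
        {"id": "sp-crm", "appId": "crm-app", "displayName": "Acme CRM Sync",
         "appOwnerOrganizationId": "bbbbbbbb-0000-0000-0000-000000000002"},
        {"id": "sp-sched", "appId": "sched-app", "displayName": "Meeting Scheduler",
         "appOwnerOrganizationId": "cccccccc-0000-0000-0000-000000000003"},
        {"id": "sp-legacy", "appId": "legacy-app", "displayName": "Marketing Export (legacy)",
         "appOwnerOrganizationId": HOME_TENANT},
    ],
    "oauth2PermissionGrants": [   # delegated permissions (act on behalf of a user)
        {"clientId": "sp-crm", "resourceId": "sp-graph", "consentType": "AllPrincipals",
         "principalId": None, "scope": "User.Read Mail.Read offline_access"},
        {"clientId": "sp-sched", "resourceId": "sp-graph", "consentType": "Principal",
         "principalId": "user-42", "scope": "User.Read Calendars.ReadWrite"},
        {"clientId": "sp-legacy", "resourceId": "sp-graph", "consentType": "AllPrincipals",
         "principalId": None, "scope": "Sites.Read.All offline_access"},
    ],
    "appRoleAssignments": [       # application permissions: no user, no MFA, just a secret
        {"principalId": "sp-legacy", "resourceId": "sp-graph", "appRoleId": "role-mail-read"},
    ],
}


def audit(export, home_tenant=HOME_TENANT):
    """Return findings as dicts with app, severity (high/medium/info), kind and detail."""
    sps = {sp["id"]: sp for sp in export["servicePrincipals"]}
    role_names = {r["id"]: r["value"]
                  for sp in sps.values() for r in sp.get("appRoles", [])}

    def name(sp_id):
        return sps.get(sp_id, {}).get("displayName", sp_id)

    findings = []
    for g in export["oauth2PermissionGrants"]:
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_IMPACT)
        if not risky:
            continue
        detail = " ".join(risky)
        if "offline_access" in scopes:
            detail += " + offline_access (long-lived refresh tokens)"
        if g["consentType"] == "AllPrincipals":      # admin consented for every user
            findings.append({"app": name(g["clientId"]), "severity": "high",
                             "kind": "tenant-wide delegated consent", "detail": detail})
        else:                                        # one user consented for themselves
            findings.append({"app": name(g["clientId"]), "severity": "medium",
                             "kind": f"user consent by {g['principalId']}", "detail": detail})

    for a in export["appRoleAssignments"]:
        perm = role_names.get(a["appRoleId"], a["appRoleId"])
        if perm in HIGH_IMPACT:
            findings.append({"app": name(a["principalId"]), "severity": "high",
                             "kind": "application permission (no user, no MFA)", "detail": perm})

    # Any client app whose publisher is another tenant: note it so the review can
    # weigh the vendor, not just the scopes.
    clients = ({g["clientId"] for g in export["oauth2PermissionGrants"]}
               | {a["principalId"] for a in export["appRoleAssignments"]})
    for sp_id in sorted(clients):
        owner = sps.get(sp_id, {}).get("appOwnerOrganizationId")
        if owner and owner != home_tenant:
            findings.append({"app": name(sp_id), "severity": "info",
                             "kind": "third-party publisher", "detail": owner})
    return findings


if __name__ == "__main__":
    for f in sorted(audit(SAMPLE_EXPORT), key=lambda f: f["severity"]):
        print(f"[{f['severity']:6}] {f['app']}: {f['kind']} -> {f['detail']}")
```

On the constructed tenant the forgotten "Marketing Export (legacy)" registration produces two high findings (tenant-wide SharePoint read plus an application-level Mail.Read that needs no user session), the CRM connector one high finding plus a publisher note, and the calendar-only scheduler only the publisher note. Revoking a grant is the follow-up step: delete the oauth2PermissionGrant or appRoleAssignment, or remove the service principal entirely if the app is no longer used.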
Five Questions to Ask Your IT Provider This Week
The Guardz report makes clear that credential compromise, session hijacking, RMM abuse, and non-human identity sprawl are measured conditions affecting the majority of SMBs right now. Combined with business email compromise losses now ranging from $140,000 to $1.5 million per incident (up from roughly $40,000 in early 2025) and a 190% surge in ransomware behavioral detections, the cost of inaction is concrete and growing.
If your IT provider can’t answer these questions clearly, that’s a signal to act:
Are you monitoring the dark web for our employees’ compromised credentials? If credentials appear in a breach database, you need to know and force a reset before an attacker uses them. With 89% of SMBs showing active exposure, this is a baseline capability.
How are you detecting session hijacking and token theft? MFA alone is not sufficient. Your provider should be monitoring for anomalous session behavior, impossible-travel logins, and unauthorized email forwarding rules after authentication.
What RMM tools are authorized on our endpoints, and how do you detect unauthorized ones? If an attacker installs a second remote access tool, your provider should catch it immediately through allowlisting and automated alerting.
Have you audited our non-human identities in Microsoft 365? If your provider doesn’t know how many app registrations and service principals exist in your tenant, you have an unmonitored attack surface that outnumbers your employees 25 to 1.
Are you using AI-assisted threat detection? The Guardz report found that AI-driven detection achieves 92.4% accuracy compared to 67% for human analysts working alone. Ask whether your provider uses behavioral analytics and AI models to supplement human review.
Need Help Closing These Gaps?
Our security team can run a credential exposure scan, audit your Microsoft 365 non-human identities, and review your RMM access controls.
Get a Free Assessment