A marketing agency in Bellevue lost access to their Adobe Creative Cloud, Microsoft 365, and QuickBooks on the same morning last fall. Not ransomware. An attacker had logged in through the owner's credentials, changed recovery emails, enabled MFA on the newly compromised accounts, and locked the legitimate users out. The owner's password had been correct. It just wasn't his anymore. The initial entry point was credential reuse—same email and password combination the owner had used on a forum site that got breached two years earlier. From there, the attacker moved laterally through every service that shared authentication. No malware. No phishing email that morning. Just an opportunistic login that looked completely legitimate to every system that mattered.
This is the actual threat model for small businesses in the Pacific Northwest right now. Not Advanced Persistent Threats. Not nation-state operators interested in your strategic IP. Credential-based account takeover executed by someone who bought a password list and a residential proxy service.
What identity management actually means here
When we talk about identity management for a thirty-person firm, we are talking about the authentication layer between your users and the SaaS applications that run your business. That layer is almost certainly one of three things: Google Workspace, Microsoft 365, or a patchwork of individual logins across Slack, Xero, Salesforce, Gusto, and whatever vertical-specific platform your industry runs on.
The question is not whether you have identity management. You do. The question is whether that system would prevent the Bellevue scenario.
Most small businesses I work with have the following in place: passwords, maybe MFA on some accounts, maybe a password manager if someone pushed for it. What they do not have: MFA enforced across all critical services, conditional access policies that block sign-ins from unexpected locations or from unmanaged devices, and any logging or alerting when a user's account exhibits unusual behavior. A geolocation rule on its own is weak against the residential proxy in the opening example, since the attacker's traffic arrives from a plausible local address; device posture is the condition a proxy cannot supply.
That gap is not a compliance problem. You are not violating a regulation by lacking those controls. It is a security problem, meaning: an attacker can move through that gap successfully.
The endpoint is the entry point
The Bellevue agency could have prevented that takeover with enforced MFA and conditional access rules. But the conversation does not end there. Because the next question is: what happens when an attacker compromises the endpoint itself?
MFA fatigue attacks work like this: attacker has your username and password, tries to log in, MFA prompt goes to your phone, you deny it. Attacker tries again. And again. And again. Thirty push notifications in ten minutes. You are in a meeting. You are tired. You assume it is a glitch. You approve one to make it stop. Now the attacker has a valid session token.
This is MITRE ATT&CK technique T1621, multi-factor authentication request generation. It is not theoretical. It was used against Uber in 2022 and we have seen variations in SMB compromises in Portland and Seattle.
The mitigation is not more of the same MFA. Number matching ends blind approval, because the user has to type a number that only the login screen in front of the attacker is showing. FIDO2 hardware keys remove the push prompt entirely and are phishing-resistant as well, because the key signs a challenge bound to the site's origin instead of relaying a code. Alongside that, alerting that fires when one user accumulates fifteen denied or unanswered MFA prompts in five minutes, and a response that treats any approval following such a burst as a compromised session.
But the deeper issue is the endpoint. If an attacker has access to the user's laptop, through malware, a stolen device, or a family member who borrowed it at a coffee shop, MFA becomes less helpful. The device already holds authenticated sessions: browser cookies and refresh tokens issued after a legitimate MFA step, plus whatever credentials the browser saved. The attacker is inside the perimeter.
This is why endpoint security and identity management are the same conversation. You cannot secure identity if the device requesting authentication is compromised. You cannot secure the endpoint if valid credentials let an attacker in regardless of device posture.
What compliance does not tell you
If you are subject to compliance requirements (HIPAA, PCI DSS, SOC 2) you have probably implemented some version of endpoint detection and response, password policies, and MFA. That documentation satisfies an auditor. It does not necessarily stop the attack I just described.
Compliance frameworks measure whether you have a control in place and whether you can produce evidence of it. Security measures whether the control actually fires when the threat condition occurs.
I have reviewed security policies for firms that were compliant on paper and trivially compromised in practice. The password policy required twelve characters and ninety-day rotation (rotation on a schedule is itself a control NIST SP 800-63B no longer recommends, but the point here is enforcement). The MFA policy said it was required for all users. Neither policy was enforced in the identity provider settings. So users set eight-character passwords, never rotated them, and skipped MFA setup.
The distinction matters because you can be compliant and breached at the same time.
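The check that closes that gap is to compare the written policy with what the identity provider actually enforces. Below is example code added for this page, not the firm's or Microsoft's code. It assumes two inputs shaped like Microsoft Graph v1.0 responses for `GET /identity/conditionalAccess/policies` and `GET /reports/authenticationMethods/userRegistrationDetails` (field names as I understand the documented schema; the values are constructed, not a real tenant), and shows the report-only policy beside the corrected one.

```python
"""Policy-on-paper vs. tenant-enforced MFA check.

Example code added for this page, not the firm's or Microsoft's code.
Assumptions: the inputs are shaped like Microsoft Graph v1.0 responses for
GET /identity/conditionalAccess/policies and
GET /reports/authenticationMethods/userRegistrationDetails. Field names
follow the documented schema as I understand it; every value below is
constructed for the example.
"""
import copy
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample: a policy that reads correctly but sits in report-only
# mode with the owner excluded, and a registration report where the owner
# (an admin) never set up an MFA method.
CA_POLICIES = {"value": [
    {"id": "p1", "displayName": "Require MFA for all users", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["owner-object-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]}
REGISTRATION = {"value": [
    {"userPrincipalName": "owner@example.com", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "alice@example.com", "isAdmin": False,
     "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@example.com", "isAdmin": False,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
]}


def enforced_mfa_policies(policies):
    """Policies that really require MFA: state 'enabled' (report-only and
    disabled do not count), scoped to all users, granting the 'mfa' control."""
    hits = []
    for p in policies["value"]:
        users = p.get("conditions", {}).get("users", {})
        grant = p.get("grantControls") or {}
        if (p.get("state") == "enabled"
                and "mfa" in grant.get("builtInControls", [])
                and "All" in users.get("includeUsers", [])):
            hits.append({"name": p["displayName"],
                         "excluded_users": list(users.get("excludeUsers", []))})
    return hits


def mfa_gaps(policies, registration):
    """Compare the written policy ('MFA required for all users') with the tenant."""
    enforced = enforced_mfa_policies(policies)
    report_only = [p["displayName"] for p in policies["value"]
                   if p.get("state") == REPORT_ONLY]
    no_mfa = sorted(u["userPrincipalName"] for u in registration["value"]
                    if not u.get("isMfaCapable"))
    admins_no_mfa = sorted(u["userPrincipalName"] for u in registration["value"]
                           if u.get("isAdmin") and not u.get("isMfaCapable"))
    return {
        # "enforced" here means at least one live all-users MFA policy with no exclusions
        "mfa_enforced": bool(enforced) and not any(p["excluded_users"] for p in enforced),
        "enforced_policies": enforced,
        "report_only_policies": report_only,
        "users_without_mfa": no_mfa,
        "admins_without_mfa": admins_no_mfa,
    }


def with_policy_fixed(policies, name):
    """Copy of the policy set with the named policy switched to 'enabled' and
    its exclusions cleared: the setting the written policy claimed all along."""
    fixed = copy.deepcopy(policies)
    for p in fixed["value"]:
        if p["displayName"] == name:
            p["state"] = "enabled"
            p["conditions"]["users"]["excludeUsers"] = []
    return fixed


if __name__ == "__main__":
    print("as found:", json.dumps(mfa_gaps(CA_POLICIES, REGISTRATION), indent=2))
    corrected = with_policy_fixed(CA_POLICIES, "Require MFA for all users")
    print("after fix:", json.dumps(mfa_gaps(corrected, REGISTRATION), indent=2))
```

Note what the corrected run still reports: switching the policy to enabled does not by itself register a method for the owner or bob, so `users_without_mfa` stays populated until they complete enrollment at their next sign-in. Both halves of the report (policy state and per-user capability) have to be clean before "MFA required for all users" is a true statement.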
Implications for firms in this region
You are not too small. You are profitable enough. You have payroll data, client lists, financial records, and access to your clients' systems if you operate in a service industry. That is sufficient.
The attacks we are seeing do not require sophisticated tooling. They require a password list, a proxy, and patience. The defenses that actually work are not exotic: enforced phishing-resistant MFA, conditional access rules, endpoint detection that alerts on credential dumping, logging that someone actually reviews.
If you would like to talk through what that looks like for your specific environment and user base, reach out to us at craftworkgrp.com/contact.