The math
Microsoft has published the same finding for years: MFA stops the overwhelming majority of automated account-compromise attacks. Even basic SMS-based MFA — the weakest version — defeats the bulk of credential-stuffing and phishing-driven sign-ins. Stronger versions raise the bar further. The point is that no MFA is functionally an open door.
The five-minute setup most owners delay for years
Microsoft 365 makes MFA enforcement a single tenant-wide setting. Conditional Access policies refine it — block sign-ins from foreign geographies, require MFA on every new device, exempt office IPs if you must. The setup takes minutes per user. The benefit compounds for the life of the tenant.
The phishing-resistant version (when MFA isn't enough)
The weakest MFA — codes texted to your phone — is bypassable by attackers who have the patience to social-engineer the user. Phishing-resistant methods (hardware keys, passkeys, Windows Hello) close that gap. For executives, finance staff, and IT admins, those should be the default.
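As an added example (not from the article), the two policies the previous sections describe, expressed with the Microsoft Graph PowerShell SDK: a tenant-wide baseline that requires MFA for everyone, and a phishing-resistant policy for the executives, finance staff and admins named above. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the two object IDs (an emergency-access account and a privileged-users group) are placeholders you replace with values from your own tenant.

```powershell
# Added example, not the article's own configuration. Assumes Microsoft.Graph.Identity.SignIns
# is installed; $breakGlassId and $privilegedGroupId are placeholders for IDs in your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassId      = "<object-id-of-emergency-access-account>"     # placeholder
$privilegedGroupId = "<object-id-of-execs-finance-admins-group>"   # placeholder

# Policy 1: baseline MFA for every user on every cloud app.
# Starts in report-only so sign-in logs show the impact before anyone is locked out.
$baseline = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)   # never lock the emergency account out
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline

# Policy 2: phishing-resistant MFA (FIDO2 key, passkey, Windows Hello for Business)
# for the group holding executives, finance staff and IT admins.
# The GUID is the built-in "Phishing-resistant MFA" authentication strength; confirm it
# in your tenant with Get-MgPolicyAuthenticationStrengthPolicy before relying on it.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$privileged = @{
    displayName = "CA002 - Phishing-resistant MFA for privileged users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($privilegedGroupId)
            excludeUsers  = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $privileged
```

Leave both policies in report-only until the sign-in log shows no unexpected blocks, then set `state = "enabled"`; the excluded emergency account should itself be protected by a FIDO2 key and monitored for any sign-in.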
"We don't need it, we're small" is the wrong instinct
Attackers don't aim at companies; they aim at credentials. Small businesses get caught in the same automated nets that catch large ones. The shop with no IT department is exactly the demographic with the least MFA — which is exactly why it's targeted.
