Agent Foskett • Microsoft Security • Modern Cyber Risk
Cyber Security Is Not Just Antivirus
For years, many organisations viewed cyber security as a simple checklist: install antivirus, update Windows occasionally and hope for the best.
In 2026, that mindset still exists more often than many people realise.
“We have antivirus installed, so we are secure.”
It sounds familiar. It sounds comfortable. It also belongs to a much older threat landscape.
Modern attacks target identities, sessions, cloud services, email trust, user behaviour and weak configuration. Many of the most important signals are not obvious malware alerts at all. They are hidden in Microsoft 365, Entra ID, Defender XDR, Sentinel and the logs most businesses rarely review.
Antivirus still has a role, but it is no longer the whole security story. GEMXIT investigates the modern risks that sit beyond traditional malware detection: identity compromise, email spoofing, token abuse, cloud access, misconfiguration and weak visibility.
Move beyond antivirus-only thinking
Review identity, email and cloud signals
Understand what dashboards miss
🚨 “We installed antivirus” is not a complete cyber security strategy in 2026.
Modern security is about visibility, identity, behaviour, cloud controls and understanding the signals behind security events.
The traditional view of cyber security was built around stopping viruses on computers. That mattered then. It still matters now. But the environment around it has changed completely.
Install antivirus: Many businesses still believe endpoint antivirus is the main defensive layer, rather than one part of a wider security model.
Patch occasionally: Updates are important, but occasional patching does not answer identity risk, cloud exposure, email trust or session abuse.
Hope nothing happens: Hope is not monitoring. If nobody reviews the signals, the business may not know what happened until after the damage is done.
What changed?
Attackers no longer need to behave like old-fashioned viruses. They can sign in, reuse sessions, abuse OAuth consent, spoof email, move through cloud services and use legitimate tools already present in the environment.
Identity became the perimeter: Microsoft 365, Azure, SaaS apps and remote work mean identity is now one of the most valuable attack paths.
Email trust is abused: DMARC failures, spoofed domains and lookalike senders can create business risk long before a traditional malware alert appears.
Telemetry matters: The important evidence is often spread across sign-in logs, email events, URL clicks, device activity and Conditional Access results.
Legitimate tools are used: PowerShell, rundll32, mshta, browsers and admin portals can all appear normal unless someone understands the context.
Low severity is not no risk: Some investigations start with quiet indicators that never look dramatic in a dashboard.
Configuration is security: Weak Conditional Access, poor device trust, missing DMARC enforcement and unmanaged accounts can create exposure without malware.
First hunt: endpoint protection is only one signal
Endpoint security products are important, but an inventory of installed protection does not prove the whole environment is secure. It simply tells you one piece of the story.
What to review: Which devices have protection installed, which versions are present and whether there are gaps across servers, laptops and unmanaged endpoints.
Why it matters: Antivirus presence is a control check. It is not proof that identity, email, cloud and user behaviour risks are understood.
Best next pivot: Move from installed software inventory into alerts, sign-ins, email events, device activity and Conditional Access outcomes.
Second hunt: identity signals beyond malware
Many modern incidents begin with a sign-in, not a virus. Review authentication behaviour, locations, client applications, device details and whether MFA was required or simply satisfied silently.
What to review: Look for unfamiliar locations, unmanaged devices, unusual applications, legacy clients or access that was allowed without the expected challenge.
Why it matters: A user can be compromised without a traditional malware file ever landing on the device.
Best next pivot: Review Conditional Access, MFA methods, sign-in frequency, session controls and account risk events.
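One way to turn the identity hunt above into a query, as an added example that is not part of the original briefing. It assumes the Microsoft Sentinel SigninLogs table (Entra ID sign-in diagnostics) with its standard columns; the legacy client list and the 7-day lookback are assumptions to tune for your tenant.

```kql
// Added example: successful sign-ins from the last 7 days that were allowed without an MFA
// requirement, without Conditional Access applying, from a legacy client, or from a device
// that is neither managed nor compliant. Assumes the Sentinel SigninLogs table.
let lookback = 7d;
// Assumed list of legacy protocols worth flagging; adjust to what your tenant still permits.
let legacyClients = dynamic(["Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                   // successful sign-ins only
| extend isManaged   = tobool(DeviceDetail.isManaged),
         isCompliant = tobool(DeviceDetail.isCompliant)
| extend noMfaChallenge  = AuthenticationRequirement == "singleFactorAuthentication",
         caNotApplied    = ConditionalAccessStatus == "notApplied",
         legacyClient    = ClientAppUsed in (legacyClients),
         // coalesce() so a missing device record counts as unmanaged rather than as null
         unmanagedDevice = not(coalesce(isManaged, false)) and not(coalesce(isCompliant, false))
| where noMfaChallenge or caNotApplied or legacyClient or unmanagedDevice
| summarize SignIns      = count(),
            Locations    = make_set(Location, 10),
            IPs          = make_set(IPAddress, 10),
            Apps         = make_set(AppDisplayName, 10),
            Clients      = make_set(ClientAppUsed, 5),
            RiskLevels   = make_set(RiskLevelDuringSignIn, 5),
            NoMfa        = countif(noMfaChallenge),
            CaNotApplied = countif(caNotApplied),
            Legacy       = countif(legacyClient),
            Unmanaged    = countif(unmanagedDevice)
    by UserPrincipalName
// Surface the quiet combinations first: several locations, any legacy protocol,
// or single-factor access from an unmanaged device.
| where array_length(Locations) > 1 or Legacy > 0 or (NoMfa > 0 and Unmanaged > 0)
| order by SignIns desc
```

Each row is a user to pivot on, using the sign-in frequency, session controls and risk events the briefing lists as the next step.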
Third hunt: email trust and spoofing signals
Business email compromise often starts with trust. A message can look normal to a user while the underlying authentication details show something very different.
What to review: Messages where DMARC failed, spoofing was detected, the sender domains do not align or delivery still occurred despite authentication concerns.
Why it matters: A clean endpoint does not protect a user who trusts the wrong email at the wrong time.
Best next pivot: Review SPF, DKIM, DMARC policy, anti-phishing settings, user reporting and URL click evidence.
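The email trust hunt above as a query, added here as an example rather than taken from the briefing. It assumes the Defender XDR EmailEvents table in Advanced Hunting, that AuthenticationDetails is a JSON string carrying SPF, DKIM, DMARC and CompAuth results, and that spoof verdicts appear in DetectionMethods; the ownDomains list is a placeholder for your accepted domains.

```kql
// Added example: inbound mail from the last 7 days where DMARC failed, the visible From
// domain does not align with the envelope MAIL FROM domain, or a spoof verdict was recorded,
// grouped so that mail which still reached a mailbox stands out. Assumes Defender XDR EmailEvents.
let lookback = 7d;
let ownDomains = dynamic(["example.com"]);          // placeholder: your accepted domains
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| extend Auth = parse_json(AuthenticationDetails)   // assumed shape: {"SPF":..,"DKIM":..,"DMARC":..,"CompAuth":..}
| extend SPF      = tostring(Auth.SPF),
         DKIM     = tostring(Auth.DKIM),
         DMARC    = tostring(Auth.DMARC),
         CompAuth = tostring(Auth.CompAuth)
| extend dmarcFailed     = DMARC == "fail",
         domainMismatch  = SenderFromDomain != SenderMailFromDomain,
         spoofsOwnDomain = SenderFromDomain in (ownDomains),
         spoofDetected   = DetectionMethods has "Spoof"
| where dmarcFailed or domainMismatch or spoofDetected
| summarize Messages       = count(),
            Recipients     = dcount(RecipientEmailAddress),
            Delivered      = countif(DeliveryAction == "Delivered"),
            Blocked        = countif(DeliveryAction == "Blocked"),
            Junked         = countif(DeliveryAction == "Junked"),
            SampleSubjects = make_set(Subject, 5),
            Detections     = make_set(DetectionMethods, 5)
    by SenderFromDomain, SenderMailFromDomain, SPF, DKIM, DMARC, CompAuth, spoofsOwnDomain
// "Delivery still occurred despite authentication concerns": keep only sender pairs
// where at least one message landed in a mailbox.
| where Delivered > 0
| order by spoofsOwnDomain desc, Delivered desc
```

Rows where spoofsOwnDomain is true and DMARC is "fail" are the ones to check against your DMARC policy (p=none will not block them) and against the anti-phishing and Safe Links settings the briefing names next.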
The modern security reality
Cyber security in 2026 is not one product. It is a layered understanding of how people, identities, devices, applications and cloud services behave together.
Security is identity: Accounts, MFA, sessions, Conditional Access, device trust and privilege are now central to modern defence.
Security is email trust: Phishing, spoofing, DMARC failure and malicious links remain some of the most practical business risks.
Security is visibility: If nobody reviews the telemetry, the organisation is trusting dashboards to understand everything automatically.
Security is configuration: The wrong setting can quietly undo the protection a business thought it had purchased.
Security is investigation: The important question is often not “Did an alert fire?” but “What story do the signals tell?”
Security is culture: Users, managers and IT teams need to understand that convenience decisions often become security decisions.
What businesses commonly say
These statements sound harmless, but each one can hide a gap in visibility, control or accountability.
“We have antivirus.” Good. But who is reviewing identity risk, email authentication, cloud access, application permissions and risky sessions?
“MFA is enabled.” Excellent. But are sessions reviewed, token risks understood and Conditional Access policies actually enforcing the right controls?
“Nothing has happened.” Maybe. Or maybe nobody has looked deeply enough at the signals to know.
What should organisations do?
The answer is not to throw away endpoint protection. The answer is to stop treating it as the finish line.
Review the whole Microsoft environment: Look across Microsoft 365, Entra ID, Defender XDR, Sentinel, Exchange Online, SharePoint, OneDrive and endpoint telemetry.
Validate identity controls: MFA, Conditional Access, sign-in frequency, session controls, device compliance and privileged access need practical review.
Harden email security: SPF, DKIM, DMARC, anti-phishing policies, Safe Links, user reporting and spoofing investigations all matter.
Threat hunt regularly: Use KQL to review weak signals across sign-ins, email, URL clicks, device processes and cloud activity.
Ask better questions: Do not only ask whether a product is installed. Ask what it sees, what it misses and who understands the output.
Build practical security habits: Security improves when teams regularly review real evidence, not just settings pages and marketing promises.
How GEMXIT helps
At GEMXIT, we help organisations move from “we have security tools” to “we understand what our environment is telling us.”
We review Microsoft security posture: Identity, email, endpoint, cloud, Conditional Access, Defender XDR and Sentinel visibility are reviewed as connected parts of the same story.
We interpret the telemetry: Dashboards matter, but investigation requires context, correlation and practical understanding of the signals.
We reduce real business risk: The goal is not fear. The goal is practical security improvement before a weak signal becomes a 2 am emergency.
Cyber security has moved far beyond “install antivirus and hope for the best.” GEMXIT helps organisations review Microsoft 365, Entra ID, Defender XDR, Sentinel and cloud security controls to understand the signals behind the events.
Antivirus can stop malware. It cannot explain every risky sign-in, every spoofed email, every trusted session, every misconfiguration or every weak signal hiding in the noise.
At GEMXIT: We help organisations review Microsoft 365, Entra ID, Defender XDR, Sentinel and KQL hunting signals to improve visibility and reduce practical cyber risk.
Agent Foskett mindset: The important question is not only “Do we have antivirus?” It is “Do we understand what our environment is trying to tell us?”
Develop IT. Protect IT.
GEMXIT PTY LTD | GEMXIT UK LTD
Cyber Security Is Not Just Antivirus in 2026
This Agent Foskett briefing explains why modern cyber security has moved beyond installing antivirus and now requires identity security, email authentication, Microsoft 365 visibility, cloud controls, Defender XDR and KQL threat hunting.
Microsoft Security, Defender XDR and KQL Threat Hunting
GEMXIT helps organisations review Microsoft 365, Entra ID, Defender XDR, Sentinel, Conditional Access, email security, endpoint telemetry and practical cyber security risks across modern cloud environments.
Beyond Antivirus: Identity, Email, Cloud and Visibility
Example investigation areas include suspicious sign-ins, MFA behaviour, session risk, DMARC failures, spoofed domains, URL clicks, endpoint inventory, device trust, PowerShell activity, cloud access and signals that dashboards may miss.