Automatic attack disruption in Microsoft 365 Defender uses XDR signals from different sources (endpoints, email, identity, data) to automatically contain compromised assets and stop ongoing cyber attacks, minimizing their impact on organizations.
The main objective of this feature is to achieve containment during the incident response phase. In terms of automatic disruption, there are two actions that can be taken: "device contain" by Microsoft Defender for Endpoint and "disable user" by Microsoft Defender for Identity.
Microsoft 365 Defender XDR provides coverage for the following three advanced attacks to disrupt further progression.
- Adversary-in-the-middle attacks (AiTM)
- Business email compromise (BEC)
- Human-operated ransomware attacks
Automatic attack disruption, Microsoft 365 Defender Blog
An AiTM attack refers to the "Adversary-in-the-Middle" phishing technique, where attackers intercept the communication between a user and a legitimate website, stealing passwords and session cookies to gain unauthorized access and perform fraudulent activities.
- July 12, 2022, From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
- November 16, 2022, Token tactics: How to prevent, detect, and respond to cloud token theft
- March 13, 2023, DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
- June 8, 2023, Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
Business Email Compromise (BEC) is a cyberattack where attackers deceive organizations through fraudulent emails. They impersonate trusted individuals to trick employees into taking unauthorized actions, such as transferring money or revealing sensitive information. BEC attacks can lead to financial losses and reputational damage for businesses.
Human-operated ransomware attacks, also known as "hands-on-keyboard" attacks, refer to a specific type of ransomware attack in which skilled human attackers actively participate in various stages of the attack rather than relying solely on automated tools or malware.
- Human-operated ransomware | Microsoft Learn
- March 5, 2020, Human-operated ransomware attacks: A preventable disaster
- Automatic attack disruption in Microsoft 365 Defender
- February 22, 2023, Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender
- March 8, 2023, XDR attack disruption in action – Defending against a recent BEC attack
- May 17, 2023, Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.