Automated attack disruption of Ransomware and BEC (Business email compromise uses high-confidence Extended Detection and Response (XDR) signals across all workloads; endpoints, identities, email, and SaaS apps, to contain the threat quickly and effectively, to stop further impact.
These 2 scenarios are common attacks and it’s really great that they are supported by the feature in Microsoft 365 Defender.
Business Email Compromise, BEC
Threat actors are impersonating executives to trick, for example, Economic department to transfer money by impersonating the CFO or the CEO.
Automatic attack disruption can help to detect these attacks and remove the access to the accounts by disabling the compromised account, limiting their ability to send fraudulent email
Human-operated ransomware, HumOR
This attack, commonly used today, is devastating for an organization. The threat actors has full control of the environment and have usually controlled the environment for some time.
The challenge from a SecOps perspective is to be fast enough to respond to the incidents and mitigate accounts and the devices fast enough.
When the threat actors has gained privileged access, things move very quick and automatic attack disruption will contain the spreader device and disable the compromised user account
Automatic attack disruption operates in 3 key stages
- Detect malicious activity and establish high confidence
- Classification of scenarios and identification of assets controlled by the attacker
- Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack
First the detection will happen, which is achieved by AI, research-information etc.., to establish a high level of confidence in accurately detecting ransomware spread and encryption activity. The XDR-level capability correlates insights across endpoints, identities, email and SaaS apps to establish high-fidelity alerts.
A second stage will aggregate automatic analyze the activities like tampering, backup deletion, credential theft, mass lateral movement and many more to flag the assets included in the chain and trace the activities back to the remote execution TTP
Distrupting the attack
Response actions against the entities which are identified as compromised and in the public preview these two are the main actions:
- Disable user – If MDI is in place, it will trigger a Suspend Account which will suspend the user in AD and AAD
Remediation actions – Microsoft Defender for Identity | Microsoft Learn - Device containment, MDE onboarded devices will automatically be prevented from communicating with the compromised device
When this happens, it will be visible in the:
Incident queue
- A tag titled “Attack Disruption” next to affected incidents
If you really must exclude some user from the automatic attack disruption, then you can do it in the MDI settings
Incident page
- A tag titled “Attack Disruption”.
- A yellow banner at the top of the page that highlights the automatic action taken.
- The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained.
Some thoughts
It’s important that prerequisites are fixed, like MDI Action Account (if not using built-in system account) and
For further reading, please visit
Automatic attack disruption in Microsoft 365 Defender | Microsoft Learn
Stay safe, Protect the world and Happy Hunting!