Microsoft 365 Defender Now Automatically Disrupts Adversary-in-the-Middle Attacks

Microsoft 365 Defender can now automatically detect and disrupt "adversary-in-the-middle" (AiTM) attacks, Microsoft announced on Wednesday.

Such attacks might entail a phishing attempt that diverts a victim over to an attacker-controlled site to "intercept credentials and session cookies and bypass multifactor authentication." The phishing attempt might be done as a prelude to additional attacks, such as business e-mail compromise (BEC) fraud, the announcement explained.

In such cases, Microsoft asserts that its AiTM protection in Microsoft 365 Defender, part of its automatic attack disruption capability, is capable of detecting the attack with "high confidence." It will automatically take certain actions, such as disabling a compromised account and revoking stolen session cookies.

The idea is to block lateral movement by an attacker at an early stage. Meanwhile, an organization's security operations center team will have "complete control of investigating, remediating, and bringing assets back online," Microsoft contended, in this document on the automatic attack disruption feature.
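The two containment actions the announcement describes, disabling the compromised account and revoking its session cookies, are the same steps a SOC analyst would take by hand if the automated disruption did not fire or the organization lacks the licensing for it. The following script is an added example, not part of the article or of Microsoft's own Defender code; it performs those two actions with the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, the operator holds the User.ReadWrite.All permission, and the user principal name passed in is a placeholder for the account flagged by the alert.

```powershell
# Added example (not from the article or from Microsoft): manual equivalent of the
# two AiTM containment actions described above, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller granted User.ReadWrite.All;
# $UserPrincipalName is a placeholder for the account named in the Defender alert.
function Invoke-AitmContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Delegated sign-in; in a scheduled job you would use an app registration instead.
    Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user) {
        throw "User '$UserPrincipalName' not found; nothing to contain."
    }

    # 1. Disable the account so the stolen password and any replayed MFA proof no longer
    #    produce a new sign-in. This is the "disabling a compromised account" step.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Disable account")) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # 2. Invalidate refresh tokens and browser session cookies issued before now.
    #    Caveat: access tokens already in the attacker's hands stay valid until they expire
    #    (typically up to an hour), so this closes the door at the next token refresh, not instantly.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Revoke sign-in sessions")) {
        $result = Revoke-MgUserSignInSession -UserId $user.Id
        if (-not $result.Value) {
            Write-Warning "Session revocation for $($user.UserPrincipalName) did not report success; verify in Entra sign-in logs."
        }
    }

    # Return a small record the analyst can attach to the incident.
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        AccountDisabled = -not (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled
        SessionsRevoked = [bool]$result.Value
        Timestamp       = (Get-Date).ToUniversalTime()
    }
}

# Usage (placeholder account):
# Invoke-AitmContainment -UserPrincipalName "victim@contoso.example" -WhatIf   # dry run
# Invoke-AitmContainment -UserPrincipalName "victim@contoso.example"
```

The order matters: disabling the account first prevents the attacker from minting a fresh session in the window before revocation takes effect, and the `-WhatIf` switch lets an analyst preview both actions before touching a production identity. Re-enabling the account and resetting the password remain manual follow-up steps, matching the article's point that the SOC keeps control of remediation and bringing assets back online.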

Organizations wanting to use the new AiTM capability in the automatic attack disruption feature will need top-of-the-line Microsoft 365 Defender licensing. Microsoft 365 Defender itself is a top product line consisting of multiple Microsoft security services for enterprises.

The automatic attack disruption feature in Microsoft 365 Defender specifically requires having licensing for Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps and Defender for Office 365 Plan 2, along with E5-type Microsoft 365 licensing, according to this document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
