Microsoft 365 Defender has expanded its automatic attack disruption capabilities to include Adversary-in-the-middle (AiTM) attacks, in addition to BEC (business email compromise) and human-operated ransomware attacks. This feature does not require any pre-configuration by a security operations center (SOC) team and is built in as a capability in Microsoft's XDR.
Adversary-in-the-middle (AiTM) attacks are a serious threat to organizations, as they allow attackers to intercept and manipulate network communications between users, devices, and servers. By creating fake websites that impersonate legitimate ones, attackers can steal credentials, session cookies, and other sensitive information from unsuspecting users. These attacks can also bypass multifactor authentication (MFA) and enable further attacks such as business email compromise (BEC) and credential harvesting.
Microsoft has developed a powerful solution to automatically disrupt AiTM attacks using its extended detection and response (XDR) platform, Microsoft 365 Defender. The tool already correlates millions of signals across endpoints, identities, emails, collaboration tools, and SaaS apps to identify active attacks and compromised assets in an organization's environment.
It also uses artificial intelligence (AI) models to stop some of the most sophisticated attack techniques while in progress and limit lateral movement and damage. Combining the power of Microsoft 365 Defender with the existing automatic attack disruption capabilities can protect organizations from AiTM attacks.
How Does Automatic Detection of AiTM Attacks Work?
In its blog post, Microsoft details how the detection system works and then prevents cyberattacks from happening:
- High-confidence identification of an AiTM attack based on multiple, correlated Microsoft 365 Defender signals.
- Automatic response is triggered that disables the compromised user account in Active Directory and Azure Active Directory.
- The stolen session cookie is automatically revoked, preventing the attacker from using it for additional malicious activity.
The SOC team can configure automatic attack disruption and easily revert any action from the Microsoft 365 Defender portal. They can also see the details of the contained AiTM incident, with an attack disruption tag.
This feature helps organizations protect themselves from AiTM attacks and reduce their potential impact. It also demonstrates Microsoft's commitment to harnessing the power of AI to help security teams scale more effectively.