Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR
Published May 17 2023 10:03 AM

UPDATE: As of July 4th, 2023, the expansion of the automatic attack disruption capability in Microsoft 365 Defender to include adversary-in-the-middle (AiTM) attacks is now generally available (GA).


Microsoft has been on a journey to harness the power of artificial intelligence to help security teams scale more effectively. Microsoft 365 Defender correlates millions of signals across endpoints, identities, emails, collaboration tools, and SaaS apps to identify active attacks and compromised assets in an organization’s environment. Last year, we introduced automatic attack disruption, which uses these correlated insights and powerful AI models to stop some of the most sophisticated attack techniques while in progress to limit lateral movement and damage.  


Today, we are excited to announce the expansion of automatic attack disruption to include adversary-in-the-middle (AiTM) attacks, in addition to the previously announced public preview for business email compromise (BEC) and human-operated ransomware attacks.


AiTM attacks are widespread and can pose a major risk to organizations. We are observing a rising trend in the availability of adversary-in-the-middle (AiTM) phishing kits for purchase or rent.


During AiTM attacks (Figure 1), a phished user interacts with an impersonated site created by the attacker. This allows the attacker to intercept credentials and session cookies and bypass multifactor authentication (MFA); the stolen credentials and cookies can then be used to initiate other attacks such as BEC and credential harvesting.


Automatic attack disruption does not require any pre-configuration by the SOC team. Instead, it’s built in as a capability in Microsoft’s XDR.

Figure 1. Example of an AiTM phishing campaign that led to a BEC attack


How Microsoft’s XDR automatically contains AiTM attacks

As with attack disruption for BEC and human-operated ransomware attacks, the goal is to contain the attack as early as possible while it is active in an organization’s environment and reduce its potential damage to the organization. AiTM attack disruption works as follows:


  1. High-confidence identification of an AiTM attack based on multiple, correlated Microsoft 365 Defender signals.
  2. An automatic response is triggered that disables the compromised user account in Active Directory and Azure Active Directory.
  3. The stolen session cookie will be automatically revoked, preventing the attacker from using it for additional malicious activity.
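
The three steps above can be modelled in a few lines. This is an added illustration, not Microsoft's detection or response logic: the `IdentityProvider` class, the event fields, the sample events and the single "same session, different client" signal are all assumptions made for the example.

```python
# Added illustration: toy model of detect -> disable account -> revoke session.
# All names, fields and sample events are constructed; not Microsoft's logic.
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    disabled: set = field(default_factory=set)   # disabled user accounts
    revoked: set = field(default_factory=set)    # revoked session ids

    def accepts(self, user, session_id):
        """Honour a request only if the account is enabled and the session is live."""
        return user not in self.disabled and session_id not in self.revoked

    def contain(self, user, session_id):
        """Steps 2 and 3: disable the account and revoke the stolen session."""
        self.disabled.add(user)
        self.revoked.add(session_id)

    def revert(self, user):
        """SOC-initiated revert: re-enable the account. In this model the
        revoked session stays revoked, so the user must sign in again."""
        self.disabled.discard(user)

# Constructed sign-in events: (user, session_id, source_ip, user_agent)
EVENTS = [
    ("alice", "s-100", "198.51.100.7", "Edge/Windows"),   # real user, MFA done
    ("bob",   "s-200", "198.51.100.9", "Safari/macOS"),
    ("alice", "s-100", "203.0.113.50", "Firefox/Linux"),  # same cookie, new client
    ("bob",   "s-200", "198.51.100.9", "Safari/macOS"),
]

def replayed_sessions(events):
    """Step 1 (simplified): sessions presented by more than one client fingerprint."""
    clients = {}
    for user, sid, ip, agent in events:
        clients.setdefault((user, sid), set()).add((ip, agent))
    return {key for key, seen in clients.items() if len(seen) > 1}

def run_disruption(idp, events):
    """Contain every flagged session and return what was flagged."""
    flagged = replayed_sessions(events)
    for user, sid in flagged:
        idp.contain(user, sid)
    return flagged

if __name__ == "__main__":
    idp = IdentityProvider()
    print(run_disruption(idp, EVENTS), idp.accepts("alice", "s-100"))
```

A single fingerprint change would also fire for a legitimate user who switches networks or devices, which is why step 1 relies on multiple, correlated signals rather than one.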

Figure 2. An example of a contained AiTM incident, with attack disruption tag


To ensure SOC teams have full control, they can configure automatic attack disruption and easily revert any action from the Microsoft 365 Defender portal. See our documentation for more details.


Get started

  1. Make sure your organization fulfills the Microsoft 365 Defender prerequisites.
  2. Connect Microsoft Defender for Cloud Apps to Microsoft 365.
  3. Deploy Defender for Endpoint. A free trial is available here.
  4. Deploy Microsoft Defender for Identity. You can start a free trial here.

Last update: Jul 05 2023 11:07 AM