UPDATE: As of July 4th, 2023, the expansion of the automatic attack disruption capability in Microsoft 365 Defender to include adversary-in-the-middle (AiTM) attacks is now generally available (GA).
Microsoft has been on a journey to harness the power of artificial intelligence to help security teams scale more effectively. Microsoft 365 Defender correlates millions of signals across endpoints, identities, emails, collaboration tools, and SaaS apps to identify active attacks and compromised assets in an organization’s environment. Last year, we introduced automatic attack disruption, which uses these correlated insights and powerful AI models to stop some of the most sophisticated attack techniques while in progress to limit lateral movement and damage.
Today, we are excited to announce the expansion of automatic attack disruption to include adversary-in-the-middle (AiTM) attacks, in addition to the previously announced public preview for business email compromise (BEC) and human-operated ransomware attacks.
During AiTM attacks (Figure 1), a phished user interacts with an impersonated site created by the attacker. This allows the attacker to intercept credentials and session cookies and bypass multifactor authentication (MFA), which can then be used to initiate other attacks such as BEC and credential harvesting.
Automatic attack disruption does not require any pre-configuration by the SOC team. Instead, it’s built in as a capability in Microsoft’s XDR.
Figure 1. Example of an AiTM phishing campaign that led to a BEC attack
How Microsoft’s XDR automatically contains AiTM attacks
As with attack disruption of BEC and human-operated ransomware attacks, the goal is to contain the attack as early as possible while it is still active in an organization’s environment and reduce its potential damage. AiTM attack disruption works as follows:
1. An AiTM attack is identified with high confidence based on multiple, correlated Microsoft 365 Defender signals.
2. An automatic response is triggered that disables the compromised user account in Active Directory and Azure Active Directory.
3. The stolen session cookie is automatically revoked, preventing the attacker from using it for additional malicious activity.
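The following PowerShell script is an added example, not code from the Microsoft post or from Microsoft 365 Defender itself. It performs the two response actions described above by hand (disable the account in on-premises AD and Azure AD, then revoke the user’s sign-in sessions), verifies the result, and can revert the account disablement, which is what a SOC would do when reproducing or double-checking the automatic action. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules (SDK v2) are installed, that the operator holds rights to disable users and revoke sessions, and that the UPN and sAMAccountName of the affected user are known; `user@contoso.example` is a placeholder.

```powershell
# Added example (not from the Microsoft post): manual equivalents of the
# containment steps described above, plus verification and revert.
# Assumes the ActiveDirectory and Microsoft.Graph (v2) modules are installed.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. user@contoso.example (placeholder)
    [Parameter(Mandatory)] [string] $SamAccountName,     # on-premises AD logon name
    [switch] $Revert                                     # re-enable the account instead of containing it
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Microsoft.Graph.Users -ErrorAction Stop
Import-Module Microsoft.Graph.Users.Actions -ErrorAction Stop

# User.ReadWrite.All is sufficient to both disable the account and revoke sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

if (-not $Revert) {
    # Step 2 of the post: disable the account in on-premises AD and in Azure AD.
    Disable-ADAccount -Identity $SamAccountName
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # Step 3: invalidate the user's refresh tokens and session cookies so a
    # stolen session can no longer be replayed by the attacker.
    $result = Revoke-MgUserSignInSession -UserId $UserPrincipalName
    if ($null -ne $result -and -not $result.Value) {
        throw "Session revocation for $UserPrincipalName did not succeed"
    }
}
else {
    # Revert: re-enable the account once the SOC has confirmed a false positive
    # or finished remediation. Revoked sessions are not restored; the user
    # simply signs in again (and is prompted for MFA as usual).
    Enable-ADAccount -Identity $SamAccountName
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
}

# Verification: AccountEnabled should reflect the action taken in both
# directories, and SignInSessionsValidFromDateTime moves forward to the
# revocation time once sessions have been revoked.
$user = Get-MgUser -UserId $UserPrincipalName -Property "accountEnabled,signInSessionsValidFromDateTime"
[pscustomobject]@{
    User              = $UserPrincipalName
    AzureADEnabled    = $user.AccountEnabled
    OnPremEnabled     = (Get-ADUser -Identity $SamAccountName).Enabled
    SessionsValidFrom = $user.SignInSessionsValidFromDateTime
}
```

Run it as `.\Contain-AiTMUser.ps1 -UserPrincipalName user@contoso.example -SamAccountName user` to contain, and add `-Revert` to re-enable the account afterwards. Checking SignInSessionsValidFromDateTime after the revocation is the quickest way to confirm that any session cookie captured before that timestamp is no longer usable.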
Figure 2. An example of a contained AiTM incident, with attack disruption tag
To ensure SOC teams have full control, they can configure automatic attack disruption and easily revert any action from the Microsoft 365 Defender portal. See our documentation for more details.