Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender

Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender

The ever-growing volume of advanced cybersecurity attacks challenges even the most advanced Security Operations (SOC) teams. Image 1 shows a timeline of a typical human-operated ransomware attack where the attacker encrypted hundreds of devices in just minutes. It demonstrates how quickly threat actors spread and execute attacks and highlights the criticality to quickly identify and contain high-impact attacks to limit the impact to organizations.


To help SOC teams address these challenges, we announced automatic attack disruption in Microsoft 365 Defender last year at Microsoft Ignite. This capability uses high-confidence Extended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps, to contain active cybersecurity attacks quickly and effectively, to stop progression and limit the impact to your organization.


Today, we are excited to announce the expansion of the public preview to cover business email compromise (BEC) campaigns, in addition to human-operated ransomware (HumOR) attacks.


Image 1: Timeline device encryption during a human-operated ransomware attackImage 1: Timeline device encryption during a human-operated ransomware attack


The impact of automatic attack disruption

Automatic attack disruption is designed to contain attacks in progress by automatically disabling or restricting devices and user accounts used in an attack. Disabling credentials available to the attacker, as well as their ability to use devices that communicate over the network, limits the ability to impact additional assets and gives SOC teams more time to remediate attacks.

Unlike known protection methods such as prevention and blocking based on a single indicator of compromise, attack disruption in Microsoft 365 Defender leverages the breadth of our XDR signal to act at the incident level and takes the entire attack into account.


This game-changing capability comes built-in with Microsoft 365 Defender and limits a threat actor’s progress early on - reducing the overall impact of an attack, from associated costs to loss of productivity.



Tackling advanced attacks

Business email compromise and human-operated ransomware attacks are two common attack scenarios that are now supported by Microsoft 365 Defender’s automatic attack disruption capabilities to reduce their impact on an organization:


Business email compromise – BEC attacks commonly involve cybercriminals impersonating a company's executives or vendors to trick employees into transferring money or sensitive information - causing financial losses and reputational damage. Automatic attack disruption can help detect these attacks and remove the attacker’s access to the environment by disabling the compromised account, limiting their ability to send fraudulent email, and preventing money transfers and financial losses.


Image 2: Typical BEC attack flowImage 2: Typical BEC attack flow


Human-operated ransomware – Our analysis of dozens of ransomware cases shows that once a Threat Actor moves to deploy ransomware in a network, a SOC analyst has less than 20 minutes from deployment to effectively mitigate the attack. This narrow time frame, coupled with the high technical skills and time required to perform the analysis, makes manually responding near impossible. The attack shown in image 3 used elevation of privileges and deployed ransomware to critical data. Here, automatic attack disruption will contain the spreader device and disable the compromised user account.


Image 3: Typical human-operated ransomware attack flowImage 3: Typical human-operated ransomware attack flow


How we establish high confidence in Microsoft 365 Defender when taking automatic action

We understand that taking automatic action can come with hesitation, given the potential impact it can have on an organization. That’s why automatic attack disruption in Microsoft 365 Defender is designed to rely on high-fidelity XDR signals, coupled with insights from the continuous investigation of thousands of incidents by Microsoft’s research teams.


Automatic attack disruption operates in 3 key stages:

  1. Detect malicious activity and establish high confidence
  2. Classification of scenarios and identification of assets controlled by the attacker
  3. Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack


Detection is achieved by using our research-informed, AI-driven detection capabilities and refining them with specific signals, e.g. human operated ransomware, to establish a high level of confidence in accurately detecting ransomware spread and encryption activity. The XDR-level capability correlates insights across endpoints, identities, email and SaaS apps to establish high-fidelity alerts.


The second stage consists of further aggregation and automatic analysis of the malicious activities, such as product tampering, backup deletion, credential theft, mass lateral movement, and many more. The intent is to flag the assets that are responsible for the malicious activity. Microsoft 365 Defender unravels the chain of attacks by retracing the malicious activity on a device to its remote execution TTP.


Lastly, automatic response actions are triggered against entities identified as compromised. In the current public preview, the automatic attack disruption capabilities use two key response actions to stop in-progress attacks:


  • Disable user: If onboarded to Microsoft Defender for Identity, we will automatically trigger a Suspend Account action on the user(s) delivering the attack. The action suspends the compromised user account in Active Directory and syncs this information to Azure AD.
  • Device containment: For environments using Defender for Endpoint, devices will be automatically contained to prevent any onboarded device from communicating with the compromised machine.

To ensure that automatic actions don’t negatively impact the health of a network, Microsoft 365 Defender automatically tracks and refrains from containing network-critical assets and built client-side fail safe mechanisms into the containment lifecycle. In addition, any automatic actions can be easily undone to ensure the SOC stays in full control.


Work with automatic attack disruption

When automatic disruption takes effect, we want to ensure visibility of these automatic actions, that's why the Microsoft 365 Defender user experience now includes additional visual cues across the following experiences:


Incident queue

  • A tag titled “Attack Disruption” next to affected incidents

Incident page

  • A tag titled “Attack Disruption”.
  • A yellow banner at the top of the page that highlights the automatic action taken.
  • The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained.

Image 4: Automatic attack disruption incident view in Microsoft 365 Defender. Tags are visible in the right panel. Disabled account indication is shown in the Incident graph.Image 4: Automatic attack disruption incident view in Microsoft 365 Defender. Tags are visible in the right panel. Disabled account indication is shown in the Incident graph.


In addition, security teams can customize the configuration for automatic attack disruption and can easily revert any action from the Microsoft 365 Defender Portal, to ensure SOC teams have full control. Check out our documentation for more detail.


Microsoft 365 Defender is uniquely positioned to empower SOC teams to match the powerful techniques of adversaries and provide protection with the full context of an attack as the leading XDR natively spanning endpoint, identity, email and collaboration, and SaaS app security. Automatic attack disruption will change the game for SOC teams by limiting the impact of advanced attacks like BEC and human-operated ransomware through disruption at machine speed.



Get started

  1. Make sure your organization fulfills the Microsoft 365 Defender pre-requisites
  2. Connect Microsoft Defender for Cloud Apps to Microsoft 365.
  3. Deploy Microsoft Defender for Identity. You can start a free trial here.


Learn more

Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Viva Glint – Data control to enable recycling or reuse of Employee IDs

Microsoft Viva has introduced a new feature called Viva Glint that allows for better management of employee IDs. By implementing a control for...

11 hours ago

Viva Pulse – Pulse series for continuous feedback supporting AI transformations and change management

Microsoft Viva has announced the introduction of new templates for Pulse series, aimed at enabling continuous feedback scenarios for high-valu...

11 hours ago

Viva Insights – Publish analyst reports to Viva Insights App

Viva Insights is making it easier for analysts to distribute their reports by allowing them to publish them directly to the Viva Insights app ...

11 hours ago

Power Platform & M365 Dev Community Call – July 18th, 2024 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

1 day ago

Microsoft Viva: Viva Glint – Data control to process survey data upon receiving a delete signal

Microsoft Viva presents the new feature, Viva Glint, which gives customers the control to manage survey data processing following the receptio...

1 day ago

Microsoft Viva: Viva Pulse – New question types

Microsoft Viva's Viva Pulse introduces new question types that allow authors to create a more targeted survey experience for users. With the a...

1 day ago

Microsoft Viva: Viva Pulse – Notifications management for administrators to configure where Pulse notifications are delivered

Microsoft Viva's latest feature, Viva Pulse, offers administrators greater control over where notifications are delivered to users by enabling...

1 day ago

Microsoft Viva: Viva Learning – Copilot Academy visibility for users with Copilot SKU and VL Seeded/Premium

Microsoft Viva has announced that Copilot Academy will now be available to all users holding a Copilot for Microsoft License, as well as Viva ...

1 day ago

Microsoft Viva: Viva Pulse – Viva Pulse templates to measure Copilot readiness, adoption & impact as part of Microsoft 365 Copilot

Microsoft Viva has introduced new Viva Pulse templates specifically designed for measuring employee sentiment around M365 Copilot adoption in ...

1 day ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy