2023-02-27

Microsoft said last year that Microsoft 365 Defender would incorporate an automatic attack disruption tool to assist enterprises with cybersecurity risks.

This capability uses high-confidence Extended Detection and Response (XDR) signals gathered across endpoints, identities, email and cloud apps to halt an attack's progression and minimize its impact on your organization.

Microsoft stated this week that the feature is now in public preview and covers two attack types: business email compromise (BEC) and human-operated ransomware (HumOR).

More about automatic attack disruption

Microsoft demonstrated a typical human-operated ransomware operation in which the attacker encrypted hundreds of devices in minutes. The demonstration shows how quickly threat actors spread through a network and execute their payload, emphasizing the importance of identifying and containing high-impact attacks as early as possible.

Automatic attack disruption is intended to contain an ongoing attack by isolating or restricting the devices and user accounts engaged in it. Unlike traditional protection approaches such as prevention and blocking based on a single indicator of compromise, attack disruption in Microsoft 365 Defender acts at the incident level and takes the complete attack chain into account.

Microsoft 365 Defender will now intervene in the event of a business email compromise or a human-operated ransomware attack.

Business email compromise

BEC attacks typically involve cybercriminals impersonating a company’s executives or vendors in order to dupe employees into transferring money or sensitive information. Automatic attack disruption can help detect these attacks and cut off the attacker’s access to the environment by disabling the compromised account, restricting the attacker’s ability to send fraudulent email, and blocking money transfers that would otherwise cause financial loss.

Human-operated ransomware

According to Microsoft’s examination of dozens of ransomware cases, once a threat actor decides to deploy ransomware across a network, a SOC analyst has fewer than 20 minutes to mitigate the attack effectively. Given that short window, and the technical skill and investigation time the task demands, handling this crucial step manually is nearly impossible.

When automatic disruption is triggered, Microsoft 365 Defender marks the affected incident with visual cues so that analysts can see which containment actions were taken.

How to use Microsoft 365 Defender automatic attack disruption

Make sure your organization fulfills the Microsoft 365 Defender prerequisites.

Connect Microsoft Defender for Cloud Apps to Microsoft 365.

Deploy Microsoft Defender for Identity. A free trial is available.