{"id":111150,"date":"2022-04-05T18:30:07","date_gmt":"2022-04-06T01:30:07","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=111150"},"modified":"2025-06-20T02:45:59","modified_gmt":"2025-06-20T09:45:59","slug":"microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/","title":{"rendered":"Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">For the fourth consecutive year, <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a> demonstrated its industry-leading protection in MITRE Engenuity\u2019s independent ATT&amp;CK\u00ae Enterprise Evaluations, showcasing the value of an integrated XDR-based defense that unifies device and identity protection with a <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\">Zero Trust<\/a> approach:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Complete visibility and analytics to all stages of the attack chain<\/li>\n\n\n\n<li class=\"wp-block-list-item\">100% protection, blocking all stages in early steps<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Each attack generated a single comprehensive incident for the SOC<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Differentiated XDR capabilities with integrated identity protection<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Protection for Linux across all attack stages<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Deep and integrated Windows device sensors<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Leading with product truth and a customer-centric 
approach<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The Microsoft 365 Defender XDR solution <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/03\/31\/microsoft-protects-against-human-operated-ransomware-across-the-full-attack-chain-in-the-2022-mitre-engenuity-attck-evaluations\/\">displayed top-class coverage<\/a> by surfacing to the security operations center (SOC) a single comprehensive incident for each of the simulated attacks. Each incident provided a detailed view of the suspicious device and identity activities, coupled with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in their early stages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the third year in which Microsoft 365 Defender has showcased the power of the combined XDR suite, demonstrating coverage across devices, identities, and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/05\/01\/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation\/\">cloud applications<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"demonstrated-complete-visibility-and-analytics-across-all-stages-of-the-attack-chain\">Demonstrated complete visibility and analytics across all stages of the attack chain<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of <a href=\"https:\/\/attack.mitre.org\/groups\/G0102\/\">Wizard Spider<\/a> and <a href=\"https:\/\/attack.mitre.org\/groups\/G0034\/\">Sandworm<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/15\/ai-driven-adaptive-protection-against-human-operated-ransomware\/\">leveraging our artificial intelligence-driven adaptive protection<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" 
height=\"606\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-1.-Microsoft-365-Defender-providing-full-attack-chain-coverage.png\" alt=\"Diagram showing an overview of the Wizard Spider and Sandworm attack stages.\" class=\"wp-image-111255\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-1.-Microsoft-365-Defender-providing-full-attack-chain-coverage.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-1.-Microsoft-365-Defender-providing-full-attack-chain-coverage-300x227.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-1.-Microsoft-365-Defender-providing-full-attack-chain-coverage-768x582.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 1. Microsoft 365 Defender providing full attack chain coverage<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Defending against <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware<\/a> requires a defense-in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Providing detection and visibility enables defenders to evict the attackers from the network during the pre-ransom phase. 
It also minimizes the impact of encryption or extortion through data exfiltration activities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"technique-level-detection-coverage-in-real-time-without-delays\">Technique-level detection coverage in real time without delays<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions\u2014such as encrypting devices or exfiltrating information for extortion\u2014is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to continue to move laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time without any delayed detections.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"542\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-2.-Microsoft-365-Defender-providing-technique-level-coverage-in-every-step.png\" alt=\"Bar chart comparing Microsoft's technique-level coverage against other competitors. Microsoft provided 100% coverage.\" class=\"wp-image-111252\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-2.-Microsoft-365-Defender-providing-technique-level-coverage-in-every-step.png 801w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-2.-Microsoft-365-Defender-providing-technique-level-coverage-in-every-step-300x203.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-2.-Microsoft-365-Defender-providing-technique-level-coverage-in-every-step-768x520.png 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><figcaption class=\"wp-element-caption\">Figure 2. 
Microsoft 365 Defender providing technique-level coverage in every attack stage<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"100-protection-coverage-blocking-all-stages-in-early-steps\">100% protection coverage, blocking all stages in early steps<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities did so without hindering productivity: no benign activities were blocked, and no user consent was required.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-3.-Microsoft-365-Defender-blocking-in-every-step.png\" alt=\"Bar chart comparing Microsoft's protection coverage against other competitors. Microsoft blocked 9 out of 9 stages with no false positives.\" class=\"wp-image-111249\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-3.-Microsoft-365-Defender-blocking-in-every-step.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-3.-Microsoft-365-Defender-blocking-in-every-step-300x199.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-3.-Microsoft-365-Defender-blocking-in-every-step-768x509.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-3.-Microsoft-365-Defender-blocking-in-every-step-293x195.png 293w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 3. 
Microsoft 365 Defender blocking in all stages<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In real-world scenarios, blocking ransomware activities early\u2014that is, in the pre-ransom stage, across all platforms and assets\u2014is crucial to protecting customers and mitigating the downstream impact of extortion and disruption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"each-attack-generated-a-single-comprehensive-incident-for-the-soc\">Each attack generated a single comprehensive incident for the SOC<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike many other vendors, which surfaced multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly <strong>one incident per attack<\/strong>, combining all events across device and identity into a single comprehensive view of each attack.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Defender\u2019s <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/07\/29\/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics\/\">unique incident correlation technology<\/a> is tremendously valuable for SOC analysts dealing with alert fatigue. It significantly improves the efficiency of responding to threats, saving time that would otherwise be spent on manual correlation or on handling individual alerts. It also makes triage and investigation easier and faster by providing a view of the full attack graph. 
&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-4.-Scenario-1-a-single-incident-representing-the-Wizard-Spider-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized-1024x523.png\" alt=\"Screenshot of Microsoft 365 Defender detecting the Wizard Spider simulated attack as a single incident.\" class=\"wp-image-111177\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-4.-Scenario-1-a-single-incident-representing-the-Wizard-Spider-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized-1024x523.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-4.-Scenario-1-a-single-incident-representing-the-Wizard-Spider-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized-300x153.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-4.-Scenario-1-a-single-incident-representing-the-Wizard-Spider-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized-768x393.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-4.-Scenario-1-a-single-incident-representing-the-Wizard-Spider-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized.png 1385w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 4. 
Scenario 1: A single incident representing the Wizard Spider simulated attack with the attack sprawl and impacted assets summarized<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0d5c3fbf-624cd0d5c3fc0Figure-5.-Scenario-1-incident-graph-for-an-at-a-glance-view-of-the-full-attack-showing-device-and-identity-assets-as-well-as-all-observed-evidence.png-1024x520.png\" alt=\"Screenshot of Microsoft 365 Defender displaying the incident graph of the Wizard Spider simulated attack.\" class=\"wp-image-111180\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0d5c3fbf-624cd0d5c3fc0Figure-5.-Scenario-1-incident-graph-for-an-at-a-glance-view-of-the-full-attack-showing-device-and-identity-assets-as-well-as-all-observed-evidence.png-1024x520.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0d5c3fbf-624cd0d5c3fc0Figure-5.-Scenario-1-incident-graph-for-an-at-a-glance-view-of-the-full-attack-showing-device-and-identity-assets-as-well-as-all-observed-evidence.png-300x152.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0d5c3fbf-624cd0d5c3fc0Figure-5.-Scenario-1-incident-graph-for-an-at-a-glance-view-of-the-full-attack-showing-device-and-identity-assets-as-well-as-all-observed-evidence.png-768x390.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0d5c3fbf-624cd0d5c3fc0Figure-5.-Scenario-1-incident-graph-for-an-at-a-glance-view-of-the-full-attack-showing-device-and-identity-assets-as-well-as-all-observed-evidence.png.png 1399w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 5. 
Scenario 1: Incident graph for an at-a-glance view of the entire attack, showing device and identity assets as well as all observed evidence<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0f38c840-624cd0f38c841Figure-6.-Scenario-2-a-single-incident-representing-the-Sandworm-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized..png-1024x581.png\" alt=\"Screenshot of Microsoft 365 Defender detecting the Sandworm simulated attack as a single incident.\" class=\"wp-image-111183\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0f38c840-624cd0f38c841Figure-6.-Scenario-2-a-single-incident-representing-the-Sandworm-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized..png-1024x581.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0f38c840-624cd0f38c841Figure-6.-Scenario-2-a-single-incident-representing-the-Sandworm-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized..png-300x170.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0f38c840-624cd0f38c841Figure-6.-Scenario-2-a-single-incident-representing-the-Sandworm-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized..png-768x435.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd0f38c840-624cd0f38c841Figure-6.-Scenario-2-a-single-incident-representing-the-Sandworm-simulated-attack-with-the-attack-sprawl-and-impacted-assets-summarized..png.png 1217w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 6. 
Scenario 2: A single incident representing the Sandworm simulated attack, with the attack sprawl and impacted assets summarized<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"unique-and-durable-detections-from-the-integrated-microsoft-defender-for-identity\">Unique and durable detections from the integrated Microsoft Defender for Identity<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Defender\u2019s integrated identity protection capabilities uncover and durably block identity-related attacks regardless of the specific technique the attacker uses on a device, making them practically impossible for attackers to evade. Furthermore, building these protections into the identity fabric provides in-depth, context-rich signals for security teams to investigate and respond effectively. Other vendors that rely on endpoint-only signals may be more susceptible to evasion, and their detections typically carry less context.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some examples representing Microsoft 365 Defender\u2019s unique identity protection capabilities in the evaluation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Step 5.A.4 \u2013 a query to the Security Account Manager (SAM) database was uncovered using Active Directory signals, with detailed context on the user enumeration activity. This identity-based detection approach prevents attacker evasion and provides rich investigation context for security teams. 
Some other vendors in the test relied on process creation telemetry to get similar visibility but lacked context and could be easily bypassed.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"518\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd10a6535f-624cd10a65361Figure-7.-SAM-database-queried-to-enumerate-users-detected-by-the-M365-Defender-Identity-workload-Defender-for-Identity.png-1024x518.png\" alt=\"Screenshot of Microsoft 365 Defender detecting a suspicious remote SAM database query.\" class=\"wp-image-111186\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd10a6535f-624cd10a65361Figure-7.-SAM-database-queried-to-enumerate-users-detected-by-the-M365-Defender-Identity-workload-Defender-for-Identity.png-1024x518.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd10a6535f-624cd10a65361Figure-7.-SAM-database-queried-to-enumerate-users-detected-by-the-M365-Defender-Identity-workload-Defender-for-Identity.png-300x152.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd10a6535f-624cd10a65361Figure-7.-SAM-database-queried-to-enumerate-users-detected-by-the-M365-Defender-Identity-workload-Defender-for-Identity.png-768x389.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd10a6535f-624cd10a65361Figure-7.-SAM-database-queried-to-enumerate-users-detected-by-the-M365-Defender-Identity-workload-Defender-for-Identity.png.png 1430w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 7. 
SAM database queried to enumerate users detected by the Microsoft 365 Defender Identity workload<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Step 6.A.2 \u2013 resource-access activity on a domain controller was also uncovered using our identity sensors, with details of the exposed service principal name (SPN) and the related compromised resource name. Here too, this approach provides the same advantages in detection durability and investigation detail.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-1024x574.png\" alt=\"Screenshot of Microsoft 365 Defender detecting a suspicious resource access activity.\" class=\"wp-image-111192\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-1024x574.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-300x168.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-768x431.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-687x385.png 687w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource-539x303.png 539w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-8.-Timeline-view-of-resource-activity-on-DC-and-SPN-exposure-attack-with-related-compromised-resource.png 1444w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 8. Timeline view of resource activity on a domain controller and SPN exposure attack with related compromised resource<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protection-for-linux-across-all-attack-stages\">Protection for Linux across all attack stages<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms, with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. 
Therefore, having excellent coverage across all platforms is crucial to protecting organizations against attacks.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"513\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-9.-Microsoft-365-Defender-providing-technique-level-Linux-coverage-in-every-step.png\" alt=\"Bar chart comparing Microsoft's technique-level coverage in Linux against other competitors. Microsoft provided 100% coverage.\" class=\"wp-image-111243\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-9.-Microsoft-365-Defender-providing-technique-level-Linux-coverage-in-every-step.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-9.-Microsoft-365-Defender-providing-technique-level-Linux-coverage-in-every-step-300x192.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-9.-Microsoft-365-Defender-providing-technique-level-Linux-coverage-in-every-step-768x492.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 9. Microsoft 365 Defender providing technique-level coverage in every Linux attack stage<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For example, as seen in Figure 10 below, Microsoft Defender for Endpoint on a Linux device alerted on suspicious behavior by a web server process. The alert enabled blocking of the sensitive file read and prevented further file reads. The attacker then attempted to download and run a backdoor on the device. 
However, that was also blocked behaviorally, thus preventing subsequent compromise.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"638\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device-1024x638.png\" alt=\"Screenshot of Microsoft 365 Defender for Endpoint blocking a suspicious behavior by a web server process.\" class=\"wp-image-111201\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device-1024x638.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device-300x187.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device-768x479.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device-1536x957.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-10.Sensitive-file-read-by-a-web-server-process-detected-on-Linux-device.png 1563w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 10. 
Sensitive file read by a web server process detected on Linux device<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"unique-and-durable-detections-from-windows-deep-native-sensors\">Unique and durable detections from Windows deep native sensors<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While most attack steps on devices can be observed by inspecting process and script activities, relying solely on this type of telemetry is challenging in several respects.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From a detection durability standpoint, attackers could easily avoid detection by obfuscating their activity or pivoting to alternative methods. Furthermore, in terms of detection quality, relying solely on \u201csurface-level\u201d telemetry could produce a higher number of false positives and more overhead for security teams. Finally, this type of telemetry lacks the context needed for effective investigation and response.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike other solutions, Microsoft 365 Defender&#8217;s unique platform-native deep device sensors add signal depth, providing durable, context-rich signals for security teams to identify, investigate, and respond to. 
Here are some examples, as seen during the evaluation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Steps 1.A.6 and 19.A.11 were uncovered via enhanced Windows Management Instrumentation (WMI) sensors, providing visibility into evasive attacker activities without relying on process or script execution telemetry.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1024x576.png\" alt=\"Screenshot of Microsoft 365 Defender detecting process creation via WMI.\" class=\"wp-image-111207\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1024x576.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-687x385.png 687w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1083x609.png 1083w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-539x303.png 539w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1af9fc79-624cd1af9fc7aFigure-11.-Process-creation-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png.png 1369w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 11. 
Process creation via WMI detected natively using WMI sensors, regardless of invocation method<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1024x512.png\" alt=\"Screenshot of Microsoft 365 Defender detecting system shutdown via WMI.\" class=\"wp-image-111210\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1024x512.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-300x150.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-768x384.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png-1200x600.png 1200w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/624cd1c21a40b-624cd1c21a40dFigure-12.-System-shutdown-via-WMI-detected-natively-using-WMI-sensors-regardless-of-invocation-method.png.png 1375w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 12. 
System shutdown via WMI detected natively using WMI sensors, regardless of invocation method<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Step 3.A.4 was uncovered via COM sensors, providing visibility to the Microsoft Outlook COM interface and detecting an attacker\u2019s search for unsecured passwords in Outlook without relying on process command lines that attackers can easily evade by using COM interfaces directly.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-1024x577.png\" alt=\"Screenshot of Microsoft 365 Defender detecting a suspicious Outlook COM call.\" class=\"wp-image-111213\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-1024x577.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-1083x609.png 1083w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration-539x303.png 539w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-13.-Detection-of-attackers-search-for-passwords-in-Outlook-using-our-unique-COM-interface-sensor-integration.png 1389w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 13. Detection of attacker\u2019s search for passwords in Outlook using our unique COM interface sensor integration<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Step 17.A.2 was uncovered via Data Protection API (DPAPI) sensors, providing visibility into credential access\u2014an extremely important activity. 
Other solutions monitor web browser folders for file access, which is extremely prone to false positives in real-world environments.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-14.-Credential-access-visibility-via-DPAPI-sensor-integration-1024x516.png\" alt=\"Screenshot of Microsoft 365 Defender Advanced Hunting page.\" class=\"wp-image-111216\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-14.-Credential-access-visibility-via-DPAPI-sensor-integration-1024x516.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-14.-Credential-access-visibility-via-DPAPI-sensor-integration-300x151.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-14.-Credential-access-visibility-via-DPAPI-sensor-integration-768x387.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Figure-14.-Credential-access-visibility-via-DPAPI-sensor-integration.png 1409w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 14. Credential access visibility via DPAPI sensor integration<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-final-word-leading-with-product-truth-and-a-customer-centric-approach\">A final word: Leading with product truth and a customer-centric approach<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As in previous years, Microsoft\u2019s philosophy in this evaluation was to empathize with our customers\u2014the \u201cprotection that works for customers in the real world\u201d approach. 
We participated in the evaluation with product capabilities and configurations that we expect customers to use.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As you review evaluation results, you should consider additional important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false-positive rates. All of these are critical to the solution&#8217;s reliable operation and translate directly to protection that works in real customer production environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We thank MITRE Engenuity for the opportunity to contribute to and participate in this year\u2019s evaluation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the fourth consecutive year, Microsoft 365 Defender demonstrated industry-leading protection in MITRE Engenuity\u2019s independent ATT&#038;CK\u00ae Enterprise Evaluations. These results highlighted the importance of taking an XDR-based approach spanning endpoints, identities, email and cloud, and the importance of both prevention and 
protection.<\/p>\n","protected":false},"author":153,"featured_media":111234,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[],"footnotes":""},"post_tag":[3909,3788],"threat-intelligence":[3727],"content-type":[3663],"job-role":[],"product":[],"topic":[3687],"coauthors":[1949],"class_list":["post-111150","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-extortion","tag-mitre-attck","threat-intelligence-attacker-techniques-tools-and-infrastructure","content-type-research","topic-threat-intelligence","review-flag-1694638265-310","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-8-1694638266-352","review-flag-9-1694638266-118","review-flag-artif-1694638272-22"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&amp;CK\u00ae Evaluations | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&amp;CK\u00ae Evaluations | Microsoft 
Security Blog\" \/>\n<meta property=\"og:description\" content=\"For the fourth consecutive year, Microsoft 365 Defender demonstrated industry-leading protection in MITRE Engenuity\u2019s independent ATT&amp;CK\u00ae Enterprise Evaluations. These results highlighted the importance of taking an XDR-based approach spanning endpoints, identities, email and cloud, and the importance of both prevention and protection.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-06T01:30:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-20T09:45:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-part2-social-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Tanmay Ganacharya\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-part2-social-image.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tanmay Ganacharya\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/tanmay-ganacharya\/\",\"@type\":\"Person\",\"@name\":\"Tanmay Ganacharya\"}],\"headline\":\"Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations\",\"datePublished\":\"2022-04-06T01:30:07+00:00\",\"dateModified\":\"2025-06-20T09:45:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\"},\"wordCount\":1462,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-engenuity-featured-image.jpg\",\"keywords\":[\"Extortion\",\"MITRE 
ATT&amp;CK\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\",\"name\":\"Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK\u00ae Evaluations | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-engenuity-featured-image.jpg\",\"datePublished\":\"2022-04-06T01:30:07+00:00\",\"dateModified\":\"2025-06-20T09:45:59+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/b
log\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-engenuity-featured-image.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/mitre-engenuity-featured-image.jpg\",\"width\":1200,\"height\":600,\"caption\":\"Individual at work behind two computer screens.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security 
Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/fa785acae88a9b0cfe278a692ce196f5\",\"name\":\"Microsoft Security Threat Intelligence\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/6da614d6e26efc7ec75a4b5a98d63c541af444fa76a10c41a66be5b3de0a63aa?s=96&d=microsoft&r=g430eaf64ccad6ceda364c6ea504461c5\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6da614d6e26efc7ec75a4b5a98d63c541af444fa76a10c41a66be5b3de0a63aa?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6da614d6e26efc7ec75a4b5a98d63c541af444fa76a10c41a66be5b3de0a63aa?s=96&d=microsoft&r=g\",\"caption\":\"Microsoft Security Threat Intelligence\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/v-katiemc\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","bloginabox_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security 
Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/111150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=111150"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/111150\/revisions"}],"predecessor-version":[{"id":139754,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/111150\/revisions\/139754"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/111234"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=111150"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/post_tag?post=111150"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=111150"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=111150"},{"taxonomy":"job-role","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/job-role?post=111150"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/product?post=111150"},{"taxonomy"
:"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=111150"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=111150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}