For the fourth consecutive year, Microsoft 365 Defender demonstrated its industry-leading protection in MITRE Engenuity’s independent ATT&CK® Enterprise Evaluations, showcasing the value of an integrated XDR-based defense that unifies device and identity protection with a Zero Trust approach:
- Complete visibility and analytics to all stages of the attack chain
- 100% protection, blocking all stages in early steps
- Each attack generated a single comprehensive incident for the SOC
- Differentiated XDR capabilities with integrated identity protection
- Protection for Linux across all attack stages
- Deep and integrated Windows device sensors
- Leading with product truth and a customer-centric approach
Microsoft 365 Defender XDR solution displayed top-class coverage by successfully surfacing to the security operations center (SOC) a single comprehensive incident per each of the simulated attacks. This comprehensive view provided in each incident detailed suspicious device and identity activities coupled with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in the early stages.
This is the third year in which Microsoft 365 Defender showcases the power of the combined XDR suite, demonstrating coverage across devices, identities, and cloud applications.
Demonstrated complete visibility and analytics across all stages of the attack chain
Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of Wizard Spider and Sandworm, leveraging our artificial intelligence-driven adaptive protection.
Defending against human-operated ransomware requires a defense in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Providing detection and visibility enables defenders to evict the attackers from the network during the pre-ransom phase. It also minimizes the impact of encryption or extortion through data exfiltration activities.
Technique-level detection coverage in real time without delays
Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions—such as encrypting devices or exfiltrating information for extortion—is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to continue to move laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time without any delayed detections.
100% protection coverage, blocking all stages in early steps
Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities proceeded without hindering productivity by blocking benign activities or a need for user consent.
In real-world scenarios, blocking ransomware activities early—that is, in the pre-ransom stage across all platforms and assets—is crucial in protecting customers and mitigating the downstream extortion and disruption attack impact.
Each attack generated a single comprehensive incident for the SOC
Unlike many other vendors surfacing multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly one incident per attack, combining all events across device and identity into a single comprehensive view of each attack.
Microsoft 365 Defender’s unique incident correlation technology is tremendously valuable for SOC analysts in dealing with alert fatigue. It significantly improves the efficiency in responding to threats, saving time they might have otherwise spent in manual correlations or dealing with individual alerts. It also makes triage and investigation easier and faster with a view of the full attack graph.
Unique and durable detections from the integrated Microsoft Defender for Identity
Microsoft 365 Defender’s integrated identity protection capabilities uncover and durably block identity-related attacks regardless of the specific attacker technique implemented on a device, making it practically impossible for attackers to evade. Furthermore, building these protections in the identity fabric provides in-depth, context-rich signals for security teams to investigate and respond effectively. Other vendors leveraging endpoint-only signals may be more susceptible to evasion, and their detections typically have less context.
Here are some examples representing Microsoft 365 Defender’s unique identity protection capabilities in the evaluation:
- Step 5.A.4 – query to a security account manager (SAM) database was uncovered using Active Directory signals with detailed context on user enumeration activity. This identity-based detection approach prevents attacker evasion and provides rich investigation context for security teams. Some other vendors in the test relied on process creation telemetry to get similar visibility but lacked context and could be easily bypassed.
- Step 6.A.2 – resource-access activity on a domain controller was also uncovered using our identity sensors, with details of the exposed service principal name (SPN) and the compromised related resource name. Here too, this approach provides similar detection durability and investigation details advantages.
Protection for Linux across all attack stages
Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms, with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.
Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. Therefore, having excellent coverage across all platforms is crucial to protect organizations against attacks.
For example, as seen in Figure 10 below, Microsoft Defender for Endpoint on a Linux device alerted of suspicious behavior by a web server process. The alert allowed for blocking sensitive file read and preventing further file read. The attacker then attempted to download and run a backdoor on the device. However, that was also blocked behaviorally, thus preventing subsequent compromise.
Unique and durable detections from Windows deep native sensors
While most attack steps on devices could be observed by inspecting process and script activities, solely relying on this type of telemetry can be challenging in several aspects.
From a detection durability standpoint, attackers could easily avoid detection by obfuscating or pivoting to alternative methods. Furthermore, in terms of detection quality, relying solely on “surface-level” telemetry could potentially produce a higher number of false positives and overhead for security teams. Finally, this type of telemetry lacks the needed context to enable effective investigation and response.
Unlike other solutions, Microsoft 365 Defender’s unique platform-native deep device sensors introduced signal depth, providing durable, context-rich signals for security teams to identify, investigate and respond to. Here are some examples, as seen during the evaluation:
- Steps 1.A.6 and 19.A.11 were uncovered via enhanced Windows Management Instrumentation (WMI) sensors, providing visibility to evasive attacker activities without relying on a process or script execution telemetry.
- Step 3.A.4 was uncovered via COM sensors, providing visibility to the Microsoft Outlook COM interface and detecting an attacker’s search for unsecured passwords in Outlook without relying on process command lines that attackers can easily evade by using COM interfaces directly.
- Step 17.A.2 was uncovered via Data Protection API (DPAPI) sensors, providing visibility to credential access—an extremely important activity. Other solutions monitor web browser folders for file access which is extremely prone to false positives in real-world environments.
A final word: Leading with product truth and a customer-centric approach
As in previous years, Microsoft’s philosophy in this evaluation was to empathize with our customers—the “protection that works for customers in the real world” approach. We participated in the evaluation with product capabilities and configurations that we expect customers to use.
As you review evaluation results, you should consider additional important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false-positive rates. All of these are critical to the solution’s reliable operation and translate directly to protection that works in real customer production environments.
We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.