A number of advanced Microsoft 365 Defender features first announced last year as a means of stopping and business email compromise (BEC) attacks, have now reached public preview, the company has announced.
The features, called “automatic disruption” use “high-confidence Extended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps”, Microsoft explained, saying they’ll help contain active security attacks “quickly and effectively”.
They’ll work by automatically disabling, or restricting, devices and user accounts that the threat actors have compromised and are actively using in an attack.
Limited impact
By shutting off this access, Microsoft hopes the attackers won’t be nearly as effective as they should be, and at the same time, SOC teams get more time to deploy additional countermeasures.
As a result, ransomware and BEC attacks should have a more limited impact on the target organization, the company claims.
Automatic attack disruption operates in three stages. In the first stage, the attack is detected, and “high confidence” is established. In the second stage, different scenarios are classified, as well as assets that the attackers are currently controlling. Finally, in the third stage, automatic response actions are triggered via Microsoft 365 Defender, containing the attack and minimizing its impact.
As the name suggests, the activity of these new features is automatic, which might not sit well with some cybersecurity professionals. Microsoft seems to be aware of this fact, stating that the number of signals used should ease anyone’s anxiety around automation:
“We understand that taking automatic action can come with hesitation, given the potential impact it can have on an organization,” the company said. “That’s why automatic attack disruption in Microsoft 365 Defender is designed to rely on high-fidelity XDR signals, coupled with insights from the continuous investigation of thousands of incidents by Microsoft’s research teams.”
Ransomware continues to be one of the most disruptive forms of cybercrime out there. Businesses are advised to train their employees on the dangers of phishing and to make sure they set up a robust backup solution. An antivirus, a (opens in new tab), and multi-factor authentication are also considered best practices.