Microsoft 365 Defender is getting a new update that enables customers to detect and block adversary-in-the-middle (AiTM) attacks. The company explained that the AiTM protection feature builds on top of the existing automatic attack disruption (XDR) capabilities that launched in February 2023.
Adversary-in-the-Middle (AiTM) is a phishing technique that enables threat actors to hijack session cookies by bypassing multifactor authentication (MFA). It intercepts communications between the victim and the service to steal sensitive information like credit card data and login credentials. It’s comparatively challenging to detect AitM attacks because it doesn’t rely on a spoofed email or website.
How Microsoft’s XDR automatically contains AiTM attacks?
Microsoft claims that the security feature allows Microsoft 365 Defender customers to detect AiTM campaigns with “high confidence” based on various Microsoft 365 Defender signals. The tool will automatically take necessary actions to disrupt the attack, including blocking the compromised account or revoking stolen session cookies.
According to Microsoft, IT admins will be able to view details about the contained AiTM incident on the Microsoft 365 Defender incident page. They will see a dedicated attack disruption tag that appears next to affected incidents.
The automatic attack disruption feature helps organizations to block lateral movement within enterprise networks at the initial stages. This should make it easier for the security teams to investigate and mitigate the AiTM attacks.
Licensing requirements
Microsoft notes that the new AiTM feature will be available as a part of its automatic attack disruption capability for Microsoft 365 Defender subscribers. Meanwhile, automatic attack disruption requires Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, or Defender for Office 365 Plan 2 subscriptions as well as Microsoft 365 E5 licensing.