Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise 

By Tanmay Ganacharya, Partner Director, Security Research, Microsoft 365 Defender

For the fifth consecutive year, Microsoft 365 Defender demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE Engenuity ATT&CK® Evaluations: Enterprise. The attack used during the test highlights the importance of a unified XDR platform and showcases Microsoft 365 Defender as a leading solution, enabled by next-generation protection, industry-first capabilities like automatic attack disruption, and more.  

Microsoft 365 Defender demonstrated 100 percent visibility and complete coverage across all stages of the attack and achieved 100 percent protection across both Windows and Linux, showcasing the strong multiplatform capabilities of the solution. These results demonstrate that Microsoft’s XDR provides organizations with industry-leading visibility and protection in a world of evolving threats.  

A diagram showing the level of coverage Microsoft provided across each step in the attack.

Figure 1. Microsoft 365 Defender providing full attack chain coverage.

These results are only possible with continuous innovations built on the feedback of our customers. In just the last 12 months, Microsoft 365 Defender strengthened its endpoint protection with capabilities such as automatic attack disruption, which uses AI to suspend in-progress ransomware attacks, the release of a unified device settings management experience, and expanded identity protection to include Active Directory Certificate Services (AD CS). 

This year’s ATT&CK® Evaluations emulated the Turla threat group, tracked by Microsoft Threat Intelligence as Secret Blizzard. They are a Russian-based activity group that has been primarily targeting government organizations worldwide since the early 2000s. They employ extensive resources to remain on a target network in a clandestine manner, making detection more challenging for traditional security products.    

Let’s take a closer look at how Microsoft 365 Defender once again achieved industry-leading results in this year’s MITRE evaluation and how Microsoft’s AI breakthroughs are shaping the future of security to respond to threats like Turla.  


100 percent visibility across all stages of the attack chain in real-time 

In the face of a rapidly evolving threat carried out by adversaries like Turla, the speed of response makes a significant difference in a security team’s effectiveness in mitigating an attack. A single delay can mean the difference between your organization’s devices being encrypted or not. Microsoft 365 Defender’s XDR platform accelerates the security team’s ability to respond by providing real-time, unparalleled breadth and depth of understanding of an attack, starting with 100 percent visibility in real time. This unique breadth of Microsoft’s XDR extends across endpoints, network, hybrid identities, email, collaboration tools, software as a service (SaaS) apps, and data with centralized visibility, powerful analytics, and automatic attack disruption.

Figure 2. Microsoft 365 Defender provides 100 percent visibility without delay in every attack stage.  

100 percent ATT&CK technique-level detections at every attack stage without delay 

As an attack unfolds, security teams need to know what they’re up against the moment it’s happening. Delayed and incomplete detections make it difficult for analysts to understand the attack in full, giving attackers an opportunity to escalate their campaign by moving laterally, stealing credentials, or executing other malicious activities. With Microsoft 365 Defender’s 100 percent real-time ATT&CK technique-level coverage, analysts immediately receive relevant details within the alert that describe the attacker’s approach, equipping them with the knowledge to respond effectively and rapidly.

Figure 3. Microsoft 365 Defender delivers ATT&CK technique-level detections at every attack stage without delay.

100% protection for every attack stage across Windows and Linux 

This is the third year that MITRE has included a protection scenario as part of the evaluation, and for the third year running, Microsoft 365 Defender successfully blocked 100 percent of the attack stages across Windows and Linux platforms. Microsoft’s AI-powered next-generation protection blocked each attack attempt across 13 steps, representing complete prevention of any malicious activity. This outcome showcases the strong multiplatform capabilities of the solution, independent of the device’s operating system.  

A bar chart showing the effectiveness of  MITRE evaluation participants in blocking the attack across major steps.

Figure 4. Microsoft 365 Defender blocks every attack stage across Windows and Linux.  

Deep visibility into Linux devices 

With the prevalence of increasingly complex attacks, visibility into low-level protocols is critical for security teams to protect against sophisticated network sniffing and drive-by compromise attacks. Microsoft 365 Defender provides that visibility through ingestion of raw socket operations as well as into script content on Linux devices. It also takes action on script content that is obfuscated or encrypted, as well as suspicious network and other protocol behaviors.

A screenshot of the Microsoft 365 Defender portal showing detection of traffic signaling and network sniffing.

Figure 5. 9.A.12: Traffic Signaling (T1205) and 9.A.13: Network Sniffing (T1040).

Eliminated blind spots with network detection and response 

Several stages of the Turla emulation involved network-based techniques. They are an increasingly popular way of infiltrating and moving across systems laterally as they leave minimal traces on source and target devices. Security teams gain full visibility into network traffic with Microsoft 365 Defender’s network detection and response capabilities. As a result, analysts receive high-confidence, context-rich alerts to hunt down and block these sophisticated attacks early in the kill chain. In addition, analysts can discover both managed and unmanaged devices, identify blind spots, and reduce their attack surface to increase their security posture. 

A screenshot of the Microsoft 365 Defender portal showing the product identifying beaconing behavior.

Figure 6. Sub-step 11.A.5 identifies beaconing behavior and classifies it as command-and-control activity based on process and network frequency analysis.
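The frequency analysis the Figure 6 caption refers to can be illustrated with a small script. This is an added example, not Microsoft's product logic: it groups outbound connections by (process, destination) and flags pairs whose inter-connection intervals are regular, using constructed Linux-style connection records and assumed thresholds.

```python
"""Beaconing detection by process and network frequency analysis.

Added example, not Microsoft's product logic: it illustrates the analysis the
Figure 6 caption describes (one process contacting one destination at regular
intervals) over constructed connection records. Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines: "<epoch seconds> <process> <dest ip>:<port>"
# "updater" calls out roughly every 60 s; "firefox" is irregular user traffic.
SAMPLE_LOG = """\
1700000000 updater 198.51.100.7:443
1700000003 firefox 203.0.113.10:443
1700000060 updater 198.51.100.7:443
1700000121 updater 198.51.100.7:443
1700000150 firefox 203.0.113.10:443
1700000179 updater 198.51.100.7:443
1700000240 updater 198.51.100.7:443
1700000244 firefox 203.0.113.10:443
1700000301 updater 198.51.100.7:443
1700000360 updater 198.51.100.7:443
1700000900 firefox 203.0.113.10:443
"""


def parse_connections(text):
    """Group connection timestamps by (process, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, dest = line.split()
        series[(process, dest)].append(int(ts))
    return series


def find_beacons(series, min_connections=5, max_jitter=0.2):
    """Flag (process, destination) pairs whose inter-connection intervals are
    regular: at least `min_connections` events and a coefficient of variation
    (stdev / mean of the intervals) at or below `max_jitter`."""
    findings = []
    for (process, dest), stamps in series.items():
        if len(stamps) < min_connections:
            continue
        ordered = sorted(stamps)
        intervals = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue  # identical timestamps: not a periodic pattern
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({"process": process, "destination": dest,
                             "connections": len(ordered),
                             "mean_interval": avg, "jitter": jitter})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in find_beacons(parse_connections(SAMPLE_LOG)):
        print(f"{f['process']} -> {f['destination']}: "
              f"every {f['mean_interval']:.0f}s, jitter {f['jitter']:.3f}")
```

A real detector would also weight the destination's reputation and the process's expected behaviour; a legitimate updater can look periodic too, which is why the page describes the finding as context-rich rather than interval-only.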

Deep visibility into each stage of lateral movement 

Adversaries wage increasingly sophisticated campaigns by moving across hosts in a domain. The test involved significant lateral movement with a total of 6 steps, which is more than 30 percent of the total steps. Microsoft’s XDR solution provides visibility into each stage of lateral movement, whether access is gained through brute force (5.A.3), valid accounts (14.A.3), pass the hash (17.A.1) or any other technique. When tools are being transferred laterally (sub-steps 5.A.6, 18.A.3), Microsoft’s XDR shows the full context of what was transferred, from which host to which destination. Whether the execution on the target host happens through masqueraded PsExec (17.A.1), plink.exe (9.A.5), or WMI (18.A.5), we provide detection and visibility. 


Figure 7. Sub-step 5.A.6 Microsoft 365 Defender portal showing tools being transferred across hosts.

Identity threat detection and response spanning the cloud to on-premises 

Part of the MITRE evaluation emulated one of the fastest-growing threat vectors—identity-based attacks where malicious actors seek to exploit identities in the cloud and on-premises, or the underlying infrastructure and policies governing them. Microsoft XDR has native endpoint and identity protection to counter these types of attacks by providing security teams with high-fidelity, contextual signals that other vendors either lack entirely or require a separate integration for. Throughout the attack, Microsoft 365 Defender provided visibility on all identity-related attack steps like sensitive group enumeration, password spraying, and creation of accounts and unusual additions to sensitive groups.  

Screenshot of the Microsoft 365 Defender portal showing details on a suspected brute-force attack.

Figure 8. Sub-step 5.A.3: Our identity sensors on Active Directory revealed use of the Password Spraying technique, providing information about the users whose login attempts failed and the number of such attempts.
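The signal the Figure 8 caption describes (which users failed and how many times, per source) is what separates a spray from a brute force. This added example, not Microsoft's product logic, triages constructed failed-logon events with that distinction; the log format and thresholds are assumptions.

```python
"""Password-spray vs. brute-force triage over failed-logon events.

Added example, not Microsoft's product logic: it turns the per-user failure
counts the Figure 8 caption mentions into a verdict per source address.
Log format and thresholds are constructed for the example.
"""
from collections import defaultdict

# Constructed failed-logon lines: "<epoch> FAIL user=<name> src=<ip>"
# 10.0.0.5 tries six users once each (spray); 10.0.0.9 hammers one user
# (brute force); 10.0.0.12 is a user mistyping a password twice.
SAMPLE_AUTH = """\
1700000000 FAIL user=alice src=10.0.0.5
1700000030 FAIL user=bob src=10.0.0.5
1700000060 FAIL user=carol src=10.0.0.5
1700000090 FAIL user=dave src=10.0.0.5
1700000120 FAIL user=erin src=10.0.0.5
1700000150 FAIL user=frank src=10.0.0.5
1700000010 FAIL user=bob src=10.0.0.9
1700000012 FAIL user=bob src=10.0.0.9
1700000014 FAIL user=bob src=10.0.0.9
1700000016 FAIL user=bob src=10.0.0.9
1700000018 FAIL user=bob src=10.0.0.9
1700000020 FAIL user=bob src=10.0.0.9
1700000500 FAIL user=carol src=10.0.0.12
1700000560 FAIL user=carol src=10.0.0.12
"""


def parse_auth(text):
    """Return {src: [(timestamp, user), ...]} sorted by time."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, user_kv, src_kv = line.split()
        if status != "FAIL":
            continue
        user = user_kv.split("=", 1)[1]
        src = src_kv.split("=", 1)[1]
        by_src[src].append((int(ts), user))
    return {src: sorted(events) for src, events in by_src.items()}


def triage_failures(by_src, window=600, spray_users=5, brute_attempts=5):
    """For each source, slide a `window`-second window over its failures.
    'password_spray': >= spray_users distinct users failed in one window.
    'brute_force': one user failed >= brute_attempts times in one window.
    Otherwise 'benign'. The returned detail lists the users and attempt
    count of the window that triggered (or of all events if benign)."""
    report = {}
    for src, events in by_src.items():
        verdict, hit = "benign", events
        j = 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            per_user = defaultdict(int)
            for _, user in events[i:j]:
                per_user[user] += 1
            if len(per_user) >= spray_users:
                verdict, hit = "password_spray", events[i:j]
                break
            if max(per_user.values()) >= brute_attempts:
                verdict, hit = "brute_force", events[i:j]
                break
        report[src] = {"verdict": verdict,
                       "failed_users": sorted({u for _, u in hit}),
                       "attempts": len(hit)}
    return report
```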

Screenshot of Microsoft 365 Defender portal showing signals from Active Directory indicating the creation of suspicious accounts, aimed at establishing persistence.
Screenshot of the Microsoft 365 Defender portal showing a signal of unusual additions to a sensitive group, aimed at establishing persistence.

Figures 9 and 10. Sub-step 17.A.5: Active Directory signals revealed the creation of accounts and unusual additions to a sensitive group, all aimed at establishing persistence.

Security in the era of AI 

The MITRE ATT&CK evaluation focused on detection and prevention in the case of one type of attack, for which Microsoft effectively blocked at the earliest step at every attack stage. In real world scenarios where millions of attacks are waged every day, sometimes adversaries can breach the security perimeter. With AI breakthroughs introduced by Microsoft, security teams have already seen first-hand how they can scale their defenses against breaches and respond in novel ways that challenge the assumption of an asymmetric battlefield.  

Announced in November 2022, Microsoft 365 Defender’s unique, industry-first automatic attack disruption stops the most sophisticated attack campaigns at machine speed like this Turla attack, spanning ransomware, business email compromise, and adversary-in-the-middle. This capability combines our industry-leading detection with AI-powered enforcement mechanisms to block threats early in the kill chain and contain their advancement. Analysts have a powerful tool against human-operated attacks while leaving them in complete control of investigating, remediating, and bringing assets back online. 

Microsoft Security Copilot, first announced at Microsoft Secure in March 2023, is the industry’s first generative AI security product that allows security teams to move at machine speed. It combines OpenAI’s GPT-4 generative AI model with Microsoft’s security-specific model informed by our unique global threat intelligence and more than 65 trillion daily signals. Security teams benefit from Security Copilot by simplifying complex tasks with capabilities like guided response actions, and gaining intuitive, actionable insight across the threat landscape such as summarized incidents in natural language. As a result, organizations can detect threats earlier and outpace adversaries. Security Copilot is currently in private preview and in the nomination period for an early access program. The single best way to prepare to realize the benefits of Microsoft Security Copilot is by adopting and deploying Microsoft 365 Defender today.  

Customer reality is core to Microsoft’s testing approach 

As the threat landscape rapidly evolves, Microsoft is committed to empowering defenders with industry-leading, cross-platform XDR. Our evaluation philosophy is to reflect the real world by configuring the product as customers would in line with industry best practices. For instance, our configuration used the most updated OS versions to test the latest protection available to customers. In the MITRE Evaluations, as with all simulations, Microsoft 365 Defender achieved industry-leading visibility without manual processing or fine-tuning and can be run in customer environments without generating an untenable number of false positives. Microsoft’s commitment to protection while minimizing false positives is reflected in regularly occurring public evaluations.  

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 


About MITRE Engenuity ATT&CK® Evaluations  

ATT&CK® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity providers turn to the Evaluations program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. Evaluations enable defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology using a collaborative, threat-informed, purple-teaming approach that brings together providers and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity’s commitment to serve the public good, Evaluations results and threat emulation plans are freely accessible. ATT&CK Evaluations | MITRE Engenuity (mitre-engenuity.org) 

About MITRE Engenuity 

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges, such as protecting critical infrastructure, creating a resilient semiconductor ecosystem, investing in pandemic preparedness, accelerating use case innovation in 5G, and democratizing threat-informed cyber defense.

© 2023 MITRE Engenuity, LLC. Approved for Limited Release to MITRE Engenuity ATT&CK® Evaluations: Enterprise 2023: Turla Participants.

Introducing credit monitoring and privacy protection for Microsoft Defender

by Jorn Lutters

Staying safer online in a modern world

Where there once was a clear distinction between our online identities and our offline selves, today they are increasingly intertwined. Similarly, where people were previously occasionally offline, today we’re living in a world of constant connectivity.

This has brought with it many innovations and improvements to our lives, but it has also made the risk of cyber attacks seriously disrupting our lives a lot more real.


A thriller like 1995’s “The Net” might’ve seemed like a far-fetched scenario when that movie came out nearly 30 years ago, but today people are living the realities of identity theft on a daily basis. According to identitytheft.org, the FTC received 1.4 million identity theft related reports in 2023 to date.

In today’s security landscape, attackers focus much more on the person using the device than on the person’s devices, requiring modern security solutions to look past device boundaries to help address these concerns.


Microsoft knows this, and it’s exactly why we launched our first identity theft monitoring functionalities for Defender last year (https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-identity-theft-m…) to help our users keep tabs on leaks affecting their personal data.

Today, we’re excited to announce the expansion of this functionality with two crucial additions to Defender’s security arsenal coming soon to the US: credit monitoring and privacy protection.


Credit monitoring

We’re proud to announce we are expanding our identity theft monitoring capabilities with new credit monitoring functionality [1]. Where identity theft monitoring users already got real-time alerts and insights into leaks containing up to 64 of their identity assets online [2], credit monitoring helps them stay ahead of any potential impacts of such leaks by continuously monitoring their credit file and credit activities for signs of malicious behavior.

All too often breaches have a delayed fuse: a breach happens, you get alerted about it by the affected party (hopefully), you check your accounts, and life goes on. Right?
The reality is that this breached data is often compiled into big archives that trade hands on the dark web to the highest bidder. And then, five months after the breach happened, you notice you are suddenly getting a lot more spam calls than you used to. That’s the delayed fuse.

And while it’s annoying to have to deal with spam callers, things can get really painful, really quickly when attackers manage to get a hold of credit information or identity details that enable them to access your credit file and impersonate you (such as a Social Security Number). Sometimes you’re lucky and you’ll notice a weird transaction when your credit card statement arrives at the end of the month.

Oftentimes, though, these attacks go entirely unnoticed for months or years while malicious individuals attempt to take out credit in their victims’ names, and the affected individual only finds out when they want to take out a new loan or remortgage their house.

This is where credit monitoring comes in. It constantly monitors your credit and will alert you as soon as it sees any activity that might be malicious, from something as small as an unexpected credit activity increase, to credit inquiries, authentication attempts, address changes, and even new credit accounts being opened in your name.

By giving you access to this information as it happens, credit monitoring allows you to take action immediately, and help stop any malicious activity while it is occurring. From contacting the lender involved in the activity to report a fraudulent attempt, or placing a credit freeze, to contacting our 24/7 restoration experts for advice on how to deal with the issue at hand.

And (as is the case for all Defender identity theft monitoring subscribers) users of credit monitoring are also covered by identity theft insurance [3] up to USD $1 million, and lost funds recovery up to USD $100,000, for added peace of mind.

Together with the existing dark web scanning functionalities in identity theft monitoring, the new credit monitoring functionality helps you and your family stay safer by knowing what data is out there and alerting you if anyone attempts to maliciously use this information for financial gain.


Privacy protection

In today’s interconnected world, where the internet plays an integral role in our daily lives, safeguarding our digital security and privacy has become more crucial than ever. We want to be always connected, anytime, and any place. We want to keep our family members’ connections safer. Enter Microsoft Defender’s privacy protection [4], a security feature designed to shield your sensitive data from threats when you are connected via open and public Wi-Fi networks.

When you connect to a public Wi-Fi network, such as at a coffee shop, airport or hotel, you can expose your data to anyone who might be snooping on the same network. Privacy protection reduces online tracking and protects against hackers on unsecured networks. With privacy protection, you can hide your IP address and location from websites, apps, and advertisers that may attempt to track your online activity and collect your personal data.

This feature also encrypts your internet traffic and data through a virtual private network (VPN), making it unreadable and inaccessible to anyone who may try to intercept it, such as hackers, internet service providers (ISPs), or government agencies. At the heart of privacy protection is a commitment to preserving your privacy.

Microsoft holds firm in our promise never to utilize this feature to track, log, or sell your online activities. We believe that your internet usage should remain your business alone. By choosing Defender’s privacy protection, you opt for a service that places your privacy at the forefront, providing you with a genuine sense of online security.

Get Microsoft Defender today

Start using the protections available today by signing into the Microsoft Defender web portal at mydefender.microsoft.com.
Sign in with the personal Microsoft account (@gmail, @outlook, etc.) linked to your Microsoft 365 Personal or Family subscription, or start your 1-month Microsoft 365 Family trial [5].

If you haven’t already, you can download the app from the Microsoft Store, Google Play Store, and Apple App Store, or as a direct download for macOS.

Start using credit monitoring and privacy protection on October 2, 2023.

To get started with credit monitoring and privacy protection, visit https://mydefender.microsoft.com, sign in with the personal Microsoft account (@gmail, @outlook, etc.) linked to your Microsoft 365 subscription, find the identity theft monitoring card on the dashboard, and select “Get started.”

For privacy protection, download the app and select “Get started” on the privacy protection tile [1].

  1. Feature available in the United States and US territories. Credit score is a single bureau VantageScore 3.0 provided by Experian®. The monthly credit report is provided by Experian® using single bureau data. For users under the age of 18 or those without a credit history, credit score not included. Family organizers will not have the ability to onboard, view, and receive alerts related to family member credit monitoring. Your device’s primary display language must be set to English.
  2. A one-time parent or legal guardian verification is required to receive alert details for children. If the organizer’s family member is under 13, consent is not required to create and/or monitor a child’s identity or credit. Consent is required to create and/or monitor identity or credit status of family members over 13 years of age.
  3. The identity theft insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Review the Summary of Benefits.
  4. Available on Android devices in the United States and US territories. Some streaming services are excluded. After 10 GB per month, data transfer speeds may be limited.
  5. Subscription automatically renews. Cancel any time to stop future charges. After your 1-month free trial, Microsoft 365 Family is $99.99 per year. Credit card required. Cancel any time to stop future charges.