Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

• Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
• Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

• Familiar topics based on existing conversations
  • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
• Familiar topics based on current context
  • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
• Topics based on urgency
  • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

• Only the intended recipient can access the file
  • The intended recipient needs to re-authenticate before accessing the file
  • The file is accessible only for a limited time window
• The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Recommended actions

Microsoft recommends the following mitigations to reduce the impact of this threat:

• Enable Conditional Access policies in Microsoft Entra, especially risk-based access policies. Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use security defaults as an initial baseline set of policies to improve identity security posture.
• Implement continuous access evaluation.
• Implement Microsoft Entra passwordless sign-in with FIDO2 security keys.
• Turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.
• Implement Microsoft Defender for Endpoint – Mobile Threat Defense on mobile devices used to access enterprise assets.
• Leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign, and Microsoft Defender for Office 365 to detect and block malicious emails, links, and files. Monitor suspicious or anomalous activities in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (such as the location, ISP, user agent, and use of anonymizer services). Educate users about the risks of secure file sharing and emails from trusted vendors.

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Risky sign-in after clicking a possible AiTM phishing URL
• User compromised through session cookie hijack
• User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

• Possible AiTM Phishing Attempt

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

• Signins From VPS Providers
• Signins from Nord VPN Providers
• Successful Signin From Non-Compliant Device

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

The key to fighting ransomware at scale is Microsoft’s unwavering commitment to simplifying, automating, and augmenting security analyst workstreams to meet the demands of today’s and tomorrow’s cyberthreat environment. We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner^® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time. We believe this announcement reflects Microsoft’s continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center (SOC) teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender XDR and built on global threat intelligence—informed by more than 78 trillion daily signals and more than 10,000 security experts—empowering security teams to fend off sophisticated threats.²

Our customers and partners have been an invaluable part of this multiyear journey, and we are grateful for both their business and their partnership. Read the complimentary report providing more details on our positioning as a Leader.

Microsoft Defender for Endpoint is built from the ground up with operational resilience in mind. It starts with our agent architecture that follows best practices for Windows by limiting its reliance on kernel mode while protecting customers in real-time. It does not load content updates from files in the kernel mode driver. As an added safeguard, we deliver updates to customers applying Microsoft’s long-established safe deployment practices (SDP) model. Customers have full control over how these updates are delivered and how controls are applied to their device estate. This model of shared control helps provide security and resiliency. 

Over the last 12 months, Microsoft has delivered significant innovations that have helped defenders gain the upper hand against cyberthreats including: improved attack disruption, Microsoft Copilot for Security, a new Linux agent, simplified settings management, the unified security operations platform and Microsoft Defender Experts for XDR.

Automatic attack disruption, unique to Microsoft, is a self-defense capability that stops in-progress cyberattacks by analyzing the attacker’s intent, identifying compromised assets, and isolating or disabling assets like users or devices at machine speed. For example, in July 2024 we discovered the CVE-2024-37085 vulnerability. Numerous ransomware operators exploited it to encrypt the entire file system and move laterally in the network. Attack disruption fends off such sophisticated ransomware attempts by blocking lateral movement and remote encryption in a decentralized way across all your device estate—in just three minutes on average.³ This is a capability that Microsoft continues to invest in to disrupt more scenarios even earlier in the cyberattack chain.  

Microsoft Copilot for Security is the industry’s first generative AI that empowers security teams to protect at the speed and scale of AI, generally available as of April 2024. Embedded within the Defender XDR experience, it assists analysts by providing enriched context for faster and smarter decisions. It accelerates investigation, containment, and remediation with prescriptive step-by-step guidance. Analysts can now easily understand attacker actions with intuitive script analysis and launch complex Kusto Query Language (KQL) queries using plain language. The results from a randomized controlled trial based on 147 security professionals showed significant efficiency gains including speed and quality improvements when using Copilot for Security. Security professionals were up to 22% faster across all tasks, and more than 93% of users wanted to use Copilot again.

A new Linux agent has been built from scratch, using eBPF sensor technology to deliver the performance and stability needed for mission-critical server workloads while providing visibility into cyberthreats. We continue prioritizing innovations across every type of endpoint from Windows, Linux, macOS, iOS, Android, and IoT to provide the holistic endpoint security that organizations need.

Simplified setup and change management help analysts configure devices correctly to minimize threat exposure. With the general availability of simplified settings management, SOC analysts can manage security policies without leaving the Defender XDR portal.

Unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unification helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time, and improving overall efficiency. Defender for Endpoint is core to this platform, which combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot for Security, security analysts need only a single set of automation rules and playbooks. Plus, they can use plain language to execute complex tasks in an instant with Copilot for Security embedded in the platform.

Microsoft Defender Experts for XDR gives your security team coverage with around-the-clock access to Microsoft expertise. Recognizing that sophisticated cyberthreats go beyond the endpoint, Microsoft offers Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Thank you to all our customers. You inspire us as together we work to create a safer world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card.    

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2024 Microsoft Digital Defense Report. Publishing October 15, 2024.

²Microsoft Digital Defense Report, Microsoft. 2023.

³Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview, Rob Lefferts. April 3, 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, Satarupa Patnaik, Chris Silva, September 23, 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post ​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

Defender Experts for XDR offers a range of capabilities: 

• Managed detection and response: Let our expert analysts manage your Microsoft Defender XDR incident queue and handle triage, investigation, and response on your behalf.  
• Proactive threat hunting: Extend your team’s threat hunting capabilities and prioritize significant threats with Defender Experts for Hunting built in. 
• Live dashboards and reports: Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of prioritized incidents and detailed analytics. 
• Proactive check-ins: Benefit from remote, periodic check-ins with your named service delivery manager (SDM) team to guide your MXDR experience and improve your security posture. 
• Fast and seamless onboarding: Get a guided baselining experience to ensure your Microsoft security products are correctly configured.

Microsoft Defender Experts for XDR

Give your security operations center (SOC) team coverage with leading end-to-end protection and expertise.

Learn more

Cyberattacks detected by Defender Experts for XDR

In the first cyberattack, Defender Experts for XDR provided detection, visibility, and coverage under what Microsoft Threat Intelligence tracks as the threat actor Purple Typhoon. From the early steps in the intrusion, our team alerted the customer that 11 systems and 13 accounts were compromised via a malicious Remote Desktop Protocol (RDP) session, leveraging a Dynamic Link Library (DLL) Search Order Hijacking on a legitimate Notepad++ executable. As is common with this threat actor, the next cyberattack, established a Quasar RAT backdoor triggering keylogging, capturing credentials for the domain admin. After the loaders were executed, scheduled tasks were used to move laterally, execute discovery commands on internal network areas, and complete credential theft dumping.       

For the second cyberattack, which used BlackCat ransomware, Defender Experts for XDR detected and provided extensive guidance on investigation and remediation actions. The BlackCat ransomware, also known as ALPHV, is a prevalent cyberthreat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid. This attack used access broker credentials to perform lateral movement, exfiltrate sensitive data via privileged execution, and execute ransomware encryption malware.    

In both cyberattacks, our team focused on providing focused email, in-product focus to guide the customer, and in a real world cyberattack, our service and product would take disruption actions to stop the cyberattack.

Comprehensive threat hunting, managed response, and product detections 

With complex cyberattacks, security operations teams need robust guidance on what is happening and how to prioritize remediation efforts. Throughout this evaluation, we provided over 18 incidents, 196 alerts, and enriched product detections with human-driven guidance via email and in product experiences using Managed responses. This includes a detailed investigation summary, indicators of compromise (IOCs), advanced hunting queries (AHQs), and prioritized remediation actions to help contain the cyberthreat. Our world class hunting team focuses on providing initial response to a cyberattack, then iterations on updates based on new threat intelligence findings and other enrichment.   

Figure 1. The incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed response.

Figure 2. Managed response showing details of investigation summary, IOCs, and TTPs.

Figure 3. Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.

AI-driven attack disruption with Microsoft Defender XDR   

As the second cyberattack leveraged BlackCat ransomware, Microsoft Defender XDR’s attack disruption capability automatically contained the threat and then followed up with hunter guidance on additional containment. This capability combines our industry-leading detection with AI-powered enforcement mechanisms to help mitigate cyberthreats early on in the cyberattack chain and contain their advancement. Analysts have a powerful tool against human-operated cyberattacks while leaving them in complete control of investigating, remediating, and bringing assets back online. 

Figure 4. A summary attack graph, managed responses and attack disruption automatically handling this ransomware threat.

Seamless alert prioritization and consolidation into notifications for the SOC 

We provide prioritization and focus for a typical customer’s SOC team using tags and incident titles with Defender Experts where we enrich product detections. In addition, a dedicated SDM will conduct periodic touchpoints with customers to share productivity and service metrics, provide insights on any vulnerabilities or changes in their environment, solicit feedback, and make best practices recommendations. Our customers see a reduction in total incident volume over time, improvements in security posture, and overall lower operational overhead. Learn how Defender Experts helps Westminster School.  

Figure 5. Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.

Commitment to Microsoft MXDR partners 

We continue our commitment to support our partners in our Microsoft-verified MXDR program. We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners to provide customers the flexibility to choose what works best for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. 

We acknowledge that there are areas for discussion and enhancement, but we will take these as a valuable learning opportunity to continuously improve our products and services for the customers we serve. We appreciate our ongoing collaboration with MITRE as the managed services evaluation process evolves with the growing cyberthreat landscape. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 

Learn more about Microsoft Defender Experts for XDR

To learn more, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog. 

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

© June 2024. The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. 

The post Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services appeared first on Microsoft Security Blog.

According to Frost & Sullivan, the market for MDR is growing rapidly, with a growth rate of 35.2%, as evidenced with 22 MDR vendors plotted in this year’s analysis. This growth is expected to continue as Frost & Sullivan cited that “faced with a lack of access to professionals and an inability to protect their business-critical data effectively, organizations are outsourcing to alleviate the issue.”

Figure 1. Frost Radar^TM for Managed Detection and Response 2024 showing Microsoft as a leader.

Advancing cybersecurity frontiers with Defender Experts

Designated as one of the companies to be considered first for investment, partnerships, or benchmarking by Frost & Sullivan, Microsoft is a recent entrant in the MDR space, but with its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”¹ Our Defender Experts for XDR service helps our customers boost their security operations centers (SOCs) with security expertise and around-the-clock coverage to detect and accurately respond to incidents that matter across their varied Microsoft Defender XDR workloads.

The Frost & Sullivan report emphasizes the comprehensive capabilities of our Defender Experts for XDR service, which brings together human expertise with AI and automation powered by our Defender XDR suite. The service provides cross-domain MDR services with visibility over endpoints, email, cloud, and identity. In addition, Defender Experts for XDR “delivers 24/7 monitoring, detection, and response, and proactive threat hunting, combined with its world-class threat intelligence, security posture assessments, and access to its expert team.”

Charting new horizons—the convergence of managed services and generative AI

The report highlights the key innovation that Microsoft offers to customers, which is the ability to use both human-led expertise and generative AI in cybersecurity. As organizations continue to adopt MDR services to enhance their SOC efforts, the appearance of generative AI in cybersecurity solutions also offers more potential to those who want to improve their SOC teams. According to Frost & Sullivan, “AI, [machine learning], and automation have become increasingly integral to cybersecurity solutions. These technologies enhance detection and response and allow SOC analysts to focus on what’s important instead of chasing down false alerts.”

The report also recognizes Microsoft Copilot for Security as a pivotal AI assistant that enhances the capabilities of security analysts. It streamlines complex data into concise summaries, offers insights, aids in detection, accelerates response, and contextualizes alerts and incidents. This tool is instrumental in supporting both novice and seasoned analysts, enabling them to make well-informed decisions with greater confidence and speed.

Building on this, the Defender Experts team has found the utilization of Copilot for Security not only boosts productivity and streamlines workflows, but also significantly enhances threat detection and response. Insights from team leaders and real-world applications, such as script analysis and incident summaries, are detailed in a recent blog post. These examples underscore Copilot’s role in elevating the skills of analysts and enriching threat intelligence, and empowering security teams to leverage AI’s full potential in safeguarding their organizations. Microsoft will continue to invest in generative AI and unlock its potential for Defender Experts and our customers.

Microsoft Defender Experts for XDR

Give your security operations center team coverage with leading end-to-end protection and expertise.

See features

Empower your SOC with managed XDR

Frost & Sullivan’s report praises Microsoft Defender Experts for XDR for its capacity to expedite SOC operations through expert triage and investigation, provide robust protection through human-led response and proactive remediation, offer around-the-clock access to Defender Experts for real-time consultations, and provide strategic recommendations to fortify defenses and mitigate future cyberthreats, all underscored by the transformative integration of generative AI with human expertise.

We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. To date, we’ve added more than 50 partners to our Microsoft-verified MXDR program and invite you to review their offerings.

Learn more

To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog home.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Frost & Sullivan, Frost Radar™: Managed Detection and Response, 2024, Lucas Ferreyra. March 2024.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

Our own Microsoft Defender Experts team has been using and exploring Copilot, and finding new ways it can streamline, inform, and optimize their daily work—from improving communication clarity to data analysis and upskilling. Through their work on the Microsoft Defender Experts for XDR service, they serve as an extension of our customers’ security operations center (SOC) teams. They proactively hunt for serious cyberthreats using Microsoft Defender data. They triage, investigate, and expose advanced threats, identify the scope and impact of malicious activity, and then take action on a customer’s behalf to remediate the incident. And now with Copilot, Defender Experts have a powerful new security tool.

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI.

Learn more

A leadership view of Copilot for Security

In this new series of short videos, our Defender Experts share real-world scenarios where Copilot is helping them navigate threat detection, investigation, and managed response. To begin, Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft, shares his leadership view on how Copilot helps support learning and career growth for his team. Then Brian Hooper, Principal Research Lead for Defender Experts, Microsoft, talks about how Copilot can help minimize the mundane tasks that take security analysts away from their most important work—serious threat investigations.

Watch the video “A leadership view on deploying Copilot.”

Save time and increase efficiency

From a leadership level, it’s easy to see the potential of Copilot. But when every second counts—like during an active security incident—that potential needs to be fully realized and actionable. Copilot for Security puts critical guidance and context into the hands of your security team so they can respond to incidents in minutes instead of hours or days. In our next video clip, Phoebe Rogers, a senior member of the Microsoft Defender Experts analyst team, shares how Copilot helps her shave minutes off every script analysis—which adds up to real saved time, increased efficiency and understanding, and greater incident insight. Watch as she shares how she uses Copilot to analyze a suspicious script, step by step.

Watch the video “Script Analysis.”

When security analysts communicate with customers, they need to provide a clear, concise, and comprehensive summary of an active incident in a timely manner, so customers have a deep understanding of the situation. In the following video, Brian Hooper shares a detailed walkthrough of how Copilot is helping analysts write up these incident narratives 90% faster than in the past.

Watch the video “Incident Summaries.”

Upskill junior analysts and develop critical expertise

Most complex and sophisticated attacks like ransomware evade detection through numerous ways, including the use of scripts and PowerShell. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. In our next video, Brian Hooper shows how the detailed, line-by-line script examination in Copilot allows security analysts to quickly assess and identify a script as malicious or benign. It also helps junior security analysts upskill their expertise. With Copilot, any analyst can use natural language prompts to initiate and perform tasks that they may not have a lot of experience with or expertise in, and the outputs of Copilot will help them both accomplish the right results quickly, and, more importantly, help them develop those critical skills for long-term use.

“Copilot for Security really helps our junior analysts, as if they had a coach next to them, guiding them through the learning phase of their role. And for our senior analysts, it’s really helping them push past what would have otherwise been possible, in terms of reaching their potential.”

—Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft

Watch the video “Script Analyzer in Defender.”

Get rich, contextual information with threat intelligence

Understanding an organization’s external threat surface can take a lot of time and tools. Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and don’t always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure. Getting threat intelligence data and rich, contextual information from Microsoft Defender Threat Intelligence and Copilot helps security analysts make determinations, like whether an IP is malicious or not. In the next video clip, Phoebe Rogers uses Defender Threat Intelligence and Copilot to compare a user’s sign-in properties with their authentication history, surfacing the relevant information to streamline her analysis and determine whether or not it’s a threat.

Watch the video “Getting threat intel data.”

Once a determination is made, it can still take time and effort for an analyst to summarize and communicate a threat to affected parties. But Copilot can help. In our last video clip, Phoebe explains how Copilot can quickly explain the impact of common vulnerabilities and exposures (CVEs) and summarize relevant content like impacted products, bad actors known to exploit the vulnerability, and mitigation recommendations.

Watch the video “CVEs and Vulnerabilities.”

Protect at the speed and scale of AI

When faced with incomplete and imperfect data and the need to investigate a potential threat, communicate that threat to a customer, or craft a timely response, security analysts are realizing tangible, measurable benefits from using Copilot in their daily work. It helps them protect and defend their organization at machine speed and scale. Of course, the ability to leverage generative AI is not exclusive to security teams. It may also be leveraged by potential threat actors. So, the sooner security teams can experience and evaluate generative AI to augment and improve their security, the better. That’s why Brian Hooper encourages department leadership who are building their plan to deploy Copilot within their team to encourage exploration. “Let the team try different prompts. Let the team summarize incidents. Let the team analyze scripts. Let the team find out about intelligence that Microsoft knows about attacks. Organically, they will find all different places that it’s going to help them.”

Learn more

To learn more about Microsoft Copilot for Security, visit the product page, and for more helpful tips and information, view the Copilot for Security Playlist on the Microsoft Security Channel on YouTube.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team appeared first on Microsoft Security Blog.

Today we are excited to announce that Gartner has named Microsoft a Leader in the 2023 Gartner^® Magic Quadrant™ for Endpoint Protection Platforms. We believe this recognition showcases Microsoft’s continued progress and excellence in helping organizations protect their endpoints against even the most sophisticated attacks and driving continued efficiency for SOC teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across all platforms, devices, and Internet of Things (IoT). It is core to Microsoft Defender XDR. Built on the industry’s broadest threat intelligence informed by more than 65 trillion daily signals and over 10,000 security experts, it empowers security teams to fend off sophisticated threats.¹

Figure 1. Gartner^® Magic Quadrant^TM for Endpoint Protection Platforms. Source: Gartner (December 2023).

Microsoft’s leadership in endpoint security reflects the close partnership forged with customers that has shaped our product development and innovation. Recent highlights include:

• Elevate your security posture: An organization’s best offense is a secure defense. Key to minimizing threat exposure is a combination of simplified security settings management to curtail misconfigurations (generally available as of November 2023), proactive vulnerability management to harden your defenses, and next-generation antivirus to neutralize malware at the perimeter. Defender for Endpoint is unique in providing built-in posture assessments and vulnerability management capabilities that continually evaluate an organization’s security posture and prioritizes remediation suggestions. Other security vendors treat these capabilities as a separate product that must be integrated, further burdening organizations that require such protections up front. Additionally, Defender for Endpoint’s next-generation antivirus, which has been tested and recognized in various industry tests, such as the 2023 MITRE Engenuity ATT&CK® Evaluations, fortifies the strong prevention stack to protect against endpoint-based threats.

• Protect against the most sophisticated threats: Drawing on vast threat intelligence informed by 65 trillion daily signals and more than 10,000 security experts around the globe, Microsoft possesses a unique vantage point on the emerging threat landscape.¹ Microsoft Defender XDR’s industry-first automatic attack disruption capability reflects this distinctive position, harnessing the seamless integration across the workloads (identities, endpoints, email, and software as a service [SaaS] apps) to disrupt advanced cyberthreats such as ransomware, business email compromise, and attacker-in-the-middle with high confidence. Attack disruption has rapidly evolved to now stopping human-operated attacks, on average within 3 minutes, with just Defender for Endpoint. Coupled with the new deception capabilities introduced in November 2023, automatic attack disruption can disrupt threat campaigns even earlier with the high-fidelity signal.

• Secure all devices across the enterprise: Defender for Endpoint continued to expand its coverage with network detection and enterprise IoT devices included at no added cost as a part of Microsoft 365 E5 and E5 Security plans. Cross-platform enhancements across macOS, Linux, and Windows regularly roll out, keeping customers at the forefront of available protections.

Endpoint security is at the core of the Microsoft Defender suite. The following recent innovations reinforce Microsoft’s leadership in helping SOCs scale protection and efficiency on a platform level.

• See and act on a complete view of the digital threat landscape with an AI-powered, unified security operations platform: In November 2023, we announced the industry’s first unified platform that will help close the talent gap for security and data professionals and accelerate SOC efficiency. Defender for Endpoint is core to this platform. It combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Security Copilot, security analysts only need to work with a single set of automation rules and playbooks. Plus, they only need to use plain language to execute complex tasks in an instant with Security Copilot embedded in the platform.

• Give your security team coverage with around-the-clock access to Microsoft expertise: Recognizing that sophisticated threats go beyond the endpoint, Microsoft introduced Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been an invaluable part of this multiyear journey. We owe our immense gratitude to you.

Unmatched customer impact defending against ransomware

With capabilities unique to Microsoft Defender such as automatic attack disruption, the odds are starting to tilt in favor of defenders. For example, in August 2023, hackers compromised the devices of a medical research lab. With lives and millions of dollars in research at stake, the potential reward for hackers to encrypt the devices and demand a ransom was high. Automatic attack disruption immediately shut them out from accessing any of the lab’s devices. And the security analysts didn’t even have to lift a finger.

Thanks to the invaluable partnership and insights from organizations of all sizes around the globe, Microsoft has been named a Leader in every Gartner^® Magic Quadrant^TM for Endpoint Protection Platforms report since 2019. In 2024 customers will continue to see leading innovation as we further build on a strong foundation of AI-enabled capabilities to empower defenders and drive efficiencies for SOC teams with more automated disruption of advanced threats, Microsoft Security Copilot supported tasks, and more.

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card. 

Microsoft Defender for Endpoint

Protect every layer of your environment with a unified security operations platform embedded with Microsoft Security Copilot.

Learn more

Learn more

We know that diving deep into how a solution really works is key to making any investment. If you are not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to start evaluating the leading endpoint protection platform.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report, Microsoft. 2023.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Max Taggett, Franz Hinner, Nikul Patel, 31 December 2023.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft is named a Leader in the 2023 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

At Microsoft, we aim to help our customers meet the range of today’s security demands—together. In this environment, it is not a surprise that organizations are looking to do more with less and turning to managed security services to help their security teams.

Microsoft Security Experts

Extend your ability to defend and manage with a comprehensive line of services from the experts at Microsoft.

Learn more

Microsoft Defender Experts for XDR

In preview last year, Microsoft Defender Experts for XDR is now generally available. This managed extended detection and response (MXDR) service helps customers alleviate some of their most pressing pain points, including alert fatigue, scarce cybersecurity resources, and a limited ability to look end-to-end—beyond the endpoints—to visualize and correlate threat data across their entire digital environment. For most companies, security isn’t their core business. Defender Experts for XDR can help customers drive security operations center (SOC) efficiency and add security expertise to their team quickly, freeing up their time to work on other security priorities.

Microsoft Defender Experts for XDR helps SOC teams focus on what matters, triaging and investigating prioritized incidents on your behalf. Our Defender Experts are available around the clock to chat about specific incidents or alerts, so your team can get immediate confirmation or clarification on a particular incident. Also, they provide detailed best practices and recommendations to help your team prevent future attacks and improve your overall security posture.

To learn more about Defender Experts for XDR, read through our blog that walks through how the service works or watch our explainer video to see the service in action.

Microsoft Defender Experts for Hunting

Microsoft Defender Experts for Hunting is generally available for customers who look to Microsoft to proactively hunt for threats across Microsoft Defender data—including endpoints, email, cloud applications, and identity. Defender Experts for Hunting combines human expertise and hunter-trained AI to probe deeper to expose threats and correlate across your security stack. Improve your SOC response and prioritize significant threats with timely notifications and analysis by our expert threat hunters. And if you have questions, you can contact our Experts on Demand directly within your Microsoft Defender portal.

To learn more about how we approach active threat hunting, read through our Threat Hunting Survival Guide, or read about our participation in MITRE’s first managed services evaluation.

Microsoft Incident Response

For customers that want help remediating a complex breach (or avoiding one altogether), Microsoft Incident Response (Microsoft IR) offers an end-to-end portfolio of proactive and reactive incident response services. We’ve been helping customers with their toughest incident response challenges since 2008. And we created Microsoft IR to be the first call for customers before, during, and after an incident. We operate in 190 countries and our incident responders are seasoned veterans with more than a combined 1,000 years of career experience resolving attacks from ransomware criminals to the most sophisticated nation-state threat actor groups.

Proactive services can help organizations identify and mitigate risks before they become incidents. This includes services such as compromise assessments, threat hunting, and incident response planning. We know companies that put proactive measures in place detect breaches 108 days faster than those without support (214 days compared to 322 days).³ Reactive services can help organizations respond to a breach quickly and effectively to mitigate damage. This includes services such as incident investigation, containment, and remediation.

Since our last update, Microsoft Incident Response Retainer is now generally available. This new option is designed to give our customers a proactive way to get IR support from Microsoft and was designed to work with cyber insurance. The Microsoft IR Retainer is a flexible and scalable service that can help organizations of all sizes prepare for and respond to cyber incidents. The retainer includes pre-paid hours that provide organizations with peace of mind knowing that they have the resources they need to respond to an incident, regardless of its size or complexity. And if reactive services are not needed, the pre-paid hours can be reallocated to proactive services that help shore up the organization’s security posture. The Microsoft Incident Response Retainer is a valuable tool for organizations of all sizes that want to be prepared for the unexpected. View the explainer video for more information.

To learn more about all our Incident Response services—including the newly available retainer—visit our Microsoft Incident Response webpage or go behind the scenes for an inside look at real-life cyberattack investigations in the Cyberattack Series.

Expert-led security transformation

Microsoft Security Enterprise Services (Enterprise Services), formerly known as Microsoft Security Services for Modernization, has restructured its offerings and is now more focused on helping customers meet modern security needs. These services are ideal for large enterprises that want to leverage Microsoft best practices and know-how as they continue their security transformation. Enterprise Services offers hands-on expertise and advisory services to assess and create your modern organizational cybersecurity strategy. These offerings provide planning and operations expertise to help you mitigate business risks and meet compliance requirements to ensure your business is future-ready. The services have recently been combined into two core expertise areas:

Security Cyber Resilience: End-to-end services to modernize and secure your digital estate including identities, data, applications, and devices across Microsoft Azure and multicloud environments. Microsoft Security Cyber Resilience helps safeguard your digital estate and create a transformation program of change, strategy, and operating models.

Security Operations: Secure your digital estate and safeguard critical information and assets with a security strategy and framework designed and implemented to respond to the modern threat landscape. Security Operations helps create—and action—a program of change for cybersecurity to make your digital estate more secure.

Working alongside our partners

Cybersecurity is a team sport. Too often, organizations play it outnumbered and outsmarted by the attacker. For most companies, cybersecurity is not their core business, and hiring specialized resources to address these concerns can be a challenge. Most customers rely on a trusted security provider in some capacity to help them on their security journey.

Microsoft partners provide robust services and the ability to uniquely customize their offering to your needs. Service providers commonly protect across the breadth of your estate including Microsoft and other third-party security tools. Microsoft’s partners also routinely provide customized service level agreements, data regulatory and industry specialization, and other specialized services aligned with the specific needs you may have, ranging from remotely managed supplementary services to your in-house team through full outsourcing services as required. Microsoft Security Experts services were built to work alongside partner services, and we frequently partner with them on customer requests and design feedback for our solutions.

Over the previous 12 months, more than 40 partners in the Microsoft Cloud Partner Program with Security designations have now received this verified MXDR engineering verification. If you are considering adding MXDR services, we recommend reviewing one of Microsoft’s verified MXDR service partners.

Looking to the future

As we continue to face new cybersecurity challenges, Microsoft will continue to evolve our Microsoft Security Experts services through our innovative engineering practices while leveraging the immense power of AI and other breakthrough technologies to help protect individuals, businesses, and more. Visit the Microsoft Security Experts page to learn more.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.  

¹Revealing New Opportunities for the Cybersecurity Workforce, (ISC)2. 2022.

²Top Risks in Cybersecurity 2023, Bipartisan Policy Center. February 13, 2023.

³Cost of a Data Breach Report 2023, IBM. 2023.

The post Expanded Microsoft Security Experts offerings provide comprehensive protection appeared first on Microsoft Security Blog.

Microsoft Defender Experts for XDR

Meet the new first-party MXDR services from Microsoft with end-to-end protection and expertise.

Learn more

Defender Experts for XDR builds on Microsoft’s industry-leading XDR suite

Industry-leading technologies serve as the backbone of any managed security service, and Defender Experts for XDR builds on the defining benchmark that Microsoft 365 Defender has set in the extended detection and response space. Microsoft was named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4, 2021, one of only two providers to be named a Leader.⁵ Microsoft 365 Defender was rated as “differentiated” in seven criteria including detection, investigation, response, and remediation. Forrester noted that our decision to regulate inputs into XDR, specifically to rich, native telemetry, yields tailored detection, investigation, response, and mitigation capabilities.

Forrester notes that “there is a deep divide in the XDR market between those far along the path and those just starting to deliver on the vision of XDR” and those mature providers “combine the best elements of their portfolios, including industry-leading products, to simplify incident response and build targeted, high-efficacy detections.”

The right and leading technologies are crucial to implementing managed services. Microsoft has a leading endpoint detection and response (EDR) solution, and while EDR is important and serves a valuable purpose, it is insufficient as the only method to protect against evolving threats.⁶ In addition, “too many tools, or worse, duplicate tools in the SOC [security operations center] need to be rationalized and managed security services like MDR [managed detection and response] are increasingly seen as not only a cost savings opportunity but also as a way to rapidly mature their capabilities.”⁷ With Microsoft’s XDR solution coupled with Defender Experts for XDR, we can deliver end-to-end protection and expertise.

How Microsoft Defender Experts for XDR works

Our Defender Experts team delivers the essential human element that complements the power of our Microsoft 365 Defender suite. They are the tip of the spear—taking unparalleled access to data and intelligence across nation-state and e-crime activity, new vulnerability data, newly observed tactics and techniques, and more to analyze and curate a hypothesis-led hunting strategy to find emerging, suspicious activities, and in turn deliver expertise to your security team immediately to help address coverage gaps and augment your overall security operations.

Figure 1. This diagram describes how Microsoft conducts its four-step Defender Experts for XDR process. It starts with triage and prioritizing Microsoft 365 Defender incidents and alerts to alleviate alert fatigue. Microsoft investigates and analyzes the most critical incidents first, documenting the process and findings. In the response step, Microsoft helps contain and mitigate incidents faster by delivering step-by-step guided and managed response, with Defender Experts available on-demand by live chat. Detailed recommendations and best practices are then provided to prevent future attacks. This process delivers continuous security posture improvements around the clock.

As an extension of your team, Defender Experts for XDR empowers you to respond with confidence. Our Defender Experts work around the clock, monitoring your environment and triaging the incidents that need immediate attention. In the event your organization is being affected by a critical incident, our team will investigate it, correlate the threat data to determine the root cause, and provide step-by-step response actions you need to take to contain and remediate the threat. You can take it further and give us permission to contain and remediate the threat for you.

Figure 2. This graphic shows a multistage incident in Microsoft 365 Defender. It includes the attack story of the active alerts related to the incident as well as the Defender Experts section that shows the guided response that includes the actions needed to resolve the incident immediately.

This is all available to you in a turnkey experience, where you can get up and running in hours, with the help of your dedicated service delivery manager (SDM)—your trusted advisor, who is available to you at any given time. And if you have any questions or need additional context on a particular incident, you can access our experts around the clock through live chat. Our detailed, real-time reporting shows you the comprehensive details of investigations into critical incidents, and how long it takes for our team to conduct the investigations on your behalf.

Figure 3. The graph highlights the number of hours that a customer spent completing guided response tasks and the potential time savings a customer can realize if Defender Experts for XDR handles response on their behalf.

“Defender Experts for XDR found a shadow IT detection on the first day of service,” said Mike Johnson, Global Cyber Threat and Incident Response Security Operations Center Manager at Verifone. “I was impressed that they found a real issue for us so fast—none of our other tools alerted us about it.”

Defender Experts for XDR also provides recommendations on how your team can be proactive to prevent the next attack and reduce the number of incidents over time to improve your security posture. “Organizations who need to augment their SOC with 24/7 coverage and immediate access to expertise that will help them quickly triage, investigate, and respond to incidents should explore a managed XDR service,“ said Craig Robinson, Vice President of Security Services at IDC Research. “Microsoft’s new MXDR service positions them to support the needs of organizations facing talent shortages who need to scale their security programs quickly, address coverage gaps, and protect their environment.”

Learn more about Microsoft Defender Experts for XDR

Defender Experts for XDR can quickly deliver expertise to your security teams, help address coverage gaps, and add capabilities like proactive threat hunting to augment your overall security operations. Our customers and partners have been instrumental in the development of Defender Experts for XDR and your continued trust in us drives our team to listen, learn, and adapt to meet your evolving needs. We’re excited about the road ahead and look forward to being a part of your security journey and building a safer world for everyone.

To learn more about the service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, download the datasheet, or watch a short video.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Building a safer world together with our partners—introducing Microsoft Security Experts, Vasu Jakkal. May 9, 2022.

²Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

³Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services, Ryan Kivett. November 9, 2022.

⁴Meet unprecedented security challenges by leveraging MXDR services, Microsoft Security Experts. July 10, 2023.

⁵Forrester Research, Inc., The Forrester New Wave™: Extended Detection And Response (XDR) Providers, Q4 2021, Allie Mellen, Joseph Blankenship, Alexis Tatro, Peggy Dostie. October 13, 2021.

⁶Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Rob Lefferts. March 2, 2023.

⁷Applying the Lessons Learned from 2022 Is Vital for Security Service Providers to Secure Growth in 2023, Doc #US50206623, IDC. February 2023.

The post Microsoft Defender Experts for XDR helps triage, investigate, and respond to cyberthreats appeared first on Microsoft Security Blog.

Attacks are quickly becoming more automated through AI-assisted tools. They are also increasing exponentially—the number of password attacks Microsoft detects has more than tripled in the last 12 months, from 1,287 per second to more than 4,000 per second.¹ Plus, the annual cost of cyberattacks continues to grow. According to the FBI Internet Crime Complaint Center’s (IC3) latest research, reported total losses grew from USD6.9 billion in 2021 to more than USD10.2 billion in 2022.² Such losses are even greater on a global scale. If organizations continue to operate within a fractured security state and only utilize what’s worked in the past, they will leave gaps in their security posture.

Now there is a unique opportunity to harness the power of AI in combination with an end-to-end security solution to build a resilient security posture with defenses that rapidly adapt. There has never been a more important time for specialized cybersecurity expertise, and our partners are critical to preparing customers for the era of AI. According to a Forrester Total Economic Impact study, Microsoft Security partners are realizing a significant increase in their business with more than 14 percent year-over-year growth.³ In small and medium businesses (SMBs), partners are seeing even more dramatic demand with more than 37 percent market expansion just this last year.

Today at Microsoft Inspire 2023, we will discuss AI-powered security during the “Springboard customers into the era of AI with end-to-end security” session. Also, you’ll have an opportunity to ask your most pressing questions at the expert Q&A.

Register for Microsoft Inspire to hear more details on our latest exciting announcements listed in this blog.

Microsoft Inspire 2023

Elevate your business by joining us for Microsoft Inspire, July 18 and 19, 2023, and learn how to accelerate AI transformation in your security practice.

Register now

Coming soon: Microsoft Security Copilot Early Access Program

We are extremely encouraged by the excitement and positive feedback we have received from customers and partners since we announced Microsoft Security Copilot—one of the first generative AI products in the security industry—in March 2023. This fall, we will open our Early Access Program and invite more customers and partners to experience Security Copilot. To help us focus our learning, customers who use Microsoft Defender for Endpoint will be prioritized for early access. Those who also use Microsoft Sentinel will get even more benefit from the program. Security Copilot is designed to work with a broad range of Microsoft and third-party tools, and we will expand the program as we learn.

Our preview is well underway, and the feedback from our preview customers shows that there’s every reason to be excited about the massive potential of this technology to help protect at machine speed and scale:

“Microsoft is spearheading a transformative shift in security operations center (SOC) processes and operations at a truly remarkable speed. By fully integrating these cutting-edge AI technologies, they are pioneering a leap so momentous that by December 2024, SOC operations from 2021 may seem prehistoric in comparison. The surge in productivity could be unparalleled. At Bridgewater, we are thrilled to be helping Microsoft on this voyage, collaboratively propelling Security Copilot’s full potential to the forefront of the industry.”

—Igor Tsyganskiy, President, Bridgewater

New: Security Copilot design advisory council

Today, we are officially kicking off our partner engagement to help you build your own solutions and services powered by Security Copilot. If you are a Microsoft partner, you can start today by helping customers deploy Microsoft Defender for Endpoint and Microsoft Sentinel so that they are prepared to adopt Microsoft Security Copilot. We are excited to join forces with our partners, including members of the Microsoft Intelligent Security Association. Here’s what a couple of our partners have shared already:

“When it comes to cybersecurity, threat actors are increasingly using AI to carry out sophisticated attacks, so why aren’t defenders? We are operating in an era where fighting AI with AI is non-negotiable. By partnering with Microsoft Security Copilot, we can help level the playing field for defenders together. Much of the AI universe sits behind Cloudflare, and acting as the intermediary to allow businesses to harness the power of this technology in a safe way is critical.”

—Matthew Prince, Chief Executive Officer, Cloudflare

“We believe that generative AI will be truly revolutionary and will allow us to become more effective and efficient, by orders of magnitude, in protecting our customers. We expect to see productivity increases from our SOC analysts using Security Copilot when dealing with scenarios like incident response and threat hunting and believe there is potential for upskilling effects, allowing any analyst to complete more advanced tasks quicker than ever before. We are proud to be on this journey with Microsoft and remain excited as they continue to add more compelling capabilities to Security Copilot.”

—Brian Beyer, Chief Executive Officer, Red Canary

“Building on our recent investment to expand and scale our AI offerings, we’re excited to team with Microsoft on bringing Security Copilot to our joint customers, augmenting their ability to predict—prevent—and rapidly respond to security threats. This will help empower all of our customers and provide new opportunities leveraging the responsible use of generative AI.”

—Sean Joyce, Global Cybersecurity and Privacy Leader, PwC

If you are interested in learning how to engage with your customers now to take full advantage of these new AI technologies, we invite you to sign up to receive communications and to be considered for our new Security Copilot design advisory council.

Investments in the managed security service provider community

According to Gartner®, “by 2025, 60 percent of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30 percent today.”⁴ 

To help meet the anticipated demand for these services, we are actively working to recruit more Managed Extended Detection and Response (MXDR) partners alongside our first-party offering. Microsoft is deeply committed to our partner community, and partners will always be the primary path for customers to get the services they need. We are increasing our overall investments for security partners by nearly 50 percent this coming year. A great example of this continued investment is the Microsoft engineering verified MXDR solution status that we launched for partners last year.

Making it easier to better protect small and medium businesses

Small and medium businesses are seeing more cyberattacks, with 82 percent of ransomware attacks targeting small businesses.⁵ Due to a lack of internal security specialists, these businesses often look to IT partners to help secure their IT environments.

We are making it easier for partners to deliver security services to their customers:

• For partners who want to build their own SOC or managed detection and response (MDR) service, we are pleased to announce streaming APIs from Microsoft Defender for Business to enable advanced hunting and attack detection. Available in preview in Defender for Business standalone and as part of Microsoft 365 Business Premium.
• With a 3.4 million-person global shortage in the cyber workforce, partners face staffing challenges as much as their customers do.⁶ For those partners who want to resell security services but do not have the resources to invest in an in-house SOC, we are pleased to announce integrations with leading MDR providers. For example, Blackpoint Cyber now offers both a round-the-clock cloud response MDR service for Microsoft 365 environments, including Microsoft 365 Business Premium, and a managed endpoint detection and response (EDR) service for Defender for Business customers. 
• We’re extending mobile protection to SMB customers who may not have a mobile device management solution with Mobile threat defense for standalone Defender for Business customers—now generally available. The new Defender for Business monthly summary report will show threats prevented, current status from Microsoft Secure Score and recommendations, and will help partners to show value to customers.

For details on our SMB-focused announcements, read our Tech Community blog post.

Expanding comprehensive security with product innovations

We continue to offer one of the most comprehensive security solutions in the market and power it with world-class global threat intelligence. Today we announced the following innovations:

• Microsoft Sentinel: To simplify budgeting, billing, and cost management, the Microsoft Sentinel price now includes the Azure Monitor Log Analytics price. To learn more, read the announcement blog.
• Microsoft Defender Experts for XDR: A new managed service gives customers step-by-step guidance to respond to incidents, receive expertise when they need it, and stay ahead of emerging threats.
• Microsoft Purview Insider Risk Management: With the new bring-your-own-detections capabilities, partners can help their customers create custom indicators by bringing in detections from non-Microsoft sources, such as a customer relationship management system like Salesforce or a developer tool like GitHub.
• Microsoft Defender for Cloud Apps: The new open app connector platform makes it easier for partners to plug their solutions into our platform. New API connectors include the preview of Asana and Miro as well as the general availability of software as a service security posture management capabilities for DocuSign, Citrix, Okta and GitHub.
• Microsoft Defender for Endpoint: The settings management experience is now natively embedded into Microsoft Defender for Endpoint for Windows, Linux, and macOS, removing dependencies on Microsoft Intune and the need to switch between portals.
• Microsoft Defender Threat Intelligence: Graph APIs now enable simple exporting and ingestion of data to Microsoft Defender, Microsoft Sentinel, and third-party applications.
• Microsoft Purview eDiscovery: Now generally available, the Microsoft Graph eDiscovery Export API will enable external applications and partners to integrate the eDiscovery export function through scripting.
• Microsoft Purview Information Protection: With this update, confidential and highly sensitive Excel files that are labeled and protected by Microsoft Purview Information Protection can continue to be protected when imported into Microsoft Power BI datasets and reports throughout their lifecycle. Additionally, documents in SharePoint and OneDrive now support labeled and encrypted documents with user-defined permissions. Co-authoring for Word, Excel, and PowerPoint apps now enables document owners to define permissions for people who can have access to shared sensitive documents that are encrypted.
• Microsoft Purview Data Loss Prevention: Microsoft Purview Data Loss Prevention introduces a new capability to allow security teams to create policies that prevent their users from pasting sensitive data to specific websites or web applications.
• Microsoft Defender for External Attack Surface Management: With External Attack Surface Management, you can leverage new data connections to seamlessly integrate your attack surface data into other Microsoft solutions, including Azure Data Explorer and Log Analytics. These data connections will help you supplement workflows with new insights, which will enable you make informed security decisions based on more comprehensive information.

We have been innovating rapidly across the entire Microsoft Security portfolio. In case you missed them, here are a few of our most recent announcements.

• Two new Security Service Edge solutions: Microsoft Entra Internet Access helps protect access against malicious traffic and threats from the open internet. Microsoft Entra Private Access helps secure access to private apps and resources from any device and network.
• Microsoft Azure Active Directory is now Microsoft Entra ID: To unify our product family, we changed the name of Microsoft Azure Active Directory to Microsoft Entra ID.
• Microsoft Intune Suite: In March 2023, we launched the Intune Suite, which unifies mission-critical advanced endpoint management and security solutions into one simple bundle. The suite’s AI-powered automation empowers IT and security teams to move simply and quickly from reactive to proactive in addressing security challenges.
• Adaptive Protection in Microsoft Purview: In early 2023, we launched Adaptive Protection in Microsoft Purview. This new capability dynamically updates data loss prevention controls and policies, turning them to individual users and helping customers identify and mitigate the most critical risks. This saves security teams valuable time while ensuring better data security. Learn more about the features and benefits of Adaptive Protection.
• Microsoft Sentinel reduces investigation time by 88 percent: This year, we unveiled a new context-focused incident investigation experience for Microsoft Sentinel that enables security analysts to reduce their investigation time by up to 88 percent.⁷ We also delivered the ability to automatically disrupt in-progress attacks in Microsoft 365 Defender to help customers prevent devasting breaches. 

2023 Security Partner of the Year Awards

We are excited to announce our 2023 Security Partner of the Year Award winners.

Security Partner of the Year: BDO Digital

BDO Digital is a global company that offers detection, automation, and reduction of overall cybersecurity risks. Many of BDO’s clients’ legacy tools were not equipped to deal with modern infrastructure, and internal security teams did not have the bandwidth to monitor and triage security events. BDO helped improve its clients’ cybersecurity posture by reducing actionable alerts by over 50 percent.

Compliance Partner of the Year: Epiq

Epiq offers advanced data security technology solutions, such as a unique Chat Connector for Microsoft Teams that allows legal teams to effectively assess data for relevant and privileged content. 

Building securely together

As we all consider what we can accomplish with AI now and in the future, I cannot overstate the importance of end-to-end security. This is exactly where we recommend you start with your customers. Help them strengthen their security posture now so that when they deploy AI, they are not vulnerable to attacks. AI solutions will only ever be as strong as their underlying security.

As with any product design, we hold ourselves to high security standards when building, developing, and deploying AI-powered solutions from platforms to applications to processes. We maintain rigorous responsible AI practices, aimed at understanding and mitigating harms, measuring the quality of responses, and fostering a continuous learning environment from customer feedback. A cornerstone of these standards is our commitment to developing solutions that are “secure by design and secure by default.” However, it is important to note that the robustness of security is significantly enhanced when users actively manage and maintain it. Our focus extends to ensuring robust control over data, meaning it won’t be used to train AI models without explicit permission. We advocate for our partners to adhere to these benchmarks while crafting and implementing AI-based offerings for customers—whether the aim is to enhance productivity, automate a business process, or safeguard against threats.

Connect with us at Microsoft Inspire 2023

Microsoft Inspire 2023 is an incredible opportunity to share all the ways AI can support security efforts with our partner ecosystem. If you haven’t registered, there’s still time to reserve your complimentary spot. There, you’ll hear strategies to prepare your organization for AI with comprehensive security and security posture. Hope to see you in these sessions!

• “Springboard customers into the era of AI with end-to-end security” (FS106): This session will spotlight how AI will transform technology for our customers and their security practices. You can also join a live Q&A with the experts.
• “Investments Microsoft is making to accelerate your security business” (ODBRK117): Learn the latest opportunities to expand the offerings of existing customers over the next 12 months with Microsoft Security.
• “Take advantage of the expanding opportunity with end-to-end security” (OD130): Explore how Microsoft Security’s end-to-end solution helps you get ready and get your customers to fully leverage the massive opportunity in the security market.  
• “Securing the channel: protecting customers’ digital transformation” (OD131): Find out more about Microsoft’s vital role in addressing increasing cyberattacks in hybrid and remote work environments, while also hearing of the role of partners in proactively securing customers’ digital transformation.
• “Bridging the cybersecurity gap: security training for partners” (OD132): In this Level 400 session, you’ll experience a new gamified learning simulation that makes Microsoft Security solutions real for you and your teams through interactive scenarios. 
• “Build Your Security Practice” (OD142): Explore how partners can grow revenue and profitability with managed security services with Microsoft 365 Business Premium and Microsoft Defender for Business. We will discuss key SMB trends, new product innovations, and resources to help partners develop successful security service offerings.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft internal data.

²Internet Crime Report, Federal Bureau of Investigation. 2022.

³The Partner Opportunity For Microsoft Security, Forrester. July 2023.

⁴Gartner® Market Guide for Managed Detection and Response Services, Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies. February 14, 2023. 

⁵The Devastating Impact of Ransomware Attacks on Small Businesses, Quinn Cleary. April 4, 2023.

⁶2022 Cybersecurity Workforce Study, (ISC)². 2022.

⁷The Total Economic Impact™ Of Microsoft SIEM And XDR, Forrester. August 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

The post Microsoft Inspire: Partner resources to prepare for the future of security with AI appeared first on Microsoft Security Blog.

Endpoint-focused detection and response are insufficient to protect against evolving threats

Historically, many customers begin their security journey focusing on endpoint security products. But in today’s connected and dynamic world, organizations risk serious data breaches if they are not looking end-to-end. Specific pain points our customers often encounter include:

• Inability to resource cybersecurity experts: Teams may lack the skill sets needed to thoroughly investigate incidents and do not have the capacity for round-the-clock coverage. And even if organizations have the budget to hire internally, a resource gap in the industry can make it very difficult to hire the right talent in a timely fashion.
• Triaging vast amounts of security alerts and data: Many companies are dealing with alert fatigue, and they need to focus on the things that matter. They need help beyond just cleaning up minor incidents or false positive alerts. They need help enhancing their security posture to reduce the volume of alerts and incidents they see over time.
• Ability to look end-to-end: Many organizations have made the jump to endpoint detection and response (EDR), but they’re not getting visibility into their environment beyond the endpoint. The advantage of Managed Extended Detection and Response (MXDR) over endpoint-focused managed detection and response (MDR) solutions is the ability to go beyond the endpoint to visualize and correlate threat data across domains and have that human-led expertise delivered quickly to help organizations accelerate or augment their security operations center capabilities.

Managed Extended Detection and Response changes how security work gets done

Microsoft believes it’s critical that customers not only have their environments well protected using Zero Trust principles leveraging advanced security technologies but also have the expertise available to them to fully triage events and respond to incidents 24 hours a day, 7 days a week.

Cybersecurity is a team sport. Too often, organizations play it outnumbered and outsmarted by the attacker. When your security team is challenged by a sophisticated adversary, an MXDR service provider can bring the power of best-in-class technologies and security know-how to tip the scales in your favor.

For most companies, cybersecurity is not their core business, and having the specialized resources to address these concerns can be a challenge. According to Gartner^®, “by 2025, 60 percent of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30 percent today.”³

How an MXDR service can work for you

A Managed Extended Detection and Response (MXDR) service is an extension of your team, empowering you to have specialist resources available around the clock. Monitoring your environment and triaging incidents that need immediate attention in a timely manner is critical to maintaining a healthy security posture. In the event your organization is affected by a critical incident, you will want to ensure you have the resources to investigate the incident, correlate the threat data to determine the root cause, and implement step-by-step response actions to contain and remediate the threat.

Microsoft-verified MXDR partner services

Most customers rely on a trusted security provider in some capacity to help them on their security journey. To assist customers as they consider MXDR services to further protect their organization, Microsoft has provided our Microsoft Cloud Partner Program members a way to receive Microsoft-verified MXDR partner status. This status means Microsoft engineers have reviewed and audited a partner’s MXDR solution to meet the highest industry standards of round-the-clock security including proactive threat hunting, investigation, response, and prevention services. This verification can help you identify potential service partners who can help you secure your users and multicloud infrastructure.

Microsoft partners provide a full line of services and the ability to uniquely customize their offering to your needs. Service providers commonly protect across the breadth of your estate including Microsoft and other third-party security tools. Microsoft’s partners also routinely provide customized service level agreements, data regulatory and industry specialization, and other specialized services aligned with the specific needs you may have, ranging from remotely managed supplementary services to your in-house team through full outsourcing services as required.

Over the previous 12 months, more than 40 partners in the Microsoft Cloud Partner Program with Security designations have now received this engineering verification. If you are considering adding MXDR services, Microsoft recommends reviewing one of Microsoft’s verified MXDR service partners.

Microsoft Defender Experts for XDR

Microsoft is committed to ensuring customers have all the help they need. In addition to customizable partner offerings that work for the full range of global customer needs, for customers that require XDR products and managed services from a single platform provider, Microsoft is excited to announce the general availability of Microsoft Defender Experts for XDR, a first-party MXDR offering that gives security teams air cover with leading end-to-end protection and expertise. Powered by Microsoft’s best-in-class XDR suite, Defender Experts for XDR helps security teams triage, investigate, and respond to incidents related to email, cloud applications, endpoint, and identity to stop attackers in their tracks and prevent future compromise.

Capabilities include:

• Managed detection and response—Let our expert analysts manage your Microsoft 365 Defender incident queue and guide your response to incidents or handle triage, investigation, and response on your behalf.
• Proactive threat hunting—Extend your team’s threat-hunting capabilities and prioritize significant threats with Microsoft Defender Experts for Hunting built in.
• Live dashboards and reports—Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of what matters for your organization, coupled with detailed analytics.
• Proactive check-ins—Benefit from remote, periodic check-ins with your named service delivery manager to guide your MXDR experience and improve your security posture.
• Fast and seamless onboarding—Get a guided baselining experience to ensure your Microsoft security products are correctly configured.

Microsoft Defender Experts for XDR

Meet the new first-party MXDR services from Microsoft with end-to-end protection and expertise.

Learn more

Learn more

To learn more about this service, visit the Defender Experts for XDR product page  and visit the Microsoft Defender Experts for XDR documentation page.  

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Anatomy of a modern attack surface: Six areas for organizations to manage, Microsoft. May 5, 2023.

²2022 Cost of Insider Threats: Global Report, The Ponemon Institute. 2022.

³Gartner®, Market Guide for Managed Detection and Response Services, Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies. February 14, 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Meet unprecedented security challenges by leveraging MXDR services appeared first on Microsoft Security Blog.