Microsoft Security

Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations

For the fourth consecutive year, Microsoft 365 Defender demonstrated its industry-leading protection in MITRE Engenuity’s independent ATT&CK® Enterprise Evaluations, showcasing the value of an integrated XDR-based defense that unifies device and identity protection with a Zero Trust approach:

The Microsoft 365 Defender XDR solution displayed top-class coverage by surfacing to the security operations center (SOC) a single comprehensive incident for each of the simulated attacks. Each incident gave a detailed view of suspicious device and identity activities, coupled with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in their early stages.

This is the third year in which Microsoft 365 Defender has showcased the power of the combined XDR suite, demonstrating coverage across devices, identities, and cloud applications.

Demonstrated complete visibility and analytics across all stages of the attack chain

Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of Wizard Spider and Sandworm, leveraging our artificial intelligence-driven adaptive protection.

Diagram showing an overview of the Wizard Spider and Sandworm attack stages.
Figure 1. Microsoft 365 Defender providing full attack chain coverage

Defending against human-operated ransomware requires a defense-in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Providing detection and visibility enables defenders to evict the attackers from the network during the pre-ransom phase. It also minimizes the impact of encryption or of extortion through data exfiltration.

Technique-level detection coverage in real time without delays

Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions—such as encrypting devices or exfiltrating information for extortion—is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to continue to move laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time without any delayed detections.

Bar chart comparing Microsoft's technique-level coverage against other competitors. Microsoft provided 100% coverage.
Figure 2. Microsoft 365 Defender providing technique-level coverage in every attack stage

100% protection coverage, blocking all stages in early steps

Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities did this without hindering productivity: no benign activities were blocked and no user consent was required.

Bar chart comparing Microsoft's protection coverage against other competitors. Microsoft blocked 9 out of 9 stages with no false positives.
Figure 3. Microsoft 365 Defender blocking in all stages

In real-world scenarios, blocking ransomware activities early—that is, in the pre-ransom stage across all platforms and assets—is crucial in protecting customers and mitigating the downstream extortion and disruption attack impact.

Each attack generated a single comprehensive incident for the SOC

Unlike many other vendors surfacing multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly one incident per attack, combining all events across device and identity into a single comprehensive view of each attack.

Microsoft 365 Defender’s unique incident correlation technology is tremendously valuable for SOC analysts dealing with alert fatigue. It significantly improves the efficiency of responding to threats, saving time analysts might otherwise have spent on manual correlation or on handling individual alerts. It also makes triage and investigation easier and faster by presenting a view of the full attack graph.

Screenshot of Microsoft 365 Defender detecting the Wizard Spider simulated attack as a single incident.
Figure 4. Scenario 1: A single incident representing the Wizard Spider simulated attack with the attack sprawl and impacted assets summarized
Screenshot of Microsoft 365 Defender displaying the incident graph of the Wizard Spider simulated attack.
Figure 5. Scenario 1: Incident graph for an at-a-glance view of the entire attack, showing device and identity assets as well as all observed evidence
Screenshot of Microsoft 365 Defender detecting the Sandworm simulated attack as a single incident.
Figure 6. Scenario 2: A single incident representing the Sandworm simulated attack, with the attack sprawl and impacted assets summarized.
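The single-incident behavior described above comes from linking alerts that name the same device or identity. The following is an added example written for this page, not Microsoft 365 Defender's correlation engine: it groups constructed sample alerts into incidents with a union-find over shared entities, linking two alerts only when they share an entity within a time window, so a chain that hops from a user to a workstation to a file server still lands in one incident. All alert data, entity names and the window size are constructed assumptions.

```python
"""Entity-based alert correlation into incidents (added example).

Groups alerts that share a device or identity entity within a time window
into one incident, the way the post describes a single incident per attack.
Illustrative code, not Microsoft 365 Defender's correlation engine; the
alerts below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: five from one simulated intrusion spanning the
# endpoint and identity workloads, and one unrelated alert on another device.
SAMPLE_ALERTS = [
    {"id": "A1", "time": "2022-03-29T09:00:00", "source": "endpoint",
     "title": "Suspicious PowerShell download", "entities": ["device:ws01", "user:alice"]},
    {"id": "A2", "time": "2022-03-29T09:10:00", "source": "identity",
     "title": "SAM database enumeration from a workstation", "entities": ["user:alice", "device:dc01"]},
    {"id": "A3", "time": "2022-03-29T09:20:00", "source": "identity",
     "title": "Unusual service ticket requests (SPN exposure)", "entities": ["user:alice"]},
    {"id": "A4", "time": "2022-03-29T10:05:00", "source": "endpoint",
     "title": "Remote process creation via WMI", "entities": ["device:ws01", "device:fs01"]},
    {"id": "A5", "time": "2022-03-29T10:30:00", "source": "endpoint",
     "title": "Ransomware staging detected", "entities": ["device:fs01"]},
    {"id": "A6", "time": "2022-03-28T14:00:00", "source": "endpoint",
     "title": "Unsigned driver loaded", "entities": ["device:lab07"]},
]


class UnionFind:
    """Minimal disjoint-set structure keyed by alert id."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts, window=timedelta(hours=24)):
    """Return incidents: groups of alerts linked by shared entities.

    Two alerts are linked when they name the same entity and occur within
    `window` of each other; links are transitive, so a chain of alerts that
    hops from a user to a device to another device lands in one incident."""
    by_id = {a["id"]: a for a in alerts}
    uf = UnionFind(by_id)
    per_entity = defaultdict(list)
    for a in alerts:
        for ent in a["entities"]:
            per_entity[ent].append(a)
    for group in per_entity.values():
        group.sort(key=lambda a: a["time"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(group, group[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= window:
                uf.union(prev["id"], cur["id"])
    members = defaultdict(list)
    for a in alerts:
        members[uf.find(a["id"])].append(a)
    incidents = []
    for group in members.values():
        group.sort(key=lambda a: a["time"])
        incidents.append({
            "alerts": [a["id"] for a in group],
            "first_seen": group[0]["time"],
            "last_seen": group[-1]["time"],
            "sources": sorted({a["source"] for a in group}),
            "entities": sorted({e for a in group for e in a["entities"]}),
        })
    incidents.sort(key=lambda i: (-len(i["alerts"]), i["first_seen"]))
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), 1):
        print(f"Incident {n}: {len(inc['alerts'])} alerts from {inc['sources']}")
        print("  entities:", ", ".join(inc["entities"]))
        print("  alerts:  ", " -> ".join(inc["alerts"]))
```

With the default 24-hour window the five intrusion alerts collapse into one incident spanning both workloads and the unrelated driver alert stays separate; shrinking the window to 30 minutes splits the chain where the gap between the identity alerts and the WMI lateral movement exceeds it, which is the trade-off between a tight window (fewer spurious merges) and a wide one (fewer fragmented incidents).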

Unique and durable detections from the integrated Microsoft Defender for Identity

Microsoft 365 Defender’s integrated identity protection capabilities uncover and durably block identity-related attacks regardless of the specific attacker technique implemented on a device, making it practically impossible for attackers to evade. Furthermore, building these protections in the identity fabric provides in-depth, context-rich signals for security teams to investigate and respond effectively. Other vendors leveraging endpoint-only signals may be more susceptible to evasion, and their detections typically have less context.

Here are some examples representing Microsoft 365 Defender’s unique identity protection capabilities in the evaluation:

Screenshot of Microsoft 365 Defender detecting a suspicious remote SAM database query.
Figure 7. SAM database queried to enumerate users detected by the Microsoft 365 Defender Identity workload
Screenshot of Microsoft 365 Defender detecting a suspicious resource access activity.
Figure 8. Timeline view of resource activity on a domain controller and SPN exposure attack with related compromised resource
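Figure 8 refers to an SPN exposure attack, in which one account requests service tickets for many service principals so their encrypted portions can be attacked offline. The following is an added example, not Defender for Identity's detection logic: it runs a well-known heuristic over constructed Kerberos audit lines modelled loosely on Windows event 4769, flagging an account that requests tickets for several distinct user-owned service accounts with weak encryption types inside a short window, while ignoring computer accounts and krbtgt. The log format, account names, threshold and window are constructed assumptions.

```python
"""Detecting SPN exposure (service ticket harvesting) from Kerberos audit
events (added example, not Defender for Identity code).

Heuristic: one account requesting service tickets for many distinct
user-owned service accounts with RC4 or DES within a short window.
Computer accounts (names ending in '$') and krbtgt are excluded because
their keys are long and random, so they are noise rather than targets."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines modelled loosely on Windows event 4769 (service
# ticket requested), flattened to key=value fields. The Service field holds
# the service account name, as the real ServiceName field does. Not real data.
SAMPLE_LOG = """\
2022-03-29T10:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=svc_sql EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:02 EventID=4769 Account=alice@CORP.LOCAL Service=svc_web EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:02 EventID=4769 Account=alice@CORP.LOCAL Service=WS01$ EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:03 EventID=4769 Account=alice@CORP.LOCAL Service=svc_report EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:04 EventID=4769 Account=alice@CORP.LOCAL Service=svc_sccm EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:05 EventID=4769 Account=alice@CORP.LOCAL Service=svc_web EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:06 EventID=4769 Account=alice@CORP.LOCAL Service=svc_backup EncType=0x17 Client=10.0.0.5
2022-03-29T10:00:07 EventID=4768 Account=alice@CORP.LOCAL Service=krbtgt EncType=0x12 Client=10.0.0.5
2022-03-29T10:05:00 EventID=4769 Account=bob@CORP.LOCAL Service=svc_sql EncType=0x12 Client=10.0.0.7
2022-03-29T10:05:01 EventID=4769 Account=bob@CORP.LOCAL Service=svc_web EncType=0x12 Client=10.0.0.7
2022-03-29T08:00:00 EventID=4769 Account=svc_backup@CORP.LOCAL Service=svc_sql EncType=0x17 Client=10.0.0.9
2022-03-29T09:00:00 EventID=4769 Account=svc_backup@CORP.LOCAL Service=svc_web EncType=0x17 Client=10.0.0.9
2022-03-29T11:00:00 EventID=4769 Account=svc_backup@CORP.LOCAL Service=svc_report EncType=0x17 Client=10.0.0.9
2022-03-29T12:00:00 EventID=4769 Account=svc_backup@CORP.LOCAL Service=svc_sccm EncType=0x17 Client=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) EventID=(?P<event>\d+) Account=(?P<account>\S+) "
    r"Service=(?P<service>\S+) EncType=(?P<enc>0x[0-9a-fA-F]+) Client=(?P<client>\S+)$"
)
WEAK_ENC = {0x17, 0x01, 0x03}  # RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5


def parse_events(text):
    """Parse the flattened log into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["time"]),
            "event": int(m["event"]),
            "account": m["account"],
            "service": m["service"],
            "enc": int(m["enc"], 16),
            "client": m["client"],
        })
    return events


def roastable(service):
    """True for user-owned service accounts; False for computer accounts and krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_spn_exposure(text, threshold=4, window=timedelta(minutes=5)):
    """Return one finding per account whose weak-crypto ticket requests cover
    at least `threshold` distinct roastable services inside any `window`."""
    by_account = defaultdict(list)
    for e in parse_events(text):
        if e["event"] == 4769 and e["enc"] in WEAK_ENC and roastable(e["service"]):
            by_account[e["account"]].append(e)
    findings = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, first in enumerate(evs):  # sliding window over the sorted requests
            services, last = set(), first["time"]
            for e in evs[i:]:
                if e["time"] - first["time"] > window:
                    break
                services.add(e["service"])
                last = e["time"]
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {"account": account, "services": sorted(services),
                        "start": first["time"].isoformat(), "end": last.isoformat(),
                        "client": first["client"]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spn_exposure(SAMPLE_LOG):
        print(f"{f['account']} from {f['client']} requested {len(f['services'])} roastable "
              f"services between {f['start']} and {f['end']}: {', '.join(f['services'])}")
```

In the sample only the alice account trips the rule: bob requests AES tickets, and svc_backup's four RC4 requests are hours apart, so they only cluster if the window is widened to several hours. The identity-side signal fires on the authentication protocol itself, which is why it does not depend on which tool or host produced the requests.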

Protection for Linux across all attack stages

Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms, with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.

Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. Therefore, having excellent coverage across all platforms is crucial to protect organizations against attacks.

Bar chart comparing Microsoft's technique-level coverage in Linux against other competitors. Microsoft provided 100% coverage.
Figure 9. Microsoft 365 Defender providing technique-level coverage in every Linux attack stage

For example, as seen in Figure 10 below, Microsoft Defender for Endpoint on a Linux device alerted on suspicious behavior by a web server process. The sensitive file read was blocked, preventing any further reads. The attacker then attempted to download and run a backdoor on the device; that was also blocked behaviorally, preventing subsequent compromise.

Screenshot of Microsoft 365 Defender for Endpoint blocking a suspicious behavior by a web server process.
Figure 10. Sensitive file read by a web server process detected on Linux device
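The two Linux behaviors just described, a web server process reading a sensitive file and then launching a downloaded payload, are detected by reasoning about process lineage rather than any one process name. The following is an added example written for this page, not Microsoft Defender for Endpoint's rules: it replays a constructed stream of exec and file-open events, builds the process tree, and fires when a descendant of a web server opens a sensitive path or executes a binary from a world-writable directory. The web server names, sensitive paths and event format are constructed assumptions.

```python
"""Behavioral detection of a web server process touching sensitive files or
launching payloads from a temp directory (added example; constructed events,
not Microsoft Defender for Endpoint's rules).

Two rules run over a process tree built from execution events:
  1. a process descended from a web server opens a sensitive file
  2. a process descended from a web server executes a binary from a
     world-writable directory
Lineage matters because the file is rarely read by the web server itself:
it is read by a shell or utility the compromised server spawned."""

WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/gshadow", "/root/.ssh/", "/etc/ssl/private/")
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed event stream, roughly what an endpoint sensor would emit.
# One apache2 child chain reads /etc/shadow and executes from /tmp; an
# administrator in an SSH session reads /etc/shadow and must not be flagged.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1,   "comm": "apache2", "path": "/usr/sbin/apache2"},
    {"type": "open", "pid": 100, "path": "/var/www/html/index.html"},
    {"type": "exec", "pid": 200, "ppid": 100, "comm": "sh",      "path": "/bin/sh"},
    {"type": "exec", "pid": 201, "ppid": 200, "comm": "cat",     "path": "/bin/cat"},
    {"type": "open", "pid": 201, "path": "/etc/shadow"},
    {"type": "exec", "pid": 300, "ppid": 1,   "comm": "sshd",    "path": "/usr/sbin/sshd"},
    {"type": "exec", "pid": 301, "ppid": 300, "comm": "bash",    "path": "/bin/bash"},
    {"type": "open", "pid": 301, "path": "/etc/shadow"},
    {"type": "exec", "pid": 202, "ppid": 200, "comm": "curl",    "path": "/usr/bin/curl"},
    {"type": "exec", "pid": 203, "ppid": 200, "comm": ".x",      "path": "/tmp/.x"},
]


def web_server_ancestor(pid, procs):
    """Return the pid of the nearest web-server process at or above `pid`, else None."""
    seen = set()
    while pid in procs and pid not in seen:  # stop at unknown pids or cycles
        seen.add(pid)
        if procs[pid]["comm"] in WEB_SERVERS:
            return pid
        pid = procs[pid]["ppid"]
    return None


def detect(events):
    """Replay events in order; return the findings in the order they would fire."""
    procs, findings = {}, []
    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            root = web_server_ancestor(ev["ppid"], procs)
            if root is not None and ev["path"].startswith(WRITABLE_DIRS):
                findings.append({"rule": "exec_from_writable_dir", "pid": ev["pid"],
                                 "web_server_pid": root, "detail": ev["path"]})
        elif ev["type"] == "open":
            root = web_server_ancestor(ev["pid"], procs)
            if root is not None and ev["path"].startswith(SENSITIVE_PREFIXES):
                findings.append({"rule": "sensitive_file_read", "pid": ev["pid"],
                                 "web_server_pid": root, "detail": ev["path"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']}: pid {f['pid']} under web server pid {f['web_server_pid']} -> {f['detail']}")
```

The administrator's read of /etc/shadow from an SSH session produces no finding because its lineage ends at sshd, not a web server; the same file read two processes below apache2 does. A sensor that blocks rather than only alerts would deny the open at the first rule, which is the "blocking sensitive file read" behavior Figure 10 shows.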

Unique and durable detections from Windows deep native sensors

While most attack steps on devices can be observed by inspecting process and script activities, relying solely on this type of telemetry has several shortcomings.

From a detection durability standpoint, attackers could easily avoid detection by obfuscating or pivoting to alternative methods. Furthermore, in terms of detection quality, relying solely on “surface-level” telemetry could potentially produce a higher number of false positives and overhead for security teams. Finally, this type of telemetry lacks the needed context to enable effective investigation and response.

Unlike other solutions, Microsoft 365 Defender’s unique platform-native deep device sensors introduced signal depth, providing durable, context-rich signals for security teams to identify, investigate and respond to. Here are some examples, as seen during the evaluation:

Screenshot of Microsoft 365 Defender detecting process creation via WMI.
Figure 11. Process creation via WMI detected natively using WMI sensors, regardless of invocation method
Screenshot of Microsoft 365 Defender detecting system shutdown via WMI.
Figure 12. System shutdown via WMI detected natively using WMI sensors, regardless of invocation method
Screenshot of Microsoft 365 Defender detecting a suspicious Outlook COM call.
Figure 13. Detection of attacker’s search for passwords in Outlook using our unique COM interface sensor integration
Screenshot of Microsoft 365 Defender Advanced Hunting page.
Figure 14. Credential access visibility via DPAPI sensor integration
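Figures 11 and 12 make the durability point concretely: a detection keyed on the WMI operation itself fires "regardless of invocation method", whereas one keyed on what the command line looks like does not. The following is an added example written for this page, not Microsoft's detection logic: it runs two detectors over the same constructed telemetry. One matches process command lines for WMI process-creation idioms (the "surface-level" telemetry the text describes); the other consumes method-invocation events that a hypothetical platform-native WMI sensor would record when Win32_Process.Create or Win32_OperatingSystem.Shutdown is called. The third process hides its intent behind an encoded PowerShell command launching notepad.exe, so the string matcher misses it while the sensor event still fires. The event schema, the sensor, and the sample commands are constructed assumptions.

```python
"""Why a native WMI sensor is more durable than command-line matching
(added example; constructed telemetry, not Defender's own detection logic).

Two detectors run over the same events:
  - cmdline_detector inspects process command lines for WMI process-creation
    idioms, the kind of surface-level telemetry attackers can obscure
  - sensor_detector consumes method-invocation events a hypothetical
    platform-native WMI sensor would emit, which sees the call however
    it was invoked"""
import base64
import re

# The benign command the encoded PowerShell launches in this constructed sample.
_PS_SCRIPT = ("Invoke-CimMethod -ClassName Win32_Process -MethodName Create "
              "-Arguments @{CommandLine='notepad.exe'}")
_ENCODED = base64.b64encode(_PS_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed telemetry: three process-creation events from different tools,
# the Win32_Process.Create invocation a WMI sensor would record for each,
# and one Win32_OperatingSystem.Shutdown call (the Figure 12 case).
SAMPLE_TELEMETRY = [
    {"id": "P1", "type": "process", "image": "wmic.exe",
     "cmdline": 'wmic process call create "notepad.exe"'},
    {"id": "P2", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell -Command Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe"},
    {"id": "P3", "type": "process", "image": "powershell.exe",
     "cmdline": f"powershell -NoProfile -EncodedCommand {_ENCODED}"},
    {"id": "W1", "type": "wmi_method", "class": "Win32_Process", "method": "Create",
     "caller": "P1", "arguments": {"CommandLine": "notepad.exe"}},
    {"id": "W2", "type": "wmi_method", "class": "Win32_Process", "method": "Create",
     "caller": "P2", "arguments": {"CommandLine": "notepad.exe"}},
    {"id": "W3", "type": "wmi_method", "class": "Win32_Process", "method": "Create",
     "caller": "P3", "arguments": {"CommandLine": "notepad.exe"}},
    {"id": "W4", "type": "wmi_method", "class": "Win32_OperatingSystem", "method": "Shutdown",
     "caller": "P2", "arguments": {}},
]

# Visible idioms a string-based rule would look for (case-insensitive).
CMDLINE_PATTERNS = re.compile(
    r"wmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b|invoke-wmimethod|invoke-cimmethod|win32_process",
    re.IGNORECASE,
)

# Class/method pairs the hypothetical sensor-based rule watches.
WATCHED = {("Win32_Process", "Create"), ("Win32_OperatingSystem", "Shutdown")}


def cmdline_detector(events):
    """Ids of process events whose visible command line shows a WMI idiom."""
    return {e["id"] for e in events
            if e["type"] == "process" and CMDLINE_PATTERNS.search(e["cmdline"])}


def sensor_detector(events, watched=WATCHED):
    """Map each calling process id to the watched WMI methods it invoked.

    The caller's command line is never consulted: the sensor records the
    method call itself, so encoding or obfuscation changes nothing."""
    seen = {}
    for e in events:
        if e["type"] == "wmi_method" and (e["class"], e["method"]) in watched:
            seen.setdefault(e["caller"], []).append(f"{e['class']}.{e['method']}")
    return {caller: sorted(methods) for caller, methods in seen.items()}


def coverage_gap(events):
    """Callers the sensor caught performing a watched action that the
    command-line rule would not have flagged."""
    return set(sensor_detector(events)) - cmdline_detector(events)


if __name__ == "__main__":
    print("command-line rule flagged:", sorted(cmdline_detector(SAMPLE_TELEMETRY)))
    for caller, methods in sorted(sensor_detector(SAMPLE_TELEMETRY).items()):
        print(f"sensor saw {caller} call {', '.join(methods)}")
    print("missed by command-line matching:", sorted(coverage_gap(SAMPLE_TELEMETRY)))
```

The command-line rule catches the wmic and plain PowerShell invocations and nothing else, while the sensor attributes the same Win32_Process.Create call to all three callers and additionally records the Shutdown call; the gap is exactly the encoded process. The encoded command here is produced by the block itself so the sample is reproducible, and the decoded script launches notepad.exe, which keeps the sample benign while still exercising the evasion path a string matcher cannot follow.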

A final word: Leading with product truth and a customer-centric approach

As in previous years, Microsoft’s philosophy in this evaluation was to empathize with our customers—the “protection that works for customers in the real world” approach. We participated in the evaluation with product capabilities and configurations that we expect customers to use.

As you review evaluation results, you should consider additional important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false-positive rates. All of these are critical to the solution’s reliable operation and translate directly to protection that works in real customer production environments.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.