Microsoft Enhances the AI-based Protections in Microsoft Defender for Endpoint with a Range of Specialized Machine Learning Techniques

The ransomware attack surface for businesses is vast, expanding quickly, and constantly changing. Quantifying that risk effectively can require processing up to several hundred billion time-varying signals, depending on the size of the business.

Limiting the impact of ransomware attacks on targeted companies, including economic disruption and extortion, requires early detection and prevention of these attacks. Microsoft consistently improves the solutions it offers to safeguard customers based on its comprehensive understanding of human-operated ransomware attacks, which are supported by a robust cybercrime gig economy. Microsoft has a unique understanding of these risks because of its close observation of threat actors, research into actual ransomware attacks, and knowledge gleaned from the billions of signals the Microsoft cloud analyzes daily. For instance, it tracks human-operated ransomware operations as a series of harmful behaviors that end with ransomware deployment, rather than as individual malware payloads.

Microsoft improved the AI-based protections in Microsoft Defender for Endpoint with various specialized machine learning techniques that find and swiftly incriminate—that is, determine malicious intent with high confidence—malicious files, processes, or behavior observed during active attacks. This was done to stop human-operated ransomware attacks as early as possible.

Early incrimination of entities, including files, user accounts, and devices, is a complex mitigation strategy that calls for an analysis of the attack context and related actions, both on the targeted device and within the organization. To assess whether an entity is connected to an ongoing ransomware attack, Defender for Endpoint integrates three levels of AI-informed inputs, each of which produces a risk score:

  • Analyzing alerts over time and statistically to search for abnormalities at the organizational level
  • Aggregation of suspicious events across devices in the company using a graph framework to spot malicious behavior on a group of devices
  • Monitoring at the device level to confidently spot suspicious behavior

For instance, Defender for Endpoint was able to identify and incriminate a ransomware attack early in its encryption phase, when the attackers had encrypted files on less than four percent (4%) of the organization’s devices, demonstrating an improved ability to stop an attack and safeguard the organization’s remaining devices. This incident is an excellent example of the significance of swiftly incriminating suspicious entities and stopping a human-operated ransomware operation in its tracks.

Fig 1. A chart showing how Microsoft Defender for Endpoint detected a ransomware attack when 3.9% of the organization’s devices had encrypted data | Source:

This event demonstrates how ransomware attacks can be mitigated within an organization by quickly identifying suspicious files and processes. Once a target has been incriminated, Microsoft Defender for Endpoint halts the attack via feedback-loop blocking, which uses Microsoft Defender Antivirus to stop the threat on endpoints within the organization. Defender for Endpoint then protects other organizations using the threat intelligence obtained during the ransomware attack.

Fig 2. Overview of Microsoft Defender Antivirus’s incrimination and blocking using cloud-based machine learning classifiers | Source:

Organization-level detection of alert anomalies

A human-operated ransomware attack generates a great deal of noise on the affected systems. During this period, solutions like Defender for Endpoint observe numerous malicious artifacts and activities across multiple devices and raise many alerts, causing an alert spike. The attack depicted in Figure 3 targeted a single organization.

Fig 3. Graph displaying an increase in alerts during a ransomware attack | Source:

To detect an organization-level attack, Defender for Endpoint uses statistical analysis to find any substantial rise in alert volume and time-series analysis to track how alerts accumulate. When alerts spike, Defender for Endpoint examines the associated alerts and applies a sophisticated machine learning model to separate genuine ransomware attacks from spurious alert spikes.

If the alerts involve activity indicative of a ransomware attack, Defender for Endpoint searches for suspicious entities to incriminate based on their relevance to the attack and propagates that incrimination throughout the enterprise. Organization-level detection is shown in Figure 4.
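The two steps just described, an alert-volume spike test followed by a check on what the spiking alerts actually contain, as an added illustration that is not code from Microsoft or the original article. The hourly counts, alert titles and thresholds are constructed for this example; Defender's real model and alert names are not public here.

```python
from statistics import median

# Constructed hourly alert counts for one organization over 24 hours; hours
# 18-20 carry the kind of alert spike the text describes. Not real telemetry.
ALERT_COUNTS = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4, 5, 3,
                4, 2, 3, 5, 4, 3, 41, 67, 88, 4, 3, 2]

# Constructed alert titles keyed by hour; the names are assumptions for the
# example, not Defender's own alert titles.
ALERTS_BY_HOUR = {
    18: ["Suspicious file rename burst"] * 30 + ["Unusual sign-in"] * 11,
    19: ["Suspicious file rename burst"] * 50 + ["Backup service stopped"] * 17,
    20: ["Suspicious file rename burst"] * 80 + ["Possible lateral movement"] * 8,
}
RANSOMWARE_INDICATIVE = {"Suspicious file rename burst", "Backup service stopped",
                         "Possible lateral movement"}

def robust_z(value, history):
    """Median/MAD z-score, so an earlier spike hour does not inflate the baseline."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 1.0)   # floor so a flat baseline cannot divide by ~0
    return (value - med) / scale

def spike_hours(counts, window=12, z_threshold=6.0, min_count=10):
    """Hours whose alert count is an outlier against the preceding window."""
    return [i for i in range(window, len(counts))
            if counts[i] >= min_count
            and robust_z(counts[i], counts[i - window:i]) >= z_threshold]

def ransomware_fraction(hours, alerts_by_hour):
    """Share of alerts in the spike hours that carry ransomware-indicative titles."""
    titles = [t for h in hours for t in alerts_by_hour.get(h, [])]
    if not titles:
        return 0.0
    return sum(t in RANSOMWARE_INDICATIVE for t in titles) / len(titles)

def assess_organization(counts, alerts_by_hour, min_fraction=0.6):
    """Return (spike_hours, attack_suspected). A spike alone is not enough;
    the alerts inside it must look like ransomware activity before the
    organization is treated as under attack."""
    hours = spike_hours(counts)
    frac = ransomware_fraction(hours, alerts_by_hour)
    return hours, bool(hours) and frac >= min_fraction
```

A burst of unrelated alerts (a noisy deployment, say) would clear the spike test but fail the content test, which is the separation between genuine and spurious spikes the text refers to.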

Fig 4. Introduction to organizational anomaly detection | Source:

Detecting suspicious activities on a single device with high confidence

The last detection category is finding suspicious behavior on a single device with high confidence. Using suspicious signals from just one device, it may be possible to detect a ransomware attack that employs evasion strategies such as spreading its activity over time and across seemingly unrelated processes. If defenses do not perceive these processes as connected, such an attack may go undetected, and if the signals for each link in the process chain are not strong enough on their own, no alerts will be generated.
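To make the evasion problem concrete, here is an added example (not Microsoft's code) of why per-chain scoring misses an attack split across two process chains launched hours apart, and how correlating those chains on the same device recovers the detection. The events, signal names, weights, thresholds and the six-hour correlation window are all constructed assumptions.

```python
from collections import defaultdict

ALERT_THRESHOLD = 10       # a single process chain must reach this to raise an alert
DEVICE_THRESHOLD = 15      # combined score for chains correlated on one device
WINDOW_SECONDS = 6 * 3600  # correlate chains that started within six hours

# Constructed process-start events on one device: (time_s, pid, ppid, signal, weight).
# Signal names and weights are assumptions for illustration, not Defender's.
EVENTS = [
    (0,     100, 1,   "unsigned-binary-dropped", 3),
    (30,    101, 100, "service-config-changed",  4),
    (14400, 200, 1,   "scheduled-task-launch",   2),   # four hours later
    (14430, 201, 200, "mass-file-rename",        4),
    (14460, 202, 201, "backup-service-stopped",  3),
]

def build_chains(events):
    """Group events into process chains by following pid -> ppid links."""
    parent = {pid: ppid for _, pid, ppid, _, _ in events}

    def root(pid):
        while parent.get(pid) in parent:   # walk up until the parent is unknown
            pid = parent[pid]
        return pid

    chains = defaultdict(list)
    for ev in sorted(events):              # time order, so chain[0] is the earliest
        chains[root(ev[1])].append(ev)
    return list(chains.values())

def chain_score(chain):
    return sum(w for *_, w in chain)

def per_chain_alerts(chains):
    """Classic per-chain detection: only chains above ALERT_THRESHOLD alert."""
    return [c for c in chains if chain_score(c) >= ALERT_THRESHOLD]

def device_level_detection(events):
    """Sum the scores of all chains on the device that started inside one
    WINDOW_SECONDS span; return (best_score, detected)."""
    chains = sorted(build_chains(events), key=lambda c: c[0][0])
    best = 0
    for i, anchor in enumerate(chains):
        start = anchor[0][0]
        related = [c for c in chains[i:] if c[0][0] - start <= WINDOW_SECONDS]
        best = max(best, sum(chain_score(c) for c in related))
    return best, best >= DEVICE_THRESHOLD
```

Each chain scores 7 and 9, below the per-chain threshold, so `per_chain_alerts` stays silent; the device-level pass sees 16 inside the window and fires. Pushing the second chain outside the window drops the combined score back to 9, which is the trade-off the window length controls.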

Fig 5. The evasion activity consisted of two distinct process chains that executed at different times.


AI and machine learning provide creative ways to identify complex threats that are notorious for using cutting-edge tools and strategies to remain persistent and elusive. Attackers in human-operated campaigns make decisions based on what they learn about the environments they infiltrate. Because these attacks include a human component, attack strategies vary and evolve based on the particular opportunities attackers see for privilege escalation and lateral movement. This advanced detection method bolsters the existing ransomware defenses provided by Microsoft 365 Defender. This growing attack disruption capability is a prime example of Microsoft’s dedication to using AI to investigate cutting-edge threat detection techniques and strengthen organizational defenses against an ever-changing threat landscape.

This article was written as a summary by Marktechpost Staff based on the Microsoft article 'Improving AI-based defenses to disrupt human-operated ransomware'. All credit for this research goes to the researchers on this project. Check out the blog post.


Prathamesh Ingle is a Consulting Content Writer at MarktechPost. He is a Mechanical Engineer working as a Data Analyst. He is also an AI practitioner and certified Data Scientist with an interest in applications of AI. He is enthusiastic about exploring new technologies and advancements and their real-life applications.