March 12, 2026 | mitre, security, m365

Microsoft Defender MITRE ATT&CK on Microsoft 365

A few weeks ago I decided to stop thinking of Microsoft Defender as just an endpoint product and explore how it behaves as part of the Microsoft 365 ecosystem. Through the Microsoft 365 Developer Program (developer.microsoft.com) I have access to an M365 E5 sandbox tenant — and that was more than enough to spend hours inside the Microsoft 365 Defender portal (now called Microsoft Defender XDR).

What I found is a cloud-native XDR approach that fundamentally changes how you think about MITRE coverage.

Microsoft 365 Defender — Portal Navigation

The Microsoft 365 Defender Portal

📍 security.microsoft.com → Incidents & alerts → Incidents → [select incident] → Attack story → MITRE ATT&CK tab

The unified portal at security.microsoft.com aggregates signals from across the suite: endpoints, email, identity, and cloud apps. What immediately caught my attention is the MITRE ATT&CK tab built directly into incidents: every alert is automatically mapped to tactics and techniques, with links to the MITRE knowledge base.

Advanced Hunting allows KQL queries across events from multiple products. In a purely cloud environment, you can hunt for T1078 (Valid Accounts) across endpoints, identity, and cloud workloads simultaneously — no console switching required.

💡 The MITRE view in the portal is interactive: clicking on a tactic shows techniques detected in your specific tenant, not the theoretical product coverage. That's actually useful for understanding real gaps.
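As an added example (not code from the post), here is an Advanced Hunting query that produces the same "what actually fired in this tenant" view in tabular form: it expands the AttackTechniques array on the AlertInfo table and counts, per technique, how many alerts fired and which products (ServiceSource) raised them. The 30-day window is an arbitrary assumption.

```kql
// Added example: which ATT&CK techniques have actually been detected in this
// tenant, and by which Defender products, over the last 30 days (arbitrary window).
// AttackTechniques is a JSON array of strings such as "Valid Accounts (T1078)".
AlertInfo
| where Timestamp > ago(30d)
| where isnotempty(AttackTechniques)
// one row per (alert, technique) pair
| mv-expand Technique = parse_json(AttackTechniques) to typeof(string)
// pull the technique or sub-technique ID out of the parenthesised suffix
| extend TechniqueId = extract(@"\((T\d{4}(?:\.\d{3})?)\)", 1, Technique)
| where isnotempty(TechniqueId)
| summarize Alerts = count(),
            Products = make_set(ServiceSource),
            ProductCount = dcount(ServiceSource),
            LastSeen = max(Timestamp)
    by TechniqueId, Technique
// techniques seen by more than one product first: those are the ones the
// cross-product correlation in the unified portal is built around
| order by ProductCount desc, Alerts desc
```

Comparing the TechniqueId column against the product's documented coverage gives the real-vs-theoretical gap the portal tab hints at.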

Defender for Office 365

📍 security.microsoft.com → Email & collaboration → Attack simulation training

Defender for Office 365 (MDO) is the email and collaboration protection layer. Its MITRE relevance is concentrated around Phishing (T1566), spear-phishing via links (T1566.002), and malicious attachments (T1566.001) — all techniques under TA0001 (Initial Access) and TA0043 (Reconnaissance).

Safe Links performs real-time URL detonation and Safe Attachments provides automatic sandboxing, covering the email vector transparently. What isn't immediately obvious: MDO also covers TA0009 (Collection) by detecting auto-forwarding rules, a BEC technique (T1114.003) that's often overlooked.

💡 The portal includes an Attack Simulator that lets you run phishing simulations directly — a solid way to test real coverage without reaching for external tools.

Defender for Endpoint (cloud-managed)

📍 security.microsoft.com → Hunting → Advanced hunting → New query

Defender for Endpoint (MDE) in cloud-managed mode (no on-prem Configuration Manager) is the core of MITRE coverage. As I documented in my previous article, MDE covers 141 out of 218 Enterprise techniques.

In cloud mode, the main difference is onboarding: a few minutes via Intune policy and the sensor is live. Live Response works the same way: a remote session with hunting commands directly on the endpoint, useful for investigating T1059 (Command and Scripting Interpreter) or T1105 (Ingress Tool Transfer) during an incident.

The MITRE coverage numbers are the same as standalone MDE — that's the data powering the unified portal matrix. The cloud difference is in integration: an MDE alert is automatically correlated with MDO and Defender for Identity signals into a single incident.

Defender for Cloud Apps & Secure Score

📍 security.microsoft.com → Cloud apps → App governance / Policies

📍 security.microsoft.com → Exposure management → Secure score

Defender for Cloud Apps (MDCA) adds the CASB dimension: visibility into SaaS apps used in the tenant, shadow IT detection, and policy enforcement on anomalous behaviors like bulk downloads (T1530, Data from Cloud Storage) or sign-ins from unusual locations (T1078).

What surprised me was the integrated Secure Score: it's not just a posture number, it suggests concrete actions mapped to MITRE controls. Enabling MFA for all admins, for instance, is presented as a direct mitigation for T1078.004 (Cloud Accounts).

The developer-friendly part: through the Microsoft 365 Developer Program at developer.microsoft.com you get a free E5 sandbox tenant to explore all of this. The telemetry volume and KQL query depth are genuinely impressive for a cloud-managed product.

The main takeaway after this exploration: the difference from standalone MDE isn't in MITRE coverage of individual techniques, but in cross-product correlation. An attack that moves from email to endpoint to identity is tracked as a single incident with a consolidated timeline. In an on-prem environment with separate products, that requires a dedicated SIEM; in M365, it's built in.