Sophos MDR: New Analyst Response Actions for Microsoft 365


Powerful new response capabilities reduce risk — and work — for you and your customers.

Businesses of all sizes are increasingly reliant on productivity tools like Microsoft 365 — and attackers are using this to their advantage. Organizations need 24/7 visibility and a fully staffed SOC team to effectively defend against attacks — which is a major challenge for many resource-constrained businesses.

Sophos MDR provides the people, processes, and technology to detect, investigate, and effectively respond to threats targeting Microsoft 365. Our turnkey integrations and proprietary detection rules identified and thwarted almost 5,000 attacks on Microsoft 365 environments last quarter alone.

We continually innovate and enhance Sophos MDR, and today, we’re excited to announce that the service is getting even stronger with the introduction of new response capabilities.

New analyst response actions for Microsoft 365

The ability to respond quickly to a cyber incident is crucial — the faster the attack can be detected, contained, and neutralized, the less damage the attacker can inflict. Now, when an attack is detected in a customer’s Microsoft 365 environment, Sophos MDR analysts can execute a range of additional response actions, rapidly containing the threat and freeing up time for you and the customer.

Microsoft 365 response actions now available

Block / enable user sign-in
Sophos MDR analysts can lock down a user’s account to prevent an adversary from accessing Microsoft 365 services and Azure resources using stolen credentials. Following clean-up, access to the user’s account can be restored in seconds.
Terminate current user sessions
By immediately revoking all currently active sessions for a specific user, Sophos MDR analysts can quickly eject an attacker who has already gained access to an account and remove their ability to reuse any stolen session tokens. 
Disable suspicious inbox rules
Attackers routinely set up inbox rules in Microsoft 365 for business email compromise attacks in order to move, obfuscate, or delete emails that could otherwise alert the user. Sophos MDR analysts can disable specific inbox rules to regain control. 
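The three containment steps described above are the ones an in-house administrator would also perform by hand. The script below is an added example and is not Sophos code or a description of how Sophos MDR implements these actions; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users, Microsoft.Graph.Users.Actions) and the ExchangeOnlineManagement module are installed, and the user principal name passed as $Upn is a placeholder for the compromised account. The inbox-rule heuristics (delete, hide, forward, redirect) are the author's own assumptions, not Sophos's detection rules.

```powershell
# Added example, not Sophos code. Contain a compromised Microsoft 365 account:
# 1) block sign-in, 2) revoke active sessions, 3) disable suspicious inbox rules.
# Run as an admin with User.ReadWrite.All (Graph) and Exchange Online mailbox rights.
param(
    [Parameter(Mandatory)] [string] $Upn,   # placeholder, e.g. user@contoso.example
    [switch] $Restore                       # re-enable sign-in after clean-up
)

# User.ReadWrite.All covers both the accountEnabled update and revokeSignInSessions.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

function Set-SignInBlocked {
    param([string] $UserId, [bool] $Blocked)
    # accountEnabled=false stops new token issuance for Microsoft 365 and Azure.
    # Tokens already issued stay valid until revoked or expired, hence step 2.
    Update-MgUser -UserId $UserId -AccountEnabled:(-not $Blocked)
}

function Revoke-AllSessions {
    param([string] $UserId)
    # Resets signInSessionsValidFromDateTime: refresh tokens and session cookies
    # issued before now are rejected. Existing access tokens live until expiry
    # (typically up to about an hour), so keep sign-in blocked meanwhile.
    Revoke-MgUserSignInSession -UserId $UserId
}

function Get-SuspiciousInboxRule {
    param([string] $Mailbox)
    # Heuristics (assumption, not Sophos's logic): BEC rules usually delete,
    # hide (move to a rarely read folder), forward or redirect incoming mail.
    Get-InboxRule -Mailbox $Mailbox | Where-Object {
        $_.Enabled -and (
            $_.DeleteMessage -or
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            ($_.MoveToFolder -and
             $_.MoveToFolder -match 'RSS|Deleted|Archive|Conversation History')
        )
    }
}

if ($Restore) {
    # Following clean-up: restore access without touching the mailbox rules again.
    Set-SignInBlocked -UserId $Upn -Blocked $false
    Write-Host "Sign-in re-enabled for $Upn"
    return
}

# Step 1: block sign-in so stolen credentials cannot obtain new tokens.
Set-SignInBlocked -UserId $Upn -Blocked $true

# Step 2: eject anyone currently signed in and invalidate stolen session tokens.
Revoke-AllSessions -UserId $Upn

# Step 3: disable (do not delete) suspicious rules so they remain as evidence,
# and export what was found for the incident record.
$suspects = @(Get-SuspiciousInboxRule -Mailbox $Upn)
foreach ($rule in $suspects) {
    Write-Host ("Disabling rule '{0}': {1}" -f $rule.Name, $rule.Description)
    Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
}
$suspects |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo |
    Export-Csv -Path ".\inbox-rules-$($Upn -replace '[@.]', '_').csv" -NoTypeInformation
```

Usage: `.\Contain-M365User.ps1 -Upn user@contoso.example` to contain, then `.\Contain-M365User.ps1 -Upn user@contoso.example -Restore` once the account is cleaned up. Disabling rather than removing rules keeps the rule definitions available for the investigation, and the exported CSV gives the analyst a record of exactly which rules were touched.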


Easy setup in Sophos Central

The new response capabilities for Microsoft 365 are included with all Sophos MDR service tiers at no additional cost and can be enabled in minutes by activating a new integration in Sophos Central.

Threat response modes

Sophos provides the flexibility for your customers, and for Sophos MSPs, to choose how our MDR team will interact with them when a cyber incident requires a response, by selecting their preferred threat response mode:

  • “Authorize” mode: Our experts perform threat response without prior consent or active involvement from the customer or MSP. Once the new Microsoft 365 response actions integration is enabled, Sophos MDR analysts will immediately execute those actions when needed, to provide the most efficient response.
  • “Collaborate” mode: Our experts conduct investigations, but do not take response actions without prior consent or active involvement from the customer or MSP. Once the new Microsoft 365 response actions integration is enabled, Sophos MDR analysts will execute those actions only once consent has been obtained. Customers and MSPs can also choose to allow Sophos MDR to operate in “Authorize” mode if we are unable to reach them for consent.


The most robust MDR service for Microsoft environments

Sophos MDR services protect over 30,000 organizations – more than any other MDR service provider in the world. In Gartner’s 2024 Voice of the Customer Report for Managed Detection and Response Services, Sophos once again had the highest number of reviews among all vendors and scored a 4.9/5.0 rating based on customer reviews.

Many of these businesses have also invested in Microsoft tools, leveraging Sophos MDR to defend against sophisticated attacks that technology alone can’t stop.

Microsoft Certified experts
Organizations can extend their in-house teams with Microsoft Certified Security Operations Analysts specializing in detecting and responding to cyberattacks using custom Microsoft response playbooks.
Microsoft-specific threat detections
Sophos uses proprietary threat detection rules and world-class intelligence to identify and stop threats that could bypass Microsoft security solutions. We can accurately identify suspicious inbox rules, unauthorized user access patterns, and more.
NEW: Analyst response actions for Microsoft 365
Sophos MDR analysts can execute a range of additional response actions, enabling rapid containment of threats with no action required by the customer or MSP. Disable user sign-in, terminate active user sessions, and more.
Comprehensive support for Microsoft solutions
Included with Sophos MDR at no additional cost, our turnkey integrations support a broad range of Microsoft solutions. Data from Microsoft 365, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and more, is collected, analyzed, correlated, and prioritized.


To learn more about Sophos MDR and how it can strengthen your customers’ defenses for Microsoft 365, visit www.sophos.com/mdr-microsoft and access the Sophos Partner portal for valuable product and sales resources.


Coming soon: Microsoft 365 response actions for Sophos XDR

The new analyst response actions for Microsoft 365 are now generally available for Sophos MDR. And, coming soon, organizations with their own in-house security operations teams will have access to these same powerful capabilities in the Sophos XDR platform. Customers and MSPs will be able to enable/disable M365 user logins, terminate user sessions, and disable suspicious inbox rules directly from the Threat Analysis Center in Sophos Central. We expect the new capabilities to be generally available for Sophos XDR at the end of May.



Gartner, Voice of the Customer for Managed Detection and Response, Peer Contributors, 28 November 2024.

GARTNER is a registered trademark and service mark, and the GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge and PEER INSIGHTS are trademarks and service marks, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.