Identify persistent threats to your enterprise quickly and swiftly take action to shut down intruders

Case Studies

“Microsoft Advanced Threat Analytics provides maximum value to our security platform, with minimum integration effort.”

Sensoy Sahin, System and Platform Manager, TF Bank



With credential theft becoming prevalent, through phishing and social engineering, it’s no longer enough to protect from the outside.  Attackers may be using internal identities to snoop around and target internal assets, from the inside.

In the face of such attacks, organizations can leverage Advanced Threat Analytics, a solution that would shows and alarms on abnormal user behavior. This is not possible with the traditional security solutions that are in use.

The solution can be easily deployed, without an agent, and without causing any loss of performance.  ATA can be integrated with existing SIEM tools.

Security team can rest assured that they don’t need to write any rules for known attack types –ATA provides a database that is regularly updated for new attack types.

From detecting known malicious attacks to uncovering abnormal activity with machine learning and behavioral analytics, identify advanced persistent threats to your enterprise quickly and take action swiftly with Microsoft Advanced Threat Analytics. Click here to see a recent blog article: " Phishing Campaign Thwarted in 10 Minutes."

ATA looks for these Advanced Attacks

ATA provides detection for the following various phases of an advanced attack:  reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance and others. These detections are aimed at detecting advanced attacks and insider threats before they cause damage to your organization. The detection of each phase results in several suspicious activities relevant for the phase in question, where each suspicious activity correlates to different flavors of possible attacks. These phases in the kill-chain where ATA currently provides detections are highlighted in the image below.


ATA provides multiple reconnaissance detections. These detections include:

  • Reconnaissance using DNS DNS information in the target network is often very useful reconnaissance information. DNS information contains a list of all the servers and often all the clients and the mapping to their IP addresses. Viewing DNS information may provide attackers with a detailed view of these entities in your environment allowing attackers to focus their efforts on the relevant entities for the campaign.
  • Reconnaissance using directory services enumeration Detecting reconnaissance for entities (users, groups, etc.) performed using the SAM-remote protocol to run queries against the domain controllers. This reconnaissance method is prevalent in many types of malware seen in real-world attack scenarios.

Compromised credentials

To provide detection of compromised credentials, ATA leverages both machine-learning based behavioral analytics as well as known malicious attacks and technique detection. Using behavioral analytics and machine learning, ATA is able to detect suspicious activities such as anomalous logins, abnormal resource access, and abnormal working hours which would point to credential compromise. To protect against compromised credentials, ATA detects the following known malicious attacks and techniques:

  • Brute force In brute-force attacks, attackers try to guess user credentials by trying multiple users and pairing them with multiple password attempts. The attackers often use complex algorithms or dictionaries to try as many values as a system allows.
  • Sensitive account exposed in plain text authentication If high-privileged account credentials are sent in plain text, ATA alerts you so that you can update the computer configuration.
  • Service exposing accounts in plain text authentication If a service on a computer is sending multiple account credentials in plain text, ATA alerts you so that you can update the service configuration.
  • Honey Token account suspicious activities Honey Token accounts are dummy accounts set up to trap, identify, and track malicious activity that attempts to use these dummy accounts. ATA alerts you to any activities across these Honey Tokens accounts.
  • Unusual protocol implementation Authentication requests (Kerberos or NTLM) are usually performed using a normal set of methods and protocols. However, in order to successfully authenticate, the request only has to meet a specific set of requirements. Attackers can implement these protocols with minor deviations from the normal implementation in the environment. These deviations may indicate the presence of an attacker attempting to leverage or successfully leveraging compromised credentials.
  • Malicious Data Protection Private Information Request Data Protection API (DPAPI) is a password-based data protection service. This protection service is used by various applications that stores user’s secrets, such as website passwords and file share credentials. In order to support password-loss scenarios, users can decrypt protected data by using a recovery key which does not involve their password. In a domain environment, attackers may remotely steal the recovery key and use it to decrypt protected data in all the domain joined computers.
  • Abnormal Behavior Often in cases of insider threats, as well as advanced attacks, the account credentials may be compromised using social engineering methods or new and not-yet-known methods and techniques. ATA is able to detect these types of compromises by analyzing the entity’s behavior and detecting and alerting on abnormalities of the operations performed by the entity.

Lateral movement

To provide detection of lateral movement, when users take advantage of credentials that provide access to some resources to gain access resources that they are not meant to have access to, ATA leverages both machine-learning based behavioral analytics as well as known malicious attacks and technique detection. Using behavioral analytics and machine learning, ATA detects abnormal resource access, abnormal devices used and other indicators that are evidence of lateral movement. In addition, ATA is able to detect lateral movement by detecting the techniques used by attackers to perform lateral movement, such as:

  • Pass the ticket In pass the ticket attacks, attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by impersonating an entity on your network.
  • Pass the hash In pass the hash attacks, attackers steal the NTLM hash of an entity, and use it to authenticate with NTLM and impersonate that entity and gain access to resources on your network.
  • Over-pass the hash Over-pass the hash are attacks in which the attacker uses a stolen NTLM hash to authenticate with Kerberos, and obtain a valid Kerberos TGT ticket, which is then used to authenticate as a valid user and gain access to resources on your network.
  • Abnormal behavior Lateral movement is a technique often used by attackers, to move between devices and areas in the victim’s network to gain access to privileged credentials or sensitive information of interest to the attacker. ATA is able to detect lateral movement by analyzing the behavior of users, devices and their relationship inside the corporate network, and detect on any abnormal access patterns which may indicate a lateral movement performed by an attacker.

Privilege escalation

ATA detects successful and attempted privilege escalation attacks, in which attackers attempt to increase existing privileges and use them multiple times in order to eventually gain full control over the victim’s environment. ATA enables privilege escalation detection by combining behavioral analytics to detect anomalous behavior of privileged accounts as well as detecting known and malicious attacks and techniques that are often used to escalate privileges such as:

  • MS14-068 exploit (Forged PAC) Forged PAC are attacks in which the attacker plants authorization data in their valid TGT ticket in the form of a forged authorization header that grants them additional permissions that they weren't granted by their organization. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.
  • MS11-013 exploit (Silver PAC) MS11-013 exploit attacks are an elevation of privilege vulnerability in Kerberos which allows for certain aspects of a Kerberos service ticket to be forged. A malicious user or attacker who successfully exploited this vulnerability could obtain a token with elevated privileges on the Domain Controller. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.

Domain dominance

ATA detects attackers attempting or successfully achieving total control and dominance over the victim’s environment by performing detection over known techniques used by attackers, which include:

  • Skeleton key malware In skeleton key attacks, malware is installed on your domain controller that allows attackers to authenticate as any user, while still enabling legitimate users to log on.
  • Golden ticket In golden ticket attacks, an attacker steals the KBTGT's credentials, the Kerberos Golden Ticket. That ticket enables the attacker to create a TGT ticket offline, to be used to gain access to resources in the network.
  • Remote execution Attackers can attempt to control your network by running code remotely on your domain controller.
  • Malicious replication requests In Active Directory (AD) environments replication happens regularly between Domain Controllers. An attacker can spoof AD replication request (sometimes impersonating as a Domain Controller) allowing the attacker to retrieve the data stored in AD, including password hashes, without utilizing more intrusive techniques like Volume Shadow Copy.

For other Microsoft Security solutions see our main Security page.


Enabling Technologies' capabilities provides organizations with secure, cloud communications using Office 365 and Azure. Professional security services include:


Need to refresh your security policy for SaaS, BYOD, and DLP? Enabling’s experts can help.




Do your IT Pros need training on O365/Azure security? Check out our security training courses.




Microsoft’s 400+ cloud security features are off by default. Let us handle the day to day so you can get on with your business.


If monitoring your security alerts is a daunting task, our support team can filter and triage anomalies.




We build a secure, smarter, more connected, more enjoyable workplace using the Microsoft Communications and Collaboration stack. Our perspective from thousands of projects and predictable methodology translates to your successful project. Our award winning Themed Change Management program drives user adoption and acceptance which delivers full value for your UC investment.


We are always looking for dynamic new talent to join our team. If you have a passion for innovation and learning, we encourage you to browse our current openings!

2015 Microsoft Partner of Year


2015 Microsoft Partner of Year

Communications Market Acceleration



Why we won the award…

What technologies we provide users is an important decision, but perhaps the most important question of all is “will they use it?” Enabling’s “Lights, Camera, Adoption!” Organizational Change Management program provides customers with the tools required to successfully drive user acceptance and high adoption of new technologies. Enabling ensures that everyone in the organization is excited to use the new technology with fun and exciting pre-planned deployment plans. Operational Change Management made all the difference with one of Enabling’s local clients. Enabling just finished up working with this new client to deploy Lync Enterprise Voice at over 70 locations with more than 7,000 users. They were able to use the preplanned roll out plans from Enabling Technologies to insure a successful adoption.

Note: Click anywhere outside of this box to close the box.

2012 Microsoft Partner of Year



2012 Microsoft Partner of Year

Unified Communications Solutions. Instant Messaging / Presence / Conferencing / Voice



Why we won the award…

Our client, one of the nation’s leading architecture and engineering firms, wanted to improve customer relationship management. They required their project managers to take notes of customer phone calls in Dynamics’ CRM. However, their PMs only used CRM to log calls, and rarely kept it open and available. Getting to CRM’s call notes page took eight mouse clicks for each phone call, taking time and effort. Many times, the PMs were unwilling or unable to spend the extra time to comply with procedures. Enabling created ETC CRM Sync, which uses Lync APIs to automatically pop a screen to the customer’s CRM page, where the PM can immediate start taking notes. The integration significantly reduced the time and effort it normally takes to log the call notes in CRM. Not only did Enabling’s solution save their project managers time, but the company has much more accurate reporting and a complete call history for all their clients in CRM.

Note: Click anywhere outside of this box to close the box.

2010 Microsoft Partner of Year



2010 Microsoft Partner of Year

Unified Communications Solutions. Instant Messaging / Presence / Conferencing / Voice



Why we won the award…

Our client, a global provider of strategic outsourcing services, looked to Enabling for assistance rolling out Unified Communications to their organization. Depending on the time of year and the status of outsourcing contracts, user counts ranged between 7,000-14,000. They needed to replace their older Avaya PBXs and Voicemail systems. Enabling designed and implemented Lync, including Enterprise Voice, and Exchange Unified Messaging. In addition, Enabling used Lync’s APIs to connect to the client’s attendance/absentee tracking system. When an employee called in sick, Lync’s IVR took the call, prompted the caller to enter an employee ID and reason for absence, then inserted the information into the attendance application. Lync would then place an outcall to other potential substitutes and prompted them to ask if they’d be able to cover the shift. This saved FTEs from having to manually handle the process, and enabled quicker coverage for absenteeism. Lync not only proved to be a reliable voice system, but Enabling turned it into an extensible business enabler.

Note: Click anywhere outside of this box to close the box.