Example of Microsoft Defender ATP integrations

image

I received an incident warning from my Microsoft Defender ATP recently. Turns out that I had downloaded a phishing PDF attachment to see where it was trying to point me. I was careful, and checked it closely before downloading. However, Defender ATP also picked up the fact that I had downloaded it and jumped into action.

I was curious to see how it had detected it as a threat, as the PDF file itself was harmless; it was just that the link it contained, and tried to get you to click on, took you to a fake Microsoft 365 login page. Turns out that Defender ATP also uses third-party indicators like VirusTotal, as highlighted above.

image

When I clicked on the link Defender ATP provided, it took me to the VirusTotal site as shown above. Here you can see that the file was detected as phishing by four common engines.
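The same triage can be done by hand before Defender gets involved: pull the link out of the PDF without rendering it, hash the file, and read the VirusTotal file report that Defender links to. The script below is an added example, not code from the post or from Microsoft; the PDF and the VirusTotal response it works on are constructed samples (the `login-microsoft365.example` domain is a hypothetical placeholder, not a real indicator), and the response follows the shape of the VirusTotal v3 `/files/{sha256}` report, which is fetched with a GET and an `x-apikey` header.

```python
"""Offline triage of a suspected phishing PDF: extract its link targets,
hash it, and summarise a VirusTotal v3 file report. Added example; all
inputs below are constructed samples, not real indicators."""
import hashlib
import json
import re

# Constructed minimal PDF whose only payload is a link annotation pointing
# at a lookalike Microsoft 365 login page (hypothetical domain).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://login-microsoft365.example/verify) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Literal-string /URI entries inside uncompressed PDF objects.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return the /URI targets in a PDF without opening it in a viewer.
    Handles literal-string URIs in plain objects, which covers simple
    mail-borne phishing PDFs; links hidden in compressed object streams
    would need a full PDF parser."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file, the identifier VirusTotal keys reports on."""
    return hashlib.sha256(data).hexdigest()


def vt_report_url(sha256: str) -> str:
    """VirusTotal v3 file-report endpoint (GET, x-apikey header)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


# Constructed sample of a v3 file report, trimmed to the fields used here:
# four engines flag the file, and every verdict string mentions phishing.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "type": "file",
        "id": sha256_hex(SAMPLE_PDF),
        "attributes": {
            "last_analysis_stats": {
                "malicious": 4, "suspicious": 0, "undetected": 60, "harmless": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Phishing.PDF.Generic"},
                "EngineB": {"category": "malicious", "result": "Trojan.PDF.Phish"},
                "EngineC": {"category": "malicious", "result": "PDF:Phishing-gen"},
                "EngineD": {"category": "malicious", "result": "Phish.Link"},
                "EngineE": {"category": "undetected", "result": None},
            },
        },
    }
})


def summarize_verdict(report_json: str) -> dict:
    """Reduce a v3 file report to counts plus the engines calling it phishing."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    flagged = {name: r.get("result") for name, r in results.items()
               if r.get("category") in ("malicious", "suspicious")}
    phishing = sorted(name for name, verdict in flagged.items()
                      if verdict and "phish" in verdict.lower())
    return {
        "malicious": stats.get("malicious", 0),
        "engines": sum(stats.values()),
        "flagged": flagged,
        "phishing_engines": phishing,
    }


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_PDF)
    print("links in PDF:", extract_uris(SAMPLE_PDF))
    print("sha256:", digest)
    print("report:", vt_report_url(digest))
    verdict = summarize_verdict(SAMPLE_VT_RESPONSE)
    print(f"{verdict['malicious']}/{verdict['engines']} engines flag it;",
          "phishing verdicts from", verdict["phishing_engines"])
```

Extracting the link with a regex rather than a viewer is the point: you learn where the PDF points without any chance of the viewer following it. Treat the regex as a first pass only, since a PDF that stores its annotations in a compressed object stream will show no `/URI` at all in the raw bytes.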

The more you look at Defender ATP the more extensive it is. If you haven’t taken a look at everything it can do I strongly encourage you to do so.
