// SCENARIO
A nation-state-affiliated threat actor targets a mid-to-large enterprise to harvest intellectual property and financial data. The campaign uses adversary-in-the-middle (AiTM) MFA bypass, credential abuse, cloud-native lateral movement, and ultimately insider-leveraged exfiltration — all realistic TTPs mapped to MITRE ATT&CK. Each stage demonstrates where Microsoft's XDR stack, Purview, and Entra ID intercept, detect, or prevent the attack.
Campaign at a glance: 7 attack stages, 21 MITRE TTPs, 9 attacker tools, 11 Microsoft controls, 3 product pillars, E5 licensing (full coverage).
Attack Kill Chain
01 Initial Access (T1566 / T1078)
02 AiTM & MFA Bypass (T1557 / T1539)
03 Privilege Escalation (T1548 / T1134)
04 Lateral Movement (T1534 / T1021)
05 Discovery & Recon (T1087 / T1083)
06 Data Exfiltration (T1567 / T1048)
07 Persistence (T1098 / T1136)
Full Kill Chain — Attack vs. Defense Matrix
Top Attacker Tools by Category
Microsoft Security Solutions — Role in This Campaign