Sophos MDR is the world’s most trusted MDR service, with hundreds of cybersecurity experts providing 24-7 monitoring, prevention, detection, and response to more than 30,000 organizations worldwide.
While Sophos MDR leverages telemetry from across our customers’ environments to detect and neutralize threats, one of the most significant advantages – and a key differentiator of the Sophos MDR service – is our deep integration with Microsoft 365 for all customers regardless of the Microsoft license they’re using.
This enables us to see and stop more threats faster, while increasing customers’ return on their Microsoft investments.
A tale of two APIs: Graph Security vs. Management Activity
Many MDR providers heavily rely on Microsoft’s Graph Security API, which provides strong detection value – but only for customers who have invested in a premium E5 license.
For the vast majority of customers using other Microsoft 365 licenses – such as Business Basic, Standard, or even Premium licenses – the Graph Security API provides minimal telemetry.
At Sophos, we take the distinct and highly effective approach of also extensively leveraging Microsoft’s Management Activity API, which provides rich audit logs from Exchange Online, SharePoint, and other Microsoft solutions.
Crucially, this API is available across nearly all Microsoft 365 license tiers, meaning even Business Basic customers benefit.
Better data, better outcomes
Sophos MDR ingests these logs and applies proprietary threat detection rules developed by our threat intelligence and engineering teams.
These aren’t “off the shelf” detections. They’re custom-built to identify high-risk scenarios such as session hijacking, phishing, business email compromise inbox rule creation, and credential-stuffing.
Faster responses, thousands of times over
This approach operates at scale, with several thousand confirmed threats surfaced each month from Microsoft data – threats that would otherwise go undetected without an E5 license.
Consider a typical scenario: a user clicks a phishing link, completes multi-factor authentication, and an attacker hijacks the session.
The attacker then creates hidden inbox rules to delete or redirect emails that would otherwise alert the user to suspicious activity such as invoice fraud.
Because the Microsoft Management Activity API sends all the Microsoft 365 audit logs to the Sophos data lake, Sophos detections are able to flag this behavior based on patterns learned from the audit logs – patterns such as multiple operating systems using the same session or known phishing kit indicators of compromise.
More than just detection
While our deep Microsoft integration is a prime example of how Sophos extends protective capabilities, we don’t stop at detection: Sophos MDR can respond natively within the Microsoft environment.
With the customer’s permission, Sophos MDR analysts can take immediate action to remediate threats in Microsoft 365.
Revoking sessions, blocking user sign-ins, and disabling malicious inbox rules – all without requiring customer interaction.
We conduct many hundreds of these automated response actions every month, with hundreds more executed manually when needed.
Learn more
Sophos brings unique, impactful, and rapid response capabilities to Microsoft environments, even for customers on Microsoft 365 basic license plans.
It’s better cybersecurity and a better return on investment.
Visit Sophos.com/MDR-Microsoft for more information.
