From 9571806352b370e728878663b4785a2d7eb31af5 Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Mon, 17 Aug 2020 19:03:42 +0200
Subject: [PATCH] Typo correction: spell NTLM correctly (not NTML)

Switch the letter ordering of the word "NTLM" in the Example 2 subheading so it becomes correct:
- old spelling "Example 2: NTML relay - Juicy Potato malware variant"
- new spelling: "Example 2: NTLM relay - Juicy Potato malware variant"

Closes #8081
---
 .../microsoft-defender-atp/behavioral-blocking-containment.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 04569f6785..4fc887a605 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -90,7 +90,7 @@ While the attack was detected and stopped, alerts, such as an "initial access al
 
 This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
 
-### Example 2: NTML relay - Juicy Potato malware variant
+### Example 2: NTLM relay - Juicy Potato malware variant
 
 As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.