Microsoft Defender: Security at Risk Accounts

Microsoft Defender for Endpoint now uses automatic attack interruption to isolate compromised user accounts. This helps block lateral movement in direct attacks through a new “contain user” feature, which is currently in public preview.

In such incidents, as in human-operated ransomware, threat actors penetrate networks and spread sideways using stolen accounts to deploy malicious payloads.

Strengthening Security Against Lateral Attacks.

According to Microsoft, Defender for Endpoint now prevents attackers from moving sideways within victims’ IT infrastructure, both on-premises and in the cloud. It does this by temporarily isolating the compromised user accounts.

“With attack interruption, we contain compromised users across all devices, stopping attackers before they can perform malicious actions,” said Rob Lefferts, corporate vice president for Microsoft 365 Security.

Active Defense Against Threats

When a threat is detected in the initial phase of a human-operated attack, the automated attack interruption feature blocks it immediately. Defender for Endpoint will simultaneously protect all other devices within the organization by blocking malicious traffic.

“If an identity is embedded, any supported Microsoft Defender for Endpoint device will block inbound traffic in specific protocols while allowing legitimate traffic,” Redmond explained.

Additions and Refinements to Defender

Microsoft added automatic attack interruption to its Microsoft 365 Defender XDR solution in November 2022. This feature helps contain ongoing attacks and automatically isolate affected assets.

“Since August 2023, more than 6,500 devices have been spared encryption by ransomware campaigns,” according to Microsoft’s internal data. Furthermore, since June 2022, Defender for Endpoint can also isolate hacked and unmanaged Windows devices, stopping malicious actors.