Microsoft Defender’s New Tool Stops Account Threats
A significant challenge IT administrators face lately is figuring out when a legitimate user's account is at risk of being misused to deploy harmful software or steal data. To address this, Microsoft has updated Defender for Endpoint with a "contain user" tool, which is currently in public preview.
Put simply, when the tool detects a user account that is behaving suspiciously, Defender for Endpoint isolates that user. It cuts off the account's access to other endpoints and resources, stopping potential damage such as the deployment of ransomware.
Referred to as “attack disruption,” this feature will prevent compromised users from carrying out malicious activities like moving through systems, stealing credentials, extracting data, or encrypting files remotely. Rob Lefferts, Corporate Vice President for Microsoft 365 Security, explained in a blog post that this default capability identifies and isolates compromised users by shutting down their communication with other endpoints.
When the suspicious account is contained, all other endpoints are safeguarded. They go through a process Microsoft calls "inoculation," in which incoming malicious traffic from the contained account is blocked. This leaves the attacker isolated, with no way to communicate. Microsoft said this default action significantly reduces the impact of an attack, giving security analysts more time to find, identify, and deal with the threat linked to the compromised identity.