Security News > 2023 > October > Microsoft Defender can automatically contain compromised user accounts

The feature aims to help organizations disrupt human-operated attacks like ransomware, business email compromise and adversary-in-the-middle, which start - more often than not - with compromised user accounts.

Microsoft Defender for Endpoint is Microsoft's enterprise extended detection and response solution that detects threats on networks and systems and allows organizations' security staff to investigate and respond to attacks.

The operators can manage devices enrolled in Microsoft Defender for Endpoint, but also contain potentially compromised devices that are not.

The "Contain user" feature correlates signals across Microsoft 365 Defender workloads to detect the initial phase of an attack and block it.

"Attack disruption achieves this outcome by containing compromised users across all devices to outmaneuver attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration, and encrypting remotely," said Rob Lefferts, corporate vice president at Microsoft 365 Security.

"This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them. Even if a user has the highest permission level and would normally be outside a security control's purview, the attacker will still be restricted from accessing any device in the organization."

News URL

https://www.helpnetsecurity.com/2023/10/12/contain-compromised-user-accounts/