Microsoft Defender Bolsters Security with ‘Contain User’ Tool to Stop Threats in Their Tracks

New Tool in Defender for Endpoint Locks Down Suspicious User Accounts to Prevent Malicious Activity

Microsoft is addressing one of the major challenges faced by IT teams – identifying compromised user accounts and preventing them from being exploited by hackers. In the latest update to Defender for Endpoint, Microsoft introduces a powerful tool called “contain user” aimed at achieving just that.

Currently available in public preview, the “contain user” tool in Microsoft Defender for Endpoint is designed to isolate potentially compromised user accounts. When Defender for Endpoint detects suspicious behavior associated with a user account, it isolates that user, cutting off the account's access to other endpoints and resources. The goal is to halt a threat before it can inflict further damage, such as deploying ransomware.

The concept behind this feature is known as “attack disruption,” which involves containing compromised users across all devices to outmaneuver attackers. By preventing malicious actions, like lateral movement, credential theft, data exfiltration, and remote encryption, this capability adds an extra layer of security.

Rob Lefferts, Corporate Vice President for Microsoft 365 Security, explained, “This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them.”

While the suspicious account is isolated, all other endpoints are fortified, with incoming malicious traffic blocked. This effectively leaves the threat actor with no communication options.

Microsoft elaborated, “When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify, and remediate the threat to the compromised identity.”
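To make the containment logic concrete, the following is an added illustrative model of the behavior described above. It is not Microsoft's code and does not call any Defender API; the log format, endpoint names, user names, and function names are constructed for the example. It parses sample connection telemetry, finds every endpoint where the contained identity has activity, and applies the per-device rule the article describes: inbound network logon, RPC, SMB and RDP from a contained identity are blocked, while traffic from other identities and other protocols passes.

```python
import re
from dataclasses import dataclass

# Inbound protocols the article says an onboarded device blocks for a contained identity.
CONTAINED_BLOCKED_PROTOCOLS = {"NETWORK_LOGON", "RPC", "SMB", "RDP"}

# Constructed sample telemetry (not real product output): one line per connection
# attempt, as recorded by the endpoint that received it.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z endpoint=WS-01 user=CONTOSO\\jdoe proto=RDP dir=inbound
2024-06-01T10:00:05Z endpoint=FS-02 user=CONTOSO\\jdoe proto=SMB dir=inbound
2024-06-01T10:00:09Z endpoint=DC-01 user=CONTOSO\\jdoe proto=NETWORK_LOGON dir=inbound
2024-06-01T10:00:12Z endpoint=FS-02 user=CONTOSO\\asmith proto=SMB dir=inbound
2024-06-01T10:00:20Z endpoint=WS-01 user=CONTOSO\\jdoe proto=HTTPS dir=outbound
2024-06-01T10:00:31Z endpoint=APP-03 user=CONTOSO\\jdoe proto=RPC dir=inbound
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    endpoint: str   # device that observed the connection attempt
    user: str       # identity presented by the connecting party
    protocol: str
    direction: str  # "inbound" or "outbound" from the endpoint's point of view


_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(log: str) -> list[Event]:
    """Parse the constructed key=value telemetry format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(_KV.findall(rest))
        events.append(Event(timestamp, fields["endpoint"], fields["user"],
                            fields["proto"], fields["dir"]))
    return events


def endpoints_with_activity(events: list[Event], user: str) -> set[str]:
    """Every endpoint where the identity has associated activity: the set of
    devices on which containment must be enforced."""
    return {e.endpoint for e in events if e.user == user}


def decide(event: Event, contained_users: set[str]) -> str:
    """Per-device rule: block inbound attack-related protocols from a contained
    identity; everything else (other users, outbound, other protocols) is allowed."""
    if (event.user in contained_users
            and event.direction == "inbound"
            and event.protocol in CONTAINED_BLOCKED_PROTOCOLS):
        return "block"
    return "allow"


def enforce(events: list[Event], contained_users: set[str]) -> list[tuple[str, str, str]]:
    """Apply the rule to every event, returning (endpoint, protocol, decision)."""
    return [(e.endpoint, e.protocol, decide(e, contained_users)) for e in events]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    contained = {"CONTOSO\\jdoe"}
    print("enforce on:", sorted(endpoints_with_activity(evs, "CONTOSO\\jdoe")))
    for endpoint, proto, decision in enforce(evs, contained):
        print(f"{endpoint:7} {proto:14} {decision}")
```

Note that containment keys on the identity, not on a single device: the model first enumerates every endpoint with activity for the contained user, which is why a compromised account cannot simply move to a different host to continue.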