Microsoft Defender Bolsters Security with ‘Contain User’ Tool to Stop Threats in Their Tracks

New Tool in Defender for Endpoint Locks Down Suspicious User Accounts to Prevent Malicious Activity

The concept behind this feature is known as “attack disruption,” which involves containing compromised users across all devices to outmaneuver attackers. By preventing malicious actions such as lateral movement, credential theft, data exfiltration, and remote encryption, this capability adds an extra layer of security.

Rob Lefferts, Corporate Vice President for Microsoft 365 Security, explained, “This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them.”