The concept behind this feature is known as “attack disruption”: containing compromised user accounts across all of their devices in order to outmaneuver attackers. By blocking malicious actions such as lateral movement, credential theft, data exfiltration, and remote encryption, this capability adds an extra layer of security.
Rob Lefferts, Corporate Vice President for Microsoft 365 Security, explained, “This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them.”