Microsoft Defender can automatically contain compromised user accounts

The “contain user” feature select Microsoft Defender for Endpoint customers have been trying out since November 2022 is now available to a wider pool of organizations, Microsoft has announced.

contain compromised user accounts

The feature aims to help organizations disrupt human-operated attacks like ransomware, business email compromise and adversary-in-the-middle, which start – more often than not – with compromised user accounts.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is Microsoft’s enterprise extended detection and response (XDR) solution that detects threats on networks and systems and allows organizations’ security staff to investigate and respond to attacks.

The operators can manage devices enrolled in Microsoft Defender for Endpoint, but also contain potentially compromised devices that are not.

Automatic attack disruption

The “contain user” feature correlates signals across Microsoft 365 Defender workloads (identities, endpoints, email, and SaaS apps) to detect the initial phase of an attack and block it.

“Attack disruption achieves this outcome by containing compromised users across all devices to outmaneuver attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration, and encrypting remotely,” said Rob Lefferts, corporate vice president at Microsoft 365 Security.

“This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them. Even if a user has the highest permission level and would normally be outside a security control’s purview, the attacker will still be restricted from accessing any device in the organization.”

The feature also simultaneously “inoculates” all the remaining devices, thus preventing the attacker from spreading further.

The option of containing users is only available automatically, which means that it’s going disrupt attacks even when the security team is not working.

Depending on the attack scenario and stage, the triggered actions to contain the user might involve preventing the user (compromised account) to sign into other systems, disconnecting or terminating active sessions, intercepting SMB activity, etc. The goal is to prevent lateral movement.


“Attack disruption covers the most prevalent, complex attacks including business email compromise and adversary-in-the-middle. These scenarios each involve a combination of attack vectors like endpoints, email, identities, and apps, posing a significant challenge for security teams to pinpoint where the attack is coming from,” Lefferts noted.

Automatic attack disruption provides security operations analysts with extra time to locate, identify and remediate the threat to the compromised identity.

The feature is currently available to customers with Microsoft Defender for Endpoint Plan 2 and associated bundles, and Defender for Business standalone and associated bundles, and works only for onboarded devices.

Don't miss