December 2, 2023

Microsoft has announced that the Defender for endpoint contain user feature is now available to a wider pool of organizations.

The feature aims to disrupt human-operated attacks like ransomware, business email compromise, and adversary-in-the-middle, which start with compromised user accounts.

The “contain user” feature correlates signals across Microsoft 365 Defender workloads (identities, endpoints, email, and SaaS apps) to detect the initial phase of an attack and block it.


This will be achieved by containing the compromised users across all devices to outmaneuver attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration, and encrypting remotely.

This feature is on-by-default, which will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them. Even if a user has the highest permission level and would normally be outside a security control’s purview, the attacker will still be restricted from accessing any device in the organization.

Depending on the attack scenario and stage, the triggered actions to contain the user might involve preventing the compromised user account to sign into other systems, disconnecting or terminating active sessions, intercepting SMB activity, etc that prevents lateral movement.


Attack disruption covers the most prevalent, complex attacks, including BEC and adversary-in-the-middle. This also provides security operations analysts with extra time to locate, identify, and remediate the threat to the compromised identity.

The feature is currently available to customers with Microsoft Defender for Endpoint Plan 2 and associated bundles, Defender for Business standalone and associated bundles, and works only for onboarded devices.

Leave a Reply

%d bloggers like this: