
Microsoft Defender for Endpoint now takes action on suspicious activity automatically: for example, it isolates compromised user accounts from the network and disrupts hands-on-keyboard attacks.

Microsoft Defender for Endpoint is getting significant improvements for enterprise security. Automatic actions immediately isolate user accounts that show suspicious activity, which keeps attackers from moving laterally and spreading malware or ransomware across the entire organization.

The feature is currently in public preview and will be activated automatically for all Microsoft Defender for Endpoint customers once it reaches general availability.

The first parts of the feature were already introduced in the summer of 2022. A blog post at the time described how the endpoint security solution had become better at identifying and intercepting advanced attacks. Microsoft has now turned that detection capability into a feature that acts on the findings and genuinely helps businesses.

How it works

In a video, Microsoft demonstrates how the solution helps during a hands-on-keyboard attack. The attacker first compromises an administrator account on a device that is not onboarded to Microsoft Defender for Endpoint. However, all devices the account subsequently interacts with are onboarded to the security solution.

Before launching the attack proper, the attacker extends access into the corporate environment by connecting to a domain controller. From there, the attacker gets hold of two domain administrator accounts and can thus reach the company's entire digital environment.

From there, the attacker intends to move laterally through the organization to spread malware to as many devices as possible. However, attempts to harvest additional login credentials are blocked by the antivirus component. Microsoft Defender for Endpoint then intervenes further: it detects the lateral movement and isolates the account that tried to access the domain controller, so that logging in with that account is no longer possible.

Attackers naturally anticipate this from the start and create a new account as soon as they have taken over the administrator account. That account is new and has not yet been flagged for suspicious activity. Microsoft's solution, however, knows that the new account is linked to the account that was just isolated and therefore blocks the new account as well.
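The two rules described above (a contained account can no longer log on to onboarded devices, and an account created by a contained account is contained too) can be modelled over a stream of Windows security events. The following is an added illustration, not Microsoft's code and not a description of how Defender for Endpoint is implemented internally: the event IDs 4624 and 4720 are real Windows Security log IDs, but the sample events, the "ALERT" trigger that stands in for a lateral-movement detection, and the account and host names are constructed for this example.

```python
"""Toy model of 'contain user' propagation over constructed Windows security events.

Added example. It is not Microsoft's code; it only illustrates the two rules
the article describes: a contained account gets no further logons, and an
account created by a contained account is contained as well, even when it has
not yet shown suspicious activity of its own.
"""
from dataclasses import dataclass, field

LOGON = 4624            # Windows Security: an account was successfully logged on
ACCOUNT_CREATED = 4720  # Windows Security: a user account was created
ALERT = "ALERT"         # constructed marker for a detection (not a Windows event ID)

# Constructed sample events mirroring the demo scenario in the article:
# the attacker logs on to the DC, creates a spare account, is then detected,
# and both accounts are subsequently refused logons while a normal user is not.
SAMPLE_EVENTS = [
    {"ts": 1, "id": LOGON, "user": "CORP\\admin1", "host": "DC01"},
    {"ts": 2, "id": ACCOUNT_CREATED, "user": "CORP\\admin1",
     "target": "CORP\\svc_backup2", "host": "DC01"},
    {"ts": 3, "id": ALERT, "user": "CORP\\admin1",
     "reason": "lateral movement to domain controller DC01"},
    {"ts": 4, "id": LOGON, "user": "CORP\\admin1", "host": "FS01"},
    {"ts": 5, "id": LOGON, "user": "CORP\\svc_backup2", "host": "FS01"},
    {"ts": 6, "id": LOGON, "user": "CORP\\alice", "host": "WS07"},
]


@dataclass
class ContainmentState:
    contained: dict = field(default_factory=dict)   # user -> reason it was contained
    created_by: dict = field(default_factory=dict)  # account -> account that created it

    def contain(self, user, reason):
        """Contain a user and, via lineage, every account that user created."""
        if user in self.contained:
            return
        self.contained[user] = reason
        for child, creator in self.created_by.items():
            if creator == user:
                self.contain(child, f"created by contained account {user}")

    def release(self, user):
        """Analyst undo of a containment (the portal 'undo' in the article).

        Deliberately per account: a child contained through lineage stays
        contained until an analyst releases it explicitly.
        """
        self.contained.pop(user, None)


def process(events, state):
    """Replay events in time order and return one decision tuple per event."""
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["user"]
        if ev["id"] == ACCOUNT_CREATED:
            # Remember lineage so a later containment can reach this account.
            state.created_by[ev["target"]] = actor
            if actor in state.contained:
                state.contain(ev["target"], f"created by contained account {actor}")
            decisions.append((ev["ts"], "CREATED", ev["target"]))
        elif ev["id"] == ALERT:
            state.contain(actor, ev["reason"])
            decisions.append((ev["ts"], "CONTAIN", actor))
        elif ev["id"] == LOGON:
            verdict = "BLOCK" if actor in state.contained else "ALLOW"
            decisions.append((ev["ts"], verdict, actor, ev["host"]))
    return decisions


def run_demo():
    """Run the constructed scenario and return the final state and decisions."""
    state = ContainmentState()
    decisions = process(SAMPLE_EVENTS, state)
    return state, decisions


if __name__ == "__main__":
    final_state, outcome = run_demo()
    for decision in outcome:
        print(decision)
    for user, why in final_state.contained.items():
        print(f"contained {user}: {why}")
```

The point of the lineage map is that the spare account created at ts=2, before any detection, is still refused at ts=5: containment is applied to the account's creator and then followed along the creation link, rather than waiting for the new account to misbehave. Releasing the administrator account alone does not release the spare account, which is the safer default for an undo.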

Should the solution accidentally lock out a legitimate employee, an administrator can review and undo its actions in the Microsoft 365 Defender portal.


Reduce the impact of an attack

“This action can significantly help reduce the impact of an attack. When an identity is under control, security analysts have additional time to locate, identify and remediate the threat to the compromised identity,” said Rob Lefferts, vice president of Microsoft 365 Security.

The feature delivers its security benefits once an attack is already under way. It also works for Linux devices: attacks on those receive the same handling as attacks on devices running Windows. It does not, however, remove the need to invest in solutions that secure endpoints in the first place.
