In June 2023, Microsoft Defender for Endpoint thwarted a large-scale remote encryption attempt by Akira ransomware actors targeting an industrial organization [1] [3]. It did so through its new automatic attack disruption capability, specifically the “contain user” feature [2], which detects and blocks the initial phase of an attack, preventing lateral movement and limiting the attackers’ ability to access endpoints and network resources.


The attack, carried out by the operator Storm-1567, used devices that were not onboarded to Microsoft Defender for Endpoint and included reconnaissance and lateral movement activities [1] [3]. However, the automatic attack disruption capability stopped the breached accounts from accessing endpoints and network resources [1] [3]. The “contain user” feature correlates signals across Microsoft 365 Defender workloads to detect the initial phase of an attack and block it [2]. By containing compromised users across all devices [1] [2], it cuts off all inbound and outbound communication [2], preventing lateral movement [1] [2] [3]. This feature is available automatically and gives security operations analysts additional time to locate and address the threat [2]. It is currently accessible to customers with Microsoft Defender for Endpoint Plan 2 and associated bundles [2].

In August 2023, Microsoft’s enterprise endpoint security platform also disrupted lateral movement attempts against a medical research lab [1] [3]. In this case, the adversary compromised a domain admin-level account [1] [3]. However, by identifying and containing compromised user accounts, the platform prevented the attack from progressing even after initial access was gained [3]. Microsoft emphasizes the importance of containing compromised user accounts, as they can provide attackers with access to Active Directory and undermine traditional security mechanisms [1].


The successful prevention of the Akira ransomware attack and the disruption of lateral movement attempts highlight the effectiveness of Microsoft Defender for Endpoint’s automatic attack disruption capability. By containing compromised user accounts [1] [2] [3], the platform mitigates the impact of attacks and prevents further progression. This feature provides security operations analysts with valuable time to address threats. Moving forward, the containment of compromised user accounts will continue to be crucial in safeguarding organizations against sophisticated cyber threats.