Microsoft promises that Microsoft Defender for Endpoint is now able to "disrupt ransomware attacks". The company states that the new feature, which automatically stops attacks, analyzes and uses signals provided by Microsoft 365 Defender workloads. These include email, software-as-a-service apps, identities and endpoints, among others.
The new protective feature can detect “advanced attacks with high reliability”, according to Rob Lefferts, Corporate Vice President, Microsoft 365 Security.
When Microsoft Defender for Endpoint detects an attack on an individual device, it will automatically stop the attack on the device itself as well as other devices in the organization.
This can be achieved by isolating compromised systems and/or users across devices. The system identifies the user under attack and restricts their access to other endpoints to "stop all incoming and outgoing communication".
Even with elevated privileges, they will be “restricted from accessing any device in the organization,” according to Microsoft.
Attackers will not have time to act maliciously, as they will not be able to use compromised accounts for lateral movement, credential theft, data exfiltration or remote data encryption.
The new defense system protects against ransomware, spearphishing, man-in-the-middle and adversary-in-the-middle attacks, according to the company, and is enabled by default.
Microsoft claims that this new protection prevented 91% of data encryption attempts by malicious users after testing began "quietly" in 2022.
The new features are now available in public preview for Microsoft Defender for Endpoint Plan 2 or Defender for Business.