Original Article Text


Microsoft Defender will isolate undiscovered endpoints to block attacks.

Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers' lateral network movement attempts. As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.

Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.

"Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through automatic attack disruption. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded," Microsoft explains.

"Through automatic attack disruption, Defender for Endpoint incriminates a malicious device, identifies the role of the device to apply a matching policy to automatically contain a critical asset. The granular containment is done by blocking only specific ports and communication directions."

This new feature will be available on Defender for Endpoint-onboarded devices running Windows 10, Windows 2012 R2, Windows 2016, and Windows Server 2019+.

Admins can also lift an IP address's containment at any time, restoring its connection to the network, by selecting the "Contain IP" action in the "Action Center" and choosing "Undo" in the flyout.

Since June 2022, Defender for Endpoint has also been able to isolate hacked and unmanaged Windows devices, blocking all communication to and from the compromised devices to stop attackers from spreading through victims' networks.
Microsoft also started testing device isolation support for Defender for Endpoint on onboarded Linux devices, with the capability reaching general availability on macOS and Linux in October 2023.

The same month, the company revealed that Defender for Endpoint could also isolate compromised user accounts to block lateral movement in hands-on-keyboard ransomware attacks using automatic attack disruption.

Daily Brief Summary

CYBERCRIME // Microsoft Enhances Defender to Isolate Undiscovered Endpoints

Microsoft is developing a new feature in Defender for Endpoint to isolate traffic to and from undiscovered network endpoints.

This capability aims to prevent attackers from moving laterally across the network by blocking communications with these unseen devices.

The feature works by automatically containing the IP addresses of devices that haven't been discovered or integrated into Defender for Endpoint.

Automatic attack disruption identifies and blocks IP addresses related to malicious or unknown devices, applying containment measures to protect network integrity.

The new security measure will extend to devices running Windows 10, Windows 2012 R2, Windows 2016, and Windows Server 2019+ that are onboarded to Defender for Endpoint.

Administrators have the option to manually reverse the IP containment at any time through the Defender for Endpoint "Action Center".

Since June 2022, Microsoft has also enabled the isolation of compromised and unmanaged Windows devices to prevent the spread of attacks within networks.

The device isolation feature was extended to Linux devices, with macOS and Linux support achieving general availability in October 2023.