The “contain user” feature is now available to a wider pool of organizations. Select Microsoft Defender for Endpoint customers have been trying out the feature since November 2022, and it is now being rolled out to other organizations. The feature aims to disrupt human-operated attacks such as ransomware, business email compromise and adversary-in-the-middle attacks. These attacks often begin with compromised user accounts.

Microsoft Defender for Endpoint is Microsoft’s XDR solution that detects threats on networks and systems and allows security teams to investigate and respond to attacks. The “contain user” feature correlates signals across Microsoft 365 Defender workloads to detect the initial phase of an attack and block it. It contains compromised users across all devices to outmaneuver attackers before their attack can succeed. The capability is on by default and prevents the attacker from spreading further to the remaining devices.

Read More: Microsoft Defender can automatically contain compromised user accounts