The new capability will be added to the automatic attack disruption tool, however, new research warns that the tool has to be tuned to avoid it becoming an attack vector.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Microsoft is previewing automatic device isolation in Defender for Endpoint's auto attack disruption tool, which blocks most network traffic on a compromised device while keeping it connected to security services. The feature aims to contain attacks moving at machine speed by cutting off C2 communication and preventing lateral movement. However, a SANS Institute research paper warns that the tool can be weaponized: a researcher demonstrated an 'Autonomous Defense Induced Disruption' (ADID) attack that tricks Defender into disabling all Active Directory identities, including domain administrators, by simulating high-confidence attack signals. Microsoft recommends keeping auto attack disruption enabled with granular tuning by device group, rather than opting out entirely.

Microsoft previews automatic device isolation in Defender for Endpoint