Microsoft Defender for Endpoint can now automatically disrupt human-operated attacks such as ransomware early in the kill chain, without requiring the deployment of additional security features. The capability is called automatic attack disruption. It adds to other new security measures like ‘credit monitoring’ and ‘privacy protection’.
Ransomware is a type of malware that encrypts your files so that you can’t access them. Ransomware attackers then demand a ransom payment in exchange for the decryption key.
Automatic attack disruption in Microsoft 365 Defender uses signals to automatically detect and stop advanced attacks across identities, endpoints, email, and SaaS apps, providing high-confidence protection for your devices.
Put simply, automatic attack disruption is a new feature in Microsoft Defender for Endpoint that can automatically stop ransomware attacks before they start. It does this by looking for suspicious activity across all of your devices, such as unusual network traffic or attempts to encrypt files. If automatic attack disruption detects suspicious activity, it can immediately stop the attack and protect your devices.
Microsoft also revealed that when an attack is detected on a device, it is immediately stopped, and all other devices in the organization are protected. Even users with high-level permissions cannot access compromised devices. This mechanism resolves the challenge of identifying attacks that appear to be normal user behaviour.
Automatic attack disruption is not limited to ransomware. It also covers other complex attacks. Effective security strategies require patching vulnerabilities, deploying next-gen antivirus, automating incident response, and enabling automatic attack disruption.
The feature is available in public preview for various endpoint protection offerings, including Microsoft Defender for Endpoint Plan 2 and Defender for Business.