{
	"id": "053387c4-94cd-4727-b8d5-792c16fe5534",
	"created_at": "2026-04-06T00:06:39.775244Z",
	"updated_at": "2026-04-10T03:27:57.395877Z",
	"deleted_at": null,
	"sha1_hash": "f9d78b69d09925d6a19f5cb7f06b1e9546acd595",
	"title": "Automatic disruption of human-operated attacks through containment of compromised user accounts | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820211,
	"plain_text": "Automatic disruption of human-operated attacks through\r\ncontainment of compromised user accounts | Microsoft Security\r\nBlog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-10-11 · Archived: 2026-04-05 16:53:33 UTC\r\nOur experience and insights from real-world incidents tell us that the swift containment of compromised user\r\naccounts is key to disrupting hands-on-keyboard attacks, especially those that involve human-operated\r\nransomware. In these attacks, lateral movement follows initial access as the next critical stage for attackers to\r\nadvance their objective of targeting valuable assets and sensitive data. Successful lateral movement depends on\r\nattackers’ ability to compromise user accounts and elevate permissions: our observations of attacks show that all\r\nhuman-operated ransomware attacks where ransomware deployment was successful involve attackers gaining\r\naccess to a domain admin-level account or local administrator passwords.\r\nAttackers compromise user accounts through numerous and diverse means, including techniques like credential\r\ndumping, keylogging, and brute-forcing. Poor credential hygiene could very quickly lead to the compromise of\r\ndomain admin-level accounts, which could allow attackers to access domain resources and devices, and\r\ncompletely take over the network. Based on incidents analyzed by Microsoft, it can take only a single hop from\r\nthe attacker’s initial access vector to compromise domain admin-level accounts. For instance, an attacker can\r\ntarget an over-privileged service account configured in an outdated and vulnerable internet-facing server.\r\nHighly privileged user accounts are arguably the most important assets for attackers. Compromised domain\r\nadmin-level accounts in environments that use traditional solutions provide attackers with access to Active\r\nDirectory and could subvert traditional security mechanisms. 
In addition to compromising existing accounts,\r\nattackers have adopted the creation of additional dormant, highly privileged user accounts as persistence\r\nmechanisms.\r\nIdentifying and containing these compromised user accounts, therefore, prevents attacks from progressing, even if\r\nattackers gain initial access. This is why, as announced today, we added user containment to the automatic attack\r\ndisruption capability in Microsoft Defender for Endpoint, a unique and innovative defense mechanism that stops\r\nhuman-operated attacks in their tracks. User containment prevents a compromised user account from accessing\r\nendpoints and other resources in the network, limiting attackers’ ability to move laterally regardless of the\r\naccount’s Active Directory state or privilege level. It is automatically triggered by high-fidelity signals indicating\r\nthat a compromised user account is being used in an ongoing attack. With user containment, even compromised\r\ndomain admin accounts cannot help attackers access other devices in the network.\r\nIn this blog we will share our analysis of real-world incidents and demonstrate how automatic attack disruption\r\nprotected our customers by containing compromised user accounts. We then explain how this capability fits in our\r\nautomatic attack disruption strategy and how it works under the hood.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/\r\nPage 1 of 7\n\nUser containment stops Storm-1567 attack, prevents Akira ransomware\r\nencryption\r\nIn early June 2023, an industrial engineering organization was the target of a human-operated attack by an Akira\r\nransomware operator tracked by Microsoft as Storm-1567. 
Akira is a ransomware strain first observed by\r\nMicrosoft in March 2023 and has features common to other ransomware payloads like the use of the ChaCha\r\nencryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft assesses that\r\nAkira is most likely a closed ransomware offering and not openly marketed as ransomware as a service.\r\nIn this attack, the threat actor leveraged devices that were not onboarded to Microsoft Defender for Endpoint for\r\nmost of the attack stages, a defense evasion tactic we’ve seen in other attacks. While visibility from our endpoint\r\nsolution could have blocked the attack earlier in the attack chain and helped to protect the organization’s devices\r\nmuch sooner, Defender for Endpoint nonetheless successfully prevented the ransomware stage, protecting all\r\nonboarded devices in the organization from getting encrypted.\r\nFigure 1. Storm-1567 attempt to encrypt devices\r\nBased on our analysis, after gaining access to the network, the threat actor started preparing to encrypt devices by\r\nscanning, attempting to tamper with security products, conducting lateral movement using Remote Desktop\r\nProtocol (RDP), and other anomalous activities. It should be noted that the activities were conducted on a Sunday\r\nevening, a time when SOC teams might be at a limited capacity. Most of these activities were done on Windows\r\nServer devices, including SQL Servers onboarded to Microsoft Defender for Endpoint. These activities were\r\nhighly anomalous compared to routine activity in the customer’s network and therefore triggered multiple alerts.\r\nMicrosoft Defender for Endpoint’s next-generation protection capabilities detected and prevented several attacker\r\nactivities, prompting the attackers to try tampering with the security product. However, tamper protection was\r\nenabled in the environment, so these attempts were not successful. 
Meanwhile, Microsoft 365 Defender correlated\r\nsignals from multiple Defender products, identified the malicious activity, and incriminated – that is, determined\r\nas malicious with high confidence – the associated compromised assets, including a user account the attackers\r\nused.\r\nApproximately half an hour after activity began, attackers leveraged the compromised user account and attempted\r\nto encrypt devices remotely via the Server Message Block (SMB) protocol from a device not onboarded to Microsoft\r\nDefender for Endpoint. Because of the earlier incrimination, the compromised user account was contained, and the\r\ndevices onboarded to Defender for Endpoint were protected from encryption attempts.\r\nLater the same day, the attackers repeated the same malicious sequences by pivoting to other compromised user\r\naccounts, attempting to bypass attack disruption protection. Defender for Endpoint was again able to protect\r\nonboarded devices from encryption over the network. In this incident, automatic attack disruption’s ability to\r\ncontain additional compromised user accounts demonstrated unique and innovative impact for endpoint and\r\nidentity security, helping to protect all devices onboarded to Defender for Endpoint from the attack.\r\nFigure 2. Chart showing remote encryption attempts being blocked on devices onboarded to\r\nMicrosoft Defender for Endpoint as the attack progresses\r\nUser containment stops lateral movement in human-operated campaign\r\nIn early August 2023, Microsoft Defender for Endpoint automatically disrupted a human-operated attack early in\r\nthe attack chain by containing the compromised user account prior to any impact, saving a medical research lab\r\nfrom what could have been a large-scale attack. 
The first indication of the attack was observed at roughly 4:00\r\nAM local time on a Friday, when attackers, operating from a device not onboarded to Defender for Endpoint,\r\ninitiated a remote password reset for the default domain administrator account. This account wasn’t active on any\r\ndevice onboarded to Microsoft Defender for Endpoint in the months prior to the intrusion. We infer that the\r\naccount credentials were likely expired, and that the attackers found the stale password hashes belonging to the\r\naccount by using commodity credential theft tools like Mimikatz on a device not onboarded to Microsoft\r\nDefender for Endpoint. Expired credentials, while often not seen as a security risk, could still be abused and could\r\nallow attackers to update an account’s password.\r\nMinutes after the administrator account password was reset, the attackers started scanning the network for\r\naccessible shares and enumerated other account and domain configurations using SMB-accessible services. This\r\nscan and all subsequent malicious activities originated from the same non-onboarded device and compromised\r\nadministrator account.\r\nParallel to the network scan, the threat actor initiated an RDP session to a SQL Server, attempting to tamper with\r\nsecurity products on the server and running a variety of credential theft and domain discovery tools.\r\nAt this point, the compromised administrator account was incriminated based on cumulative signals from the\r\nDefender for Endpoint-onboarded SQL server and the account’s anomalous activity. Automatic attack disruption\r\nwas triggered and the compromised account was contained. 
All devices in the organization that supported the user\r\ncontainment feature immediately blocked SMB access from the compromised user account, stopping the\r\ndiscovery operations and preventing the possibility of subsequent lateral movement.\r\nFollowing the initial containment of the attack through automatic attack disruption, the SOC was then able to take\r\nadditional critical remediation actions to expand the scope of the disruption and evict the attackers from the\r\nnetwork. This included terminating the attackers’ sessions on two compromised servers and disabling the\r\ncompromised domain administrator account at the Active Directory level.\r\nWhile user containment is automatic for devices onboarded to Defender for Endpoint, this incident demonstrates\r\nthe importance of active engagement of the SOC team after the automatic attack disruption action to fully evict the\r\nattackers from the environment. It also shows that onboarding devices to Microsoft Defender for Endpoint\r\nimproves the overall capability to detect and disrupt attacks within the network sooner, before high-privileged user\r\naccounts are compromised.\r\nIn addition, as of September 2023, user containment also supports terminating active RDP sessions, in addition to\r\nblocking new attempted connections, a critical first step in evicting attackers from the network. Disabling\r\ncompromised user accounts at the Active Directory level is already supported by automatic attack disruption\r\nthrough integration with Defender for Identity. In this particular incident, the customer was not using Defender for\r\nIdentity, but this case highlights the stronger defenses that result from cross-domain visibility.\r\nFigure 3. 
Attack chain of human-operated campaign that targeted a medical research lab\r\nProtecting against compromised user accounts through automatic containment\r\nAs demonstrated by the incidents we described above, unlike commodity malware infection, human-operated\r\nattacks are driven by humans with hands-on-keyboard access to the network who make decisions at every stage of\r\ntheir attack. Attack patterns vary depending on what attackers find in the target network. Protecting against such\r\nhighly skilled, profit-driven, and determined adversaries is not trivial. These attackers leverage key principles of\r\non-premises Active Directory environments, which provide an active domain administrator account unlimited\r\naccess to domain resources. Once attackers obtain accounts with sufficient privileges, they can conduct malicious\r\nactivities like lateral movement or data access using legitimate administrative tools and protocols.\r\nFigure 4. An example of a malicious activity of compromised user accounts in a human-operated\r\nransomware attack\r\nAt Microsoft, we understand that to better defend our customers against such highly motivated attackers, a multi-layer defense approach must be used for an optimal security protection solution across endpoints and identities.\r\nMore importantly, this solution should prioritize organization-wide protection, rather than protecting only a single\r\nendpoint. Motivated attackers search for security weaknesses and prioritize compromising unprotected devices. As\r\na result, assuming that initial attack stages have occurred, with potentially at least a few compromised user\r\naccounts, is critical for developing security defenses for later attack stages. 
Using key assumptions and principles\r\nof on-premises Active Directory environments, a security-first mindset means limiting the access of even the most\r\nprivileged user accounts to mitigate security risks.\r\nThe automatic attack disruption capability contains user accounts by creating a boundary between healthy\r\nonboarded devices and compromised user accounts and devices. It works in a decentralized manner: a containment\r\npolicy distributed to all onboarded devices across the organization enables each Microsoft Defender for Endpoint\r\nclient to protect the device against any compromised account, even an account belonging to the Domain Admins\r\ngroup.\r\nThis decentralized approach avoids some of the pitfalls of centralized manual or automatic controls, such as\r\ndisabling an account in Active Directory, which is a single point of failure as it can be overridden by the\r\nattacker who may already have compromised domain controllers. The virtual security boundary set to contain the\r\nuser is implemented by controls that were tailored to disrupt attacker activity during various attack stages,\r\nincluding lateral movement, credential theft, and impact such as remote encryption or deployment of a ransomware\r\npayload. The actual set of controls triggered to contain a user might vary depending on the attack scenario and\r\nstage, and includes:\r\n1. Sign-in restriction: This is the most aggressive control in containing a user account. When this control is\r\ntriggered, devices will deny all or some types of sign-ins by a compromised account. This control takes\r\neffect immediately and is effective regardless of the account’s state (i.e., active or disabled) in the authority\r\nit belongs to. 
This control can block most attacker capabilities, but in cases where an attacker had already\r\nauthenticated to a device before a compromise was identified, the other controls might still be required to\r\nblock the attack.\r\n2. Intercepting SMB activity: Attack disruption can contain a user by denying inbound file system access\r\nfrom a remote origin, limiting the attacker’s ability to remotely steal or destroy valuable data. Notably, this\r\ncontrol can prevent or limit ransomware encryption over SMB. It can also block lateral movement methods\r\nthat include a payload being created on a remote device, including PsExec and similar tools.\r\n3. Filtering RPC activity: Attack disruption can selectively restrict compromised users’ access to remote\r\nprocedure call (RPC) interfaces that attackers often leverage during attacks. Attackers abuse RPC-based\r\nprotocols for a variety of goals such as credential theft (DCsync and DPAPI), privilege escalation\r\n(“PetitPotam”, Print Spooler), discovery (server \u0026 workstation services), and lateral movement (remote\r\nWMI, scheduled tasks, and services). Blocking such activities can contain an attack before the attacker\r\ngains a strong foothold in the network or can deny the ability to capitalize on such a foothold during the\r\nimpact stage.\r\n4. Disconnecting or terminating active sessions: In case a compromised account had already gained a\r\nfoothold on the device, when attack disruption is triggered, it can disconnect or terminate sessions\r\npreviously initiated by the account. This control differs from the others in this list as it’s effective against\r\nalready compromised devices, protecting against any additional malicious activity by the attacker. Once a\r\nsession is terminated, attackers are locked out of the device by the sign-in restriction control. 
This is\r\nespecially critical in stopping attacks earlier in the attack chain, disrupting and containing attacks before\r\nreaching the impact stage.\r\nThe user containment capability is part of the existing protections provided by solutions within Microsoft 365\r\nDefender. As we described in this blog, this capability correlates high-fidelity signals from multiple Defender\r\nproducts to incriminate malicious entities with high confidence and then immediately contain them to\r\nautomatically disrupt ongoing attacks, including the pre-ransomware and encryption stages in human-operated\r\nattacks.\r\nTo benefit from this capability, organizations need only onboard devices to Microsoft Defender for Endpoint.\r\nAs more devices are onboarded, the scope of disruption is larger and the level of protection is higher. And as more\r\nDefender products are used in the organization, the visibility is wider and the effectiveness of the solution is\r\ngreater. This also lowers the risk of attackers taking advantage of unprotected devices as launch pads for attacks.\r\nAutomatic attack disruption represents an innovative solution designed to increase defenses against the\r\nincreasingly sophisticated threat of hands-on-keyboard attacks, especially human-operated ransomware. 
This\r\ncapability is informed by threat intelligence and insights from investigations and analysis of threats and actors in\r\nthe cybercrime economy, and reflects our commitment to provide industry-best protections for our customers.\r\nEdan Zwick, Amir Kutcher, Charles-Edouard Bettan, Yair Tsarfaty, Noam Hadash\r\nFurther reading\r\nLearn how Microsoft Defender for Endpoint stops human-operated attacks.\r\nFor more information, read our documentation on the automatic attack disruption capability.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us\r\nat https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/"
	],
	"report_names": [
		"automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9d78b69d09925d6a19f5cb7f06b1e9546acd595.pdf",
		"text": "https://archive.orkl.eu/f9d78b69d09925d6a19f5cb7f06b1e9546acd595.txt",
		"img": "https://archive.orkl.eu/f9d78b69d09925d6a19f5cb7f06b1e9546acd595.jpg"
	}
}