Microsoft Defender will isolate undiscovered endpoints to block attacks


04/11/2025


Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers’ lateral network movement attempts.

As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.

Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.

“Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through automatic attack disruption. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded,” Microsoft explains.

“Through automatic attack disruption, Defender for Endpoint incriminates a malicious device, identifies the role of the device to apply a matching policy to automatically contain a critical asset. The granular containment is done by blocking only specific ports and communication directions.”
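The granular containment described above, modelled as an added example that is not Microsoft's code: an incriminated IP is contained only when it belongs to an undiscovered (not onboarded) device, and a contained IP has only specific ports and directions blocked. The inventory, the port lists and the flows are constructed assumptions.

```python
"""Toy model of a Contain IP policy: contain incriminated IPs that are not in the
onboarded-device inventory, then block only specific ports per direction."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class ContainRule:
    direction: str          # "inbound" or "outbound", relative to the contained IP
    ports: frozenset[int]   # destination ports blocked in that direction


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


# Constructed inventory of devices onboarded to the EDR (assumption).
ONBOARDED = {"10.0.0.10", "10.0.0.11"}

# Constructed granular policy (assumption): block lateral-movement ports from the
# contained IP and remote-admin ports towards it; everything else stays open.
POLICY = (
    ContainRule("outbound", frozenset({445, 3389, 5985, 5986})),
    ContainRule("inbound", frozenset({445, 3389})),
)


def contained_ips(incriminated: set[str], onboarded: set[str] = ONBOARDED) -> set[str]:
    """Only IPs of undiscovered devices get the Contain IP policy; onboarded devices
    are handled by device isolation instead, so they are not returned here."""
    for ip in incriminated:
        ip_address(ip)  # validate that each value is a real IP address
    return {ip for ip in incriminated if ip not in onboarded}


def decide(flow: Flow, contained: set[str], policy=POLICY) -> str:
    """Return 'block' if the flow matches a rule for a contained IP, else 'allow'."""
    for rule in policy:
        if rule.direction == "outbound" and flow.src in contained and flow.dst_port in rule.ports:
            return "block"
        if rule.direction == "inbound" and flow.dst in contained and flow.dst_port in rule.ports:
            return "block"
    return "allow"
```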

[Figure: Attack disruption via IP containment (Microsoft)]

This new feature will be available on Defender for Endpoint-onboarded devices running Windows 10, Windows 2012 R2, Windows 2016, and Windows Server 2019+.

Admins can also stop an IP address’s containment and restore its network connection at any time by selecting the “Contain IP” action in the Action Center and choosing “Undo” in the flyout.

Since June 2022, Defender for Endpoint has also been able to isolate hacked and unmanaged Windows devices, blocking all communication to and from the compromised devices to stop attackers from spreading through victims’ networks.

Microsoft also started testing device isolation support for Defender for Endpoint on onboarded Linux devices, with the capability reaching general availability on macOS and Linux in October 2023.

The same month, the company revealed that Defender for Endpoint could also isolate compromised user accounts to block lateral movement in hands-on-keyboard ransomware attacks using automatic attack disruption.
