Defender Attack Disruption
Automatic Attack Disruption is Defender XDR's ability to contain in-progress attacks automatically — what it does and how.
Automatic Attack Disruption is a Microsoft Defender XDR capability that automatically contains in-progress attacks without waiting for an analyst to investigate. It has become increasingly important as attackers operate at machine speed — by the time a human SOC analyst opens an incident, ransomware encryption has already started.
What Attack Disruption does
When Defender XDR's correlation engine determines with high confidence that a specific attack pattern is happening — based on signals from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps — it takes automatic containment actions:
- Disable a compromised user account in Entra ID so the attacker can no longer authenticate with the stolen credentials.
- Isolate a compromised device at the network level so it can't communicate further.
- Contain a compromised device — block specific outbound traffic without full isolation.
- Quarantine malicious emails across all mailboxes that received them.
The actions are scoped to the specific entities involved in the active attack — not blanket changes. The incident is paused at the disruption point; analysts then investigate and either confirm and remediate or roll back the action.
What attacks are covered
Microsoft has progressively added attack patterns to disruption coverage:
- Human-operated ransomware — early-stage indicators of ransomware in motion.
- Business email compromise (BEC) — patterns of compromised mailboxes used for fraud.
- Adversary-in-the-middle phishing — detection of post-AitM token use.
- Compromised user investigation patterns — automated containment of confirmed compromised users.
Microsoft publishes which scenarios are covered; the list expands over time.
High confidence is the bar
Attack Disruption only fires when Microsoft's confidence is very high — false positives in automated containment would be operationally devastating. The detection patterns combine:
- Multiple corroborating signals across Defender products.
- Behavioural patterns matching known attack chains.
- Threat intelligence on active campaigns.
- Context about the specific environment (which users / devices are involved).
In practice, the false-positive rate is low. Microsoft publishes telemetry showing how many incidents disruption has shortened or prevented.
How analysts interact
When disruption fires, the SOC sees:
- An incident flagged as "attack disrupted."
- The containment actions taken and their scope.
- Recommended next steps to fully remediate.
- A clear timeline of detection, disruption, and post-disruption activity.
Analysts can roll back disruption actions if they conclude it's a false positive. They can extend disruption — disable additional accounts, isolate additional devices.
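To make the three points above concrete (corroboration across products before any action, actions scoped to the incident's own entities, and analyst rollback), here is an added illustrative model. It is not Microsoft's implementation and not code from this page; the product labels, the two-product threshold, the incident ids and the sample signals are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed threshold: containment fires only when evidence for the incident
# comes from at least this many distinct Defender products.
MIN_CORROBORATING_PRODUCTS = 2


@dataclass(frozen=True)
class Signal:
    incident_id: str
    product: str                   # constructed labels, e.g. "MDE", "MDI", "MDO"
    user: Optional[str] = None
    device: Optional[str] = None


@dataclass
class DisruptionState:
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (action, entity)
    rolled_back: bool = False


def decide_disruption(signals: List[Signal], incident_id: str) -> DisruptionState:
    """Return containment actions for one incident; empty if the confidence bar is not met."""
    evidence = [s for s in signals if s.incident_id == incident_id]
    products = {s.product for s in evidence}
    state = DisruptionState()
    if len(products) < MIN_CORROBORATING_PRODUCTS:
        return state  # single-source signal: leave it for an analyst
    # Scope to the entities seen in this incident's evidence, never tenant-wide.
    users = sorted({s.user for s in evidence if s.user})
    devices = sorted({s.device for s in evidence if s.device})
    state.actions += [("disable_account", u) for u in users]
    state.actions += [("isolate_device", d) for d in devices]
    return state


def roll_back(state: DisruptionState) -> List[Tuple[str, str]]:
    """Analyst judged the disruption a false positive: emit the reversing actions."""
    reverse = {"disable_account": "enable_account", "isolate_device": "release_device"}
    state.rolled_back = True
    return [(reverse[action], entity) for action, entity in state.actions]


# Constructed sample telemetry: INC-1 is corroborated by three products, INC-2 by one.
SAMPLE_SIGNALS = [
    Signal("INC-1", "MDI", user="alice@contoso.example"),
    Signal("INC-1", "MDE", user="alice@contoso.example", device="WS01"),
    Signal("INC-1", "MDO", user="alice@contoso.example"),
    Signal("INC-2", "MDE", user="bob@contoso.example", device="WS02"),
]

if __name__ == "__main__":
    print(decide_disruption(SAMPLE_SIGNALS, "INC-1").actions)  # alice disabled, WS01 isolated
    print(decide_disruption(SAMPLE_SIGNALS, "INC-2").actions)  # [] - single source, no action
```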
What it doesn't do
- It doesn't replace SOC analysts — disruption is the first response, not the final remediation.
- It doesn't cover every attack — only the patterns Microsoft has built confidence in.
- It doesn't undo damage already done — if encryption started before disruption, files are still encrypted.
Prerequisites
Attack Disruption requires:
- Microsoft Defender XDR — the unified portal.
- Defender for Endpoint onboarded to all relevant devices.
- Defender for Identity sensors on relevant domain controllers / Entra Connect.
- Defender for Office 365 P2 for email-side disruption.
- Cross-product configuration — disruption needs telemetry from multiple Defender products to make confident decisions.
When it matters
Attack Disruption matters most for organisations with:
- Limited SOC coverage — small teams or business-hours-only operations.
- High-value target profiles — financial services, healthcare, regulated industries.
- Past ransomware experience — knowing what minutes cost during an active incident.
For Microsoft 365 E5 customers, Attack Disruption is essentially free with the existing Defender investment. Enable it, monitor it, trust it cautiously — and let it buy minutes during the next bad day.