Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
Happening score: 10
1 unique source, 1 article

Summary

Microsoft is previewing automatic isolation for compromised endpoints in Defender for Endpoint, reducing lateral movement risk on managed workstations. The capability is part of automatic attack disruption and keeps isolated devices connected to Microsoft’s service for monitoring. It gives security teams more time to contain attacks and limit harm from data exfiltration and ransomware propagation.

Related Happenings

External Microsoft Teams helpdesk-impersonation campaign

Campaign
First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

Microsoft Teams remote assistance abuse mitigation

Advisory/Mitigation
First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: **Microsoft** issued mitigation guidance to curb **Teams-adjacent remote assistance abuse**, warning that external contacts should be treated as untrusted and that **remote assist...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Havoc Demon payload deployment and persistence operation

Malware Activity
First: 03.03.2026 19:15 Last: 03.03.2026 19:15 Sources 1

About this happening: A **fake IT support** operation is deploying **Havoc Demon** payloads to preserve access across compromised endpoints and support likely **data exfiltration** or **ransomware** fo...

Timeline

  1. 26.05.2026 15:19 2 articles · 1d ago

    Microsoft previews automatic isolation for compromised Defender for Endpoint workstations

    Initial Disclosure

    Microsoft is testing a new Defender for Endpoint capability in preview that automatically isolates compromised endpoints as part of automatic attack disruption. The control applies only to onboarded end-user workstations managed by Microsoft Defender for Endpoint, disconnects suspected compromised devices from the network, keeps them connected to the Microsoft Defender for Endpoint service for monitoring, and is intended to limit lateral movement, data exfiltration, and ransomware propagation.
