How Microsoft Defender used predictive shielding to proactively disrupt a ransomware attack

Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale.

In a recent real‑world incident, a human‑operated ransomware actor attempted to do exactly that by abusing Group Policy Objects (GPOs) to target hundreds of devices, but Microsoft Defender detected the attack and proactively hardened those devices before GPOs were deployed.

The attacker’s plan

The target organization, a large educational institution with more than a couple of thousand devices onboarded to Microsoft Defender, had already experienced a compromise of a domain admin account from an unmanaged device before the ransomware deployment attempt began.

Because GPOs are a trusted mechanism for pushing configuration changes across devices, they present an attractive path for attackers looking to disable security tools or deploy ransomware broadly without needing to access each machine individually. This attacker’s plan involved weaponizing GPOs to:

• Push tampering configurations that could disable Defender protections across the environment
• Distribute and execute ransomware via scheduled tasks
• Leverage built‑in enterprise infrastructure to scale the attack

This approach allowed the attacker to attempt ransomware deployment through standard administrative channels, minimizing the need for direct interaction with individual devices and increasing the potential for widespread impact.

How Defender thwarted the attack

First, Defender quickly detected the attack and contained the domain admin account that the attacker had compromised. Then, since the attacker had created a malicious GPO that disabled key Defender protections, a Defender tampering alert was triggered. In response, predictive shielding activated GPO hardening, temporarily pausing the propagation of new GPO policies across all MDE onboarded devices reachable from the attacker’s standpoint and achieved protection of ~85% of devices against the tampering policy before ransomware was deployed.

Ten minutes later, the attacker attempted to distribute ransomware, but because GPO hardening had already been applied, GPO propagation was already disabled on the targeted devices and the attacker was unsuccessful. Defender recognized that GPO tampering is a precursor to ransomware distribution and acted preemptively. It didn’t wait for ransomware to appear; it acted on what the attacker was about to do, preventing downstream impact such as recovery costs and operational downtime.

The results

• Zero machines were encrypted via the GPO path.
• Roughly 97% of devices the attacker attempted to encrypt were fully protected by Defender. A limited number of devices experienced encryption during concurrent ransomware activity over SMB; however, attack disruption successfully contained the incident and stopped further impact.
• 700 devices applied the predictive shielding GPO hardening policy, reflecting the attacker’s broad targeting scope, and blocking the propagation of the malicious policy set by the attacker within approximately 3 hours.

Attackers are getting more sophisticated, finding ways to evade detection by abusing legitimate IT tools that organizations rely on and can’t simply turn off. Security teams can’t restrict these mechanisms without impacting daily operations. By detecting ransomware staging and predicting the attacker’s next move, Defender can apply targeted restrictions just in time, shifting from reactive response to proactive prevention, stopping only what matters when it matters while maintaining full business productivity. With average ransom demands now ranging from $2–5M, the downstream recovery and remediation savings from preventing these attacks can be massive.

Learn more

• To learn more about this specific attack, check out the full case study: Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started [microsoft.com]
• To learn more about endpoint protection with Microsoft Defender, check out our website.
• To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.