Why Did Blocking Two Sites in Defender Brick My Network Devices?

Asked By TechWiz42 On

This afternoon, I got a Defender alert about some suspicious activity linked to an emerging threat actor. It mentioned that Chrome on one user's computer made an outbound connection to an IP address (147.45.178.85) and the URL uhaknews.com. Trying to be proactive, I blocked that IP and URL using our Endpoint protection policy, which operates on an Allow/Deny basis for users.

However, shortly after, my own laptop lost its Wi-Fi connection. I tried connecting via Ethernet, but I kept getting a 169.254 address and couldn't connect to the gateway, no matter what I did. To make matters worse, over 30 devices managed by Intune also stopped working across the organization.

After some troubleshooting on another computer, I removed the blocked lines from the policy and disabled the Defender Firewall on my laptop, which allowed it to connect again. After waiting a bit, I re-enabled the firewall and the connection worked fine. Now, I'm left trying to figure out how to fix all those other devices that are offline. What could blocking those two sites have done to cause this issue?

5 Answers

Answered By TheFirewallSavant On

From what you're saying, you might have a policy that isolates infected systems. If that’s the case, then blocking those sites could have triggered an isolation protocol. Does Defender isolate an endpoint this way when it suspects a threat?

TechWiz42 -

I didn't think of that! My fear is that it might be the reason, but Defender hasn't flagged those devices before.

Answered By DHCP_Detective On

You might want to dive deeper into DHCP. Check if you can sniff the DHCP conversation from the affected devices. Temporarily assigning an IP outside your usual range might help you establish if you can ping the gateway. Start with basic troubleshooting to get to the root of the issue!

Answered By BrickedNotBricked On

This situation may not be as dire as 'bricked.' For a real bricking scenario, you’d need something like an RMM update that gets wiped unexpectedly, preventing even recovery access. But since Defender can sometimes act unpredictably, rolling back to a previous restore point might help if you have that option.

Answered By IsolationExpert_101 On

You should check if those devices are isolated or if live response works for them. Also, look into whether anyone quarantined the devices accidentally. It's important to know if isolation was applied or if it was just a containment issue.

Answered By NetworkGuru_99 On

Sounds like there was a DHCP failure, which is indicated by the 169.254 address you got. I also checked, and pinging uhaknews.com resolves to that same IP you blocked, so that definitely connects. It's possible you might have accidentally removed a whole IP range in your admin portal instead of just blocking those two. You should check the audit logs for confirmation!
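As an added triage example (not part of the thread, written from a defender's stance), the PowerShell below tells a missing DHCP lease (the 169.254 symptom described above) apart from a firewall block on one affected Windows endpoint. The host name and IP are the indicators quoted in the question; the cmdlets are the built-in NetTCPIP, NetSecurity and DnsClient modules, and running it elevated is assumed.

```powershell
# Constructed triage script, not from the thread. Run as Administrator on an affected endpoint.
# 1) adapters that fell back to APIPA (169.254.0.0/16), i.e. the DHCP client got no lease
# 2) Defender Firewall profile state and default actions
# 3) whether the indicator still resolves to the alert IP, and whether the gateway answers

$BlockedHost = 'uhaknews.com'    # indicator from the alert in the question
$BlockedIp   = '147.45.178.85'   # indicator from the alert in the question

Write-Host '== Adapters holding an APIPA address (no DHCP lease) =='
$apipa = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -like '169.254.*' }
foreach ($a in $apipa) {
    $if = Get-NetIPInterface -InterfaceIndex $a.InterfaceIndex -AddressFamily IPv4
    $gw = Get-NetRoute -InterfaceIndex $a.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Interface = $a.InterfaceAlias
        Address   = $a.IPAddress
        Dhcp      = $if.Dhcp        # 'Enabled' here means DHCP asked and nothing answered
        Gateway   = if ($gw) { $gw.NextHop } else { '(no default route)' }
    }
}
if (-not $apipa) { Write-Host 'No APIPA addresses: DHCP leases look healthy on this host.' }

Write-Host "`n== Defender Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

Write-Host "`n== Does the indicator still resolve to the alert IP? =="
try {
    $rr = Resolve-DnsName -Name $BlockedHost -Type A -ErrorAction Stop
    $resolved = @($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    "$BlockedHost -> $($resolved -join ', ')  (alert IP $BlockedIp; match: $($resolved -contains $BlockedIp))"
} catch {
    # Expected when the resolver itself is unreachable (APIPA) or the name is blocked
    "Lookup of $BlockedHost failed: $($_.Exception.Message)"
}

Write-Host "`n== Gateway reachability on every IPv4 interface with a default route =="
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ok = Test-Connection -ComputerName $_.NextHop -Count 1 -Quiet -ErrorAction SilentlyContinue
        "{0}: gateway {1} reachable={2}" -f $_.InterfaceAlias, $_.NextHop, $ok
    }
```

An APIPA address with DHCP enabled and an unreachable gateway points at the lease exchange failing, which a single-host indicator block should not cause; a valid lease with the gateway reachable but the lookup failing points at the block itself.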
