macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. This situation is particularly acute in corporate environments; while Windows has a range of tools to ensure that systems are kept up-to-date and alert administrators if they fall behind, a similar ecosystem hasn't been developed for macOS.
One would hope that Defender for Mac will also trap Windows malware to prevent Mac users from spreading malware to their Windows colleagues. The initial preview of Defender for Mac will focus on signature-based malware detection. Defender ATP for Windows tracks various system behaviors and reports them to the ATP cloud service, which can be used to detect threats even without identifying any specific piece of malware. For example, if a system is iteratively opening and overwriting all its documents, there's a good chance that it's running some kind of ransomware process that's systematically encrypting the user's files. ATP can alert administrators that this is happening.
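The behaviour described above, a process iteratively opening and overwriting documents, can be written as a simple detection rule. The following is an added example, not Defender ATP's detection logic or code from the article; the event format, the thresholds and the sample telemetry are constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

WINDOW_S = 60        # assumed sliding window, in seconds
MIN_FILES = 5        # assumed number of distinct documents rewritten in the window
MIN_ENTROPY = 7.0    # bits per byte; encrypted output approaches 8

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect(events):
    """Return pids that read and then rewrite many documents with high-entropy data.

    events: iterable of (time_s, pid, op, path, data) ordered by time;
    op is "read" or "write", data holds the written bytes (b"" for reads).
    """
    seen_read = defaultdict(set)   # pid -> paths the process has read
    recent = defaultdict(deque)    # pid -> (time, path) of suspicious rewrites
    flagged = set()
    for t, pid, op, path, data in events:
        if op == "read":
            seen_read[pid].add(path)
        elif op == "write" and path in seen_read[pid] and entropy(data) >= MIN_ENTROPY:
            q = recent[pid]
            q.append((t, path))
            while q and t - q[0][0] > WINDOW_S:   # drop rewrites outside the window
                q.popleft()
            if len({p for _, p in q}) >= MIN_FILES:
                flagged.add(pid)
    return flagged

def sample_events():
    """Constructed telemetry: pid 100 is an editor, pid 200 rewrites every document."""
    text = b"quarterly report draft " * 200   # low-entropy plaintext
    random_like = bytes(range(256)) * 16       # uniform bytes, entropy 8.0
    ev = [(0, 100, "read", "/docs/a.txt", b""), (5, 100, "write", "/docs/a.txt", text)]
    for i in range(6):
        path = f"/docs/file{i}.docx"
        ev.append((10 + 2 * i, 200, "read", path, b""))
        ev.append((11 + 2 * i, 200, "write", path, random_like))
    return ev

if __name__ == "__main__":
    print("flagged pids:", detect(sample_events()))
```

The rule flags on behaviour alone, so it needs no signature for the process doing the rewriting; legitimate bulk compression or encryption tools would need an allow-list in practice.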