It has to be configured to enable Intel AMT to do that, and that is if the firmware edition that has the code is installed (which I don't think is always the case). It is useful in enterprises that want remote management. It probably uses DHCP by default.
My brand-new ThinkPad T550 has an explicit ME config firmware I can enter. PRESS ENTER TO INTERRUPT BOOT -> F1 BIOS, F12 CUSTOM BOOT DEVICE, F9 INTEL ME SETUP
I can enter into it but its vital parts are password protected. Even though it is my computer, I cannot configure and control it. Scary. This is not the future I wanted.
Not every machine has AMT support even if the CPU and chipset support it.
Firmware-level ME features are usually found on the 'enterprise' grade laptops. OS driver support for ME is another issue, since that can usually be taken advantage of regardless of firmware support, but it requires additional software.
I read somewhere that ME (or another similar Intel technology) uses another MAC (it is off by one) so as not to interfere with main OS traffic. If that is really so, you can set up MAC filtering on your router to block ME traffic.
But I might be wrong. For example, this 2008 document [1] says it uses the same IP and MAC address as the OS and filters packets by port number.
If you don't trust it, it can do it any way it wants to - including spoofing traffic from the host or modulating timing of unaltered packets from the host.