Microsoft Defender
Monthly news - April 2026 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here.
🚀 New Virtual Ninja Show episodes:
- New skills in Microsoft Defender
- Autonomous AI Agents in Microsoft Defender
- Beyond KQL: Unlocking SOC Insights with Sentinel data lake Jupyter Notebooks
- Extending Attack Disruption beyond Microsoft: third‑party signals in action
RSA blog posts:
- Security Copilot in Defender: empowering the SOC with assistive and autonomous AI
- RSA 2026: What’s new in Microsoft Defender?
Actionable threat insights
- Inside an AI‑enabled device code phishing campaign
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
- Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments
- Mitigating the Axios npm supply chain compromise
Microsoft Defender
- We’re introducing a chat experience for Security Copilot directly within Microsoft Defender. Copilot is already embedded across Microsoft Defender experiences today, but now you can interact with it through an ongoing, two-way conversation. Ask questions, explore hypotheses, and follow your investigation threads across incidents, alerts, identities, devices, IPs, and other evidence. Read more about it in this blog post.
- We are expanding agentic triage to identity and cloud alerts - bringing triage for phish, identity and cloud together within a single agent. The Security Alert Triage Agent helps you autonomously determine whether these alerts represent real threats or false alarms, delivering natural language findings and transparent, step-by-step decision analysis. Read more about it in this blog post.
- Identity security enhancements: New identity security capabilities help you monitor and manage identity security for human and non-human identities:
- (Public Preview) Identity Security dashboard: The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. For more information, see The Identity Security dashboard. The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization.
- (Public Preview) Coverage and maturity page: The Coverage and maturity page shows your organization's identity security coverage with maturity levels, including Connected, Protected, Fortified, and Resilient, and prioritized setup tasks. For more information, see Coverage and maturity. The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon.
- Identity inventory: The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory.
- (Preview) Non-human identities: The Non-human identities tab shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. For more information, see Identity inventory and Investigate non-human identities.
- (Public Preview) Identity risk score: A new risk score for identities, ranging from 0 to 100, that indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity.
- (Public Preview) Domain investigation page: The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain.
- (Public Preview) Identity security recommendations: View recommendations from Active Directory, Microsoft Entra ID, SaaS applications, and supported non-Microsoft identity providers. For more information, see Identity security recommendations.
- Call to action: update older Microsoft Sentinel content as code (Sentinel repositories) API versions before June 15, 2026
- (Public Preview) The following advanced hunting schema tables are now available for preview:
- The CloudDnsEvents table contains information about DNS activity events from cloud infrastructure environments.
- The CloudPolicyEnforcementEvents table contains policy enforcement evaluation decisions and metadata of security gating events for various cloud platforms protected by the organization's Microsoft Defender for Cloud.
- To improve accuracy and better protect organizational identities, we've made updates to the Secure Score category calculations. Some security recommendations categorized as Cloud apps recommendations are now considered identity‑related and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.
- (Public Preview) Customers can now use filters on very large incidents with many alerts and entities or hide specific entities to simplify complex incident graphs. By simplifying the graphs, they can focus their investigations on what matters most. Learn more
- The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity.
Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management
- Library management for live response is now generally available. This feature provides a centralized view for managing files and scripts used during live response sessions.
- Microsoft Secure Score now includes new recommendations:
- Block outbound network connections from Microsoft HTML Application Host (mshta.exe): Helps mitigate attacks that leverage mshta.exe (a trusted Windows binary) to execute malicious scripts and communicate with external command-and-control (C2) infrastructure. Blocking outbound connections from mshta.exe disrupts common attack chains, prevents payload download and data exfiltration, and reduces the risk of living-off-the-land attacks. This is relevant for emerging attack campaigns, for example, ClickFix campaigns, where attackers abuse legitimate tools like mshta.exe to execute malicious content delivered through user interaction.
- Block file transfer over RDP: Restricts file transfer capabilities in Remote Desktop Protocol (RDP) sessions. This helps prevent attackers from using RDP sessions to transfer malicious files into the environment or exfiltrate sensitive data.
- SMB server security hardening against authentication relay attacks: Helps protect servers from credential relay attacks by strengthening Server Message Block (SMB) authentication protections, including enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption to ensure authentication integrity and protect SMB traffic from tampering or interception.
- The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity.
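The three Secure Score recommendations above map to host settings an administrator can apply and verify locally. The following PowerShell is an added example written for this post, not Microsoft's own remediation script; it assumes a 64-bit Windows host run elevated, with the NetSecurity and SmbShare modules available, and uses the standard Terminal Services policy registry path for RDP redirection (the Secure Score item itself does not name these values).

```powershell
# Added example: apply and verify the three hardening recommendations.
# Run elevated on the target host; assumes 64-bit Windows.
# Settings below are standard Windows locations, not taken from Secure Score.

function Block-MshtaOutbound {
    # mshta.exe exists in both System32 and SysWOW64 on 64-bit hosts;
    # block both so a 32-bit launch does not bypass the rule.
    $paths = @("$env:SystemRoot\System32\mshta.exe",
               "$env:SystemRoot\SysWOW64\mshta.exe")
    foreach ($p in $paths) {
        $name = "Block outbound - $p"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound `
                -Program $p -Action Block -Profile Any | Out-Null
        }
    }
}

function Disable-RdpFileTransfer {
    # Drive redirection (fDisableCdm) and clipboard redirection (fDisableClip)
    # are the two channels used to move files in and out of an RDP session.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($v in 'fDisableCdm', 'fDisableClip') {
        New-ItemProperty -Path $key -Name $v -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Enable-SmbHardening {
    # Require signing and encryption so a relayed authentication cannot be
    # reused against this server. Note: EncryptData refuses pre-SMB3 clients.
    # Extended Protection for Authentication is not configured by this snippet.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Confirm:$false
}

function Test-Hardening {
    # Returns a summary object so the resulting state can be checked or exported.
    $smb = Get-SmbServerConfiguration
    $rdp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MshtaRules      = @(Get-NetFirewallRule -DisplayName 'Block outbound - *mshta.exe' -ErrorAction SilentlyContinue).Count
        RdpDriveBlocked = ($rdp.fDisableCdm -eq 1)
        RdpClipBlocked  = ($rdp.fDisableClip -eq 1)
        SmbSigning      = $smb.RequireSecuritySignature
        SmbEncryption   = $smb.EncryptData
    }
}

Block-MshtaOutbound; Disable-RdpFileTransfer; Enable-SmbHardening
Test-Hardening | Format-List
```

Test the SMB encryption change on a non-production file server first, since clients that only speak SMB2 will lose access once EncryptData is enforced.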
Microsoft Defender for Identity
- New identity security capabilities help you monitor and manage identity security for human and non-human identities:
- (Public Preview) Identity Security dashboard: The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. Widgets show deployment status, highly privileged identities, users at risk, and domains with unsecured configurations. For more information, see The Identity Security dashboard. The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization.
- (Public Preview) The Coverage and maturity page shows your organization's identity security coverage for identity providers, on-premises identities, SaaS identities, and PAM and IGA integrations. Each source displays a maturity level, including Connected, Protected, Fortified, and Resilient, with identity counts, coverage scores, and prioritized setup tasks. For more information, see Coverage and maturity. The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon.
- The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory.
- (Public Preview) The Non-human identities tab on the Identity inventory page shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. The tab includes statistics for risky, highly privileged, overprivileged, unused, and externally published identities. A separate investigation page lets you view details for each identity. For more information, see Identity inventory and Investigate non-human identities.
- (Public Preview) A new risk score for identities, ranging from 0 to 100, that indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity.
- (Public Preview) Identity security recommendations: View recommendations for Active Directory, Microsoft Entra ID, and SaaS applications such as Microsoft, Atlassian, GitHub, Google Workspace, Salesforce, and ServiceNow. Recommendations are also available for non-Microsoft identity providers such as Okta, PingOne, CyberArk, and SailPoint. For more information, see Identity security recommendations.
- (Public Preview) Domain investigation page: The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain.
- (Public Preview) Password protection page: The Password protection page shows identity password risk from Active Directory, Microsoft Entra ID, and Okta, with tabs for password hygiene, password policies, leaked credentials, and exposed passwords. For more information, see Password protection.
- To improve accuracy and better protect organizational identities, we've made updates to the Secure Score category calculations. Some security recommendations categorized as Cloud apps recommendations are now considered identity‑related and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.
- The Suspected pass-the-ticket attack alert is now generally available. This alert was previously available in public preview as Pass-the-Ticket (PtT) attack. For more information, see Lateral movement alerts.
- These new alerts were added to the Defender for Identity security alerts:
New alerts related to Entra ID:
- Attempt to disable Defender for Identity service principal observed
- Suspicious Entra account enablement after disruption
- Suspicious Intune device registration activity
- Suspicious OS switch sign-in
- Suspicious shared client infrastructure activity
- Suspicious sign-in from unusual user agent and IP address using PowerShell
- Suspicious sign-in from unusual user agent and IP address using device code flow
New alerts related to Active Directory:
Microsoft Defender for Office 365
- Expanding user reporting in Teams to include calls: Users can report completed or missed one-to-one Microsoft Teams calls from the call history as malicious (scam) or non-malicious (non-scam), either to the specified reporting mailbox or to both Microsoft and the reporting mailbox, depending on the user reported settings.
- Added support for contextual Teams messages in user reported Teams messages: When users report Microsoft Teams messages from chats, channels (standard, shared, and private), and meeting conversations to Microsoft as malicious (security risk), up to fifteen messages before and after the reported message are shared for analysis.
Microsoft Defender for Cloud Apps
- To improve accuracy and better protect organizational identities, some security recommendations categorized as Cloud apps recommendations are now considered identity‑related and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.