Microsoft Defender XDR Blog

Monthly news - May 2023

HeikeRitter
Microsoft
Apr 05, 2023

Microsoft 365 Defender
Monthly news
May 2023 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2023.  

Microsoft 365 Defender
New XDR solution page is now live. Microsoft is excited to launch a new solution webpage to showcase our industry-leading XDR solution, along with an eBook and infographic that outline customer challenges and how XDR solves them.
Feedback portal for your feature requests. A place for you to surface new feature requests for Microsoft 365 Defender and upvote them. 
New alert classification guide for password spray attacks. This alert classification playbook helps defenders investigate password spray attacks by following a step-by-step flow to investigate alerts related to these attacks. The playbook contains advanced hunting queries that defenders can use to gather more information about the alerts. The playbook also has recommended steps to mitigate the attacks.
New threat actor naming taxonomy explained. Microsoft's shift to the new weather-themed taxonomy offers a more organized and easier way to reference threat actors, helping our customers and other security researchers bring clarity to threat actor data that might otherwise be overwhelming. The documentation lists all threat actors that Microsoft tracks, including each actor's old name, new name, and the names other security vendors use for it.
Microsoft Defender for Endpoint

Multiple Zeek signals can now be used in advanced hunting queries. Announced in Oct 2022 at Microsoft Ignite, the integration of Zeek network signals into Microsoft 365 Defender has now started. Hunters can now inspect HTTP, SSH, and ICMP connections through the corresponding action types in advanced hunting. More action types are being added as we further enhance and explore our partnership with Zeek.

Defender for Endpoint and disconnected environments: Cloud-centric networking decisions. This article, along with the two previous articles, provides you with a better understanding of Defender for Endpoint and how it works in a disconnected environment.
Discovering internet-facing devices using Microsoft Defender for Endpoint. We are expanding our device discovery capabilities through our existing network telemetry and RiskIQ integration. We’re thrilled to announce the ability to discover internet-facing devices is now in public preview.
Microsoft Defender for Cloud Apps

RSA News: Taking XDR for SaaS apps to the next level - App Governance is now included in E5 Security. RSA announcement: unlock new value for E5 Security customers with the inclusion of App Governance in Microsoft Defender for Cloud Apps at no additional cost.

Simplifying SaaS Security: Deploying Microsoft Defender for Cloud Apps in 4 steps. Learn how you can deploy Defender for Cloud Apps in 4 easy steps.
Native Integration of Microsoft Defender for Cloud Apps in Microsoft 365 Defender. The entire Defender for Cloud Apps experience in Microsoft 365 Defender is now generally available! In addition, the automatic redirection toggle is generally available.
Initially the toggle defaults to OFF; you need to explicitly opt in to automatic redirection to start using Microsoft 365 Defender exclusively. We encourage you to switch it on.
Once the redirection setting is enabled, users accessing the Microsoft Defender for Cloud Apps portal are automatically routed to the Microsoft 365 Defender portal.
This enables best-in-class threat detection across security workloads, provides protection for users and app-to-app interactions, and delivers a holistic investigation experience.
Microsoft Defender for Identity

Identity timeline now contains new and enhanced features! The identity timeline in the Microsoft 365 Defender portal now contains additional improvements. With the updated timeline, you can filter by Activity type, Protocol, and Location, in addition to the original filters. You can also export the timeline to a CSV file and find additional information about activities associated with MITRE ATT&CK techniques.

New Health alert. New health alert for verifying that Directory Services Configuration Container Auditing is configured correctly, as described in the health alerts page.

New workspaces for AD tenants mapped to New Zealand will be created in the Australia East region. For the most current list of regional deployments, see Defender for Identity components.

Microsoft Defender for Office 365
Attack Simulation Training: Using machine learning to drive more effective simulations. To combat the tendency to use low-click-rate payloads and to maximize educational returns, we have created a new piece of metadata for every global payload in AST called predicted compromise rate (PCR).
Email Protection Basics in Microsoft 365: Anti-malware, Safe Attachments, and Quarantine. In this fourth part of the blog series, we cover how anti-malware and Safe Attachments protections work for known and unknown threats and review common quarantine operations, quarantine policies, and notifications.
Training only campaign is now available with an expanded training module library. Attack Simulation Training now lets admins launch a Training only campaign. This means you can assign training modules directly to users within your organization without configuring a phishing simulation campaign. Along with this release, we are expanding our training content library to more than 70 training modules!
Microsoft Defender Vulnerability Management

Check out this blog for a summary of what’s new in Microsoft Defender Vulnerability Management | April 2023 Update. 

Blogs on Microsoft Security

Microsoft shifts to a new threat actor naming taxonomy. Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather.

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets. Report on a mature and active subset of Mint Sandstorm quickly adopting and operationalizing exploits for newly reported, high-severity vulnerabilities to deploy custom malware in organizations of interest, including critical infrastructure.
Threat actors strive to cause Tax Day headaches. With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT).
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia. Microsoft analyzes a threat group tracked as DEV-0196, the actor’s iOS malware “KingsPawn”, and their link to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infrastructure called REIGN, that’s designed to exfiltrate data from mobile devices.
MERCURY and DEV-1084: Destructive attack on hybrid environment. Microsoft detected a unique operation in which threat actors had extensive destructive impact on a customer's on-premises and cloud environment.
DevOps threat matrix: Categorizing and mapping techniques attackers use to target DevOps environments.
Updated Oct 29, 2024
Version 4.0