Microsoft Defender
Monthly news - May 2026 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here.
🚀 New Virtual Ninja Show episodes:
- The future of identity protection with Predictive Shielding
- Network-layer data protection with Microsoft Entra GSA and Purview DLP
- Data lake federation: hunt across external data without ingesting it
Weekly Security News: We publish a short, roughly one-minute video every week with updates across our Microsoft Security stack. Subscribe to our YouTube channel so you don't miss the next episode.
Actionable threat insights
- CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments
- Email threat landscape: Q1 2026 trends and insights
- Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
- Detection strategies across cloud and identities against infiltrating IT workers
- Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
Microsoft Defender
- Blog post: Containing a domain compromise: How predictive shielding shut down lateral movement
- (Public Preview) You can now view the current status of automatic attack disruption and predictive shielding actions related to a specific incident. You can view this data in the Activities tab of the incident page. Learn more
- We made several enhancements across the Advanced hunting experience, read this blog post for all the details.
- (Public Preview) The AIAgentsInfo table in advanced hunting now includes additional columns that provide deeper visibility into AI agents operating in your Microsoft 365 environment. These fields expand coverage beyond Copilot Studio to all agent types, including Microsoft Foundry, third-party marketplace, and custom line-of-business agents.
- (Generally Available) Built-in alert tuning rules are now generally available. Built-in alert tuning rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 without affecting Automated Investigation and Response (AIR) investigations and email notifications.
- Microsoft Defender Experts for XDR customers can now see Defender Experts as a distinct entry in the Microsoft Defender portal navigation menu. This feature adds to the existing home page status card as in-portal experiences that provide consistent and predictable access to the service. Learn more
- Blog post: Simplifying AWS defense with Microsoft Sentinel UEBA
- Call to action: update automation by July 1, 2026 - Account Name is now consistently the UPN prefix for analytics rule alerts! Microsoft Sentinel is updating how the account entity's Account Name value is populated for analytics rule alerts when the full UPN is mapped into Account Name. This change improves consistency for downstream automation rules and Logic Apps playbooks. For more information, including before and after examples, read the blog article Update: Changing the Account Name Entity Mapping in Microsoft Sentinel.
- For all other Sentinel News, have a look at the "What's new in Microsoft Sentinel blog post - April edition"
Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management
- (Public Preview) You can now view the current status of automatic attack disruption and predictive shielding actions related to a specific incident. You can view this data in the Activities tab of the incident page. Learn more
- Microsoft Secure Score now includes the recommendation "Ensure devices are updated to Secure Boot 2023 certificates and boot manager", which helps identify devices that haven't yet transitioned to the new Secure Boot 2023 certificates required ahead of the June 2026 expiration. To learn more about the recommendation, see Assess Secure Boot status with Microsoft Defender (blog).
Microsoft Defender for Identity
- (Public Preview) Custom account correlation rules. Custom account correlation rules let you link accounts that belong to the same identity, such as privileged accounts with unique naming conventions. You can correlate accounts that don't share strong identifiers such as account ID, SID, object ID, or UPN by defining rules based on UPN prefix, UPN suffix, domain UPN, or employee ID. For more information, see Create custom account correlation rules.
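Two items in this edition hinge on the same piece of string handling: the Sentinel change above that makes Account Name consistently the UPN prefix, and the Defender for Identity correlation rules that link accounts by UPN prefix, UPN suffix, domain UPN, or employee ID. The example below is added here and is not Microsoft's code, nor the products' actual rule syntax or entity schema; it models both ideas in plain Python over a constructed sample directory. The "adm-" naming convention, the admin.corp.example alias domain, the employee IDs and every account record are assumptions made for illustration.

```python
"""Added example (not Microsoft's code). With constructed data it models:
(1) reducing an account entity's Account Name to its UPN prefix, the form
Sentinel now emits for analytics rule alerts, so automation keyed on that
field behaves the same before and after the change; (2) account correlation
rules in the spirit of Defender for Identity, linking accounts that share no
strong identifier via UPN prefix, UPN suffix/domain, or employee ID.
Rule semantics, naming conventions and account records are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Account:
    upn: str                            # e.g. "adm-jdoe@corp.example"
    employee_id: Optional[str] = None   # shared HR identifier, if known


def upn_prefix(value: str) -> str:
    """Reduce an account name to the UPN prefix (the part before '@').
    Pre-change values may be a full UPN or DOMAIN\\user; post-change values
    are already the bare prefix. All three collapse to the same string."""
    if "@" in value:
        return value.split("@", 1)[0]
    if "\\" in value:
        return value.rsplit("\\", 1)[1]
    return value


def upn_suffix(value: str) -> str:
    """Domain part of a UPN, lower-cased; empty string if not a UPN."""
    return value.split("@", 1)[1].lower() if "@" in value else ""


# A rule maps an account to a correlation key, or None if it does not apply.
# Any two accounts that receive the same key are linked to one identity.
Rule = Callable[[Account], Optional[str]]


@dataclass
class UpnRule:
    """Correlate on a normalised UPN: strip privileged-account decorations
    from the prefix (UPN prefix rule) and fold aliased admin domains onto
    their canonical domain (domain UPN / UPN suffix rule)."""
    prefix_strip: tuple[str, ...] = ()                 # e.g. ("adm-", "-da")
    domain_aliases: dict[str, str] = field(default_factory=dict)

    def __call__(self, acct: Account) -> Optional[str]:
        prefix = upn_prefix(acct.upn).lower()
        for deco in self.prefix_strip:
            if prefix.startswith(deco):
                prefix = prefix[len(deco):]
            elif prefix.endswith(deco):
                prefix = prefix[: -len(deco)]
        suffix = upn_suffix(acct.upn)
        suffix = self.domain_aliases.get(suffix, suffix)
        return f"upn:{prefix}@{suffix}" if prefix else None


def employee_id_rule(acct: Account) -> Optional[str]:
    """Correlate accounts that carry the same employee ID."""
    return f"emp:{acct.employee_id}" if acct.employee_id else None


def correlate(accounts: list[Account], rules: list[Rule]) -> list[frozenset[str]]:
    """Union-find over accounts: every rule that yields an identical key for
    two accounts merges them. Returns identities as sets of UPNs."""
    parent = {a.upn: a.upn for a in accounts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for rule in rules:
        first_seen: dict[str, str] = {}
        for acct in accounts:
            key = rule(acct)
            if key is None:
                continue
            if key in first_seen:
                parent[find(acct.upn)] = find(first_seen[key])
            else:
                first_seen[key] = acct.upn

    groups: dict[str, set[str]] = {}
    for acct in accounts:
        groups.setdefault(find(acct.upn), set()).add(acct.upn)
    return sorted((frozenset(g) for g in groups.values()), key=min)


# Constructed sample: two people, each with an "adm-" tier-0 account, one
# account in an aliased admin domain, and a partner-tenant account that is
# linkable only through its employee ID.
SAMPLE_ACCOUNTS = [
    Account("jdoe@corp.example", employee_id="E100"),
    Account("adm-jdoe@corp.example"),
    Account("jdoe@admin.corp.example"),
    Account("john.doe@partner.example", employee_id="E100"),
    Account("asmith@corp.example", employee_id="E200"),
    Account("adm-asmith@corp.example"),
]
SAMPLE_RULES: list[Rule] = [
    UpnRule(prefix_strip=("adm-",),
            domain_aliases={"admin.corp.example": "corp.example"}),
    employee_id_rule,
]


def sample_identities() -> list[frozenset[str]]:
    return correlate(SAMPLE_ACCOUNTS, SAMPLE_RULES)


if __name__ == "__main__":
    for ident in sample_identities():
        print(sorted(ident))
```

The two rules deliberately key on different things so that one weak signal (a shared prefix) never links accounts across unrelated domains unless a domain alias says those domains are the same organisation; the employee ID rule is what bridges the partner-tenant account, which a UPN-based rule alone would leave as a separate identity. For Sentinel automation, `upn_prefix` is the point: if a playbook compares Account Name against a watchlist, normalising both sides through the same function keeps it correct whether the alert was produced before or after the mapping change.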
- (Generally Available) The Automatic Windows event-auditing configuration for sensors v3.x is now generally available. Automatic Windows event-auditing streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones.