Monthly news - November 2025

Microsoft Defender
Monthly news - November 2025 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 

⏰ Microsoft Ignite 2025 November 18-20, register now!

🚀 New Virtual Ninja Show episode:

• What’s new for Microsoft Teams protection in Defender for Office 365
  
  

Microsoft Defender

• Custom detections are now the unified experience for creating detections in Microsoft Defender! Read this blog for all the details. 
• How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot. We’re excited to share that Microsoft Defender now provides visibility into prompt injection attempts within Microsoft 365 Copilot and helps security teams detect and respond to prompt injection attacks more efficiently and at a broader context, with insights that go beyond individual interaction.  
• Microsoft Defender Experts for Hunting reports now include an Emerging threats section that details the proactive, hypothesis-based hunts we conducted in your environment. Each report also now includes investigation summaries for nearly every hunt that Defender Experts conduct in your environment, regardless of whether they identified a confirmed threat.
• Microsoft Defender Experts for XDR reports now include a Trends tab provides you with the monthly volume of investigated and resolved incidents for the last six months, visualized according to the incidents' severity, MITRE tactic, and threat type. This section gives you insight into how Defender Experts are tangibly improving your security operations by showing important operational metrics on a month-over-month basis.
• Threat Intelligence Export is now available in Microsoft Sentinel. Traditionally, Microsoft Sentinel has supported importing threat intel from external sources (partners, governments, ISACs, or internal tenants) via Structured Threat Information eXpression (STIX) via Trusted Automated eXchange of Intelligence Information (TAXII). With this new export feature, you can now share curated threat intel back to trusted destinations. This empowers security teams to contribute threat intel to other organizations in support of collective defense, or to their own central platform to add or enrich threat intelligence.

Microsoft Defender for Identity 

• We’re excited to announce that the Defender for Identity Unified Sensor (v3.x) is now generally available (GA). The unified sensor provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers. Learn more on how to active it in our docs..

Microsoft Defender for Office 365

• 📘 Email Authentication SecOps Guide (New learn doc) - visit & bookmark our short link: https://aka.ms/authguide
• The following docs article has been updated with with Compauth Codes: Message Headers Reference
• New blog series: Best practices from the Microsoft Community
  • Defender for Office 365: Migration & Onboarding
    Onboarding to Microsoft Defender for Office 365 is often treated as a quick setup task, but it should be seen as a critical opportunity to establish strong security foundations. In my roles supporting incident response and security operations in Microsoft 365, I have observed that onboarding is often underestimated. - Purav Desai, Dual Microsoft Security MVP (Most Valuable Professional)
    This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections.

  • Safeguarding Microsoft Teams with Microsoft Defender for Office 365
    As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security MVP, and the Defender for Office 365 Product Engineering Team, this guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps.

Microsoft Defender for Endpoint

• End of Windows 10 Support: What Defender Customers Need to Know
  As of October 14, 2025, Microsoft officially ended support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from Microsoft. While these devices will continue to operate, the lack of regular security updates increases vulnerability to cyber threats, including malware and viruses. Applications running on Windows 10 may also lose support as the platform stops receiving updates. 
• Endpoint Security Policies can now be distributed via MTO's (Multi Tenant Organization) Content Distribution capability. This capability moved from Public Preview to General Availability (GA). With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content - such as custom detection rules and now, endpoint security policies - from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. You can read the announcement blog for public preview, as the content shares valuable insights. 
• (Public Preview) Streamlined connectivity support for US government environments (GCC, GCC High, DoD). Learn more in our docs.
• (General Availability) Isolation exclusions. The Isolation exclusions feature is now generally available. Isolation exclusions allow designated processes or endpoints to bypass the restrictions of network isolation, ensuring essential functions continue while limiting broader network exposure. Learn more in our docs.

Microsoft Defender Vulnerability Management

• (Public Preview) Microsoft Secure Score now includes three new Attack Surface Reduction (ASR) based proactive recommendations that help organizations prevent common endpoint attack techniques including web-shell persistence, misuse of system tools, and Safe Mode based evasion.
• (Public Preview) You can now use CVE exceptions to exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. CVE exceptions allow you to control what type of data is relevant to your organization and to selectively exclude certain data from your remediation efforts. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions.

Microsoft Security Blogs

• The new Microsoft Security Store unites partners and innovation
  On September 30, 2025, Microsoft announced a bold new vision for security: a unified, AI-powered platform designed to help organizations defend against today’s most sophisticated cyberthreats. But an equally important story—one that’s just beginning to unfold—is how the Microsoft Security Store is bringing this vision to life through a vibrant ecosystem of partners, developers, and innovators—all contributing together to deliver more value and security to our customers. Security Store is the gateway for customers to easily discover, buy, and deploy trusted security solutions and AI agents from leading partners—all verified by Microsoft Security product teams to work seamlessly with Microsoft Security products.
• Inside the attack chain: Threat activity targeting Azure Blob Storage 
  Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics.
• Investigating targeted “payroll pirate” attacks affecting US universities 
  Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”.
• Disrupting threats targeting Microsoft Teams 
  Threat actors seek to abuse Microsoft Teams features and capabilities across the attack chain, underscoring the importance for defenders to proactively monitor, detect, and respond effectively.
• Harden your identity defense with improved protection, deeper correlation, and richer context 
  Expanded ITDR features—including the new Microsoft Defender for Identity sensor, now generally available—bring improved protection, correlation, and context to help customers modernize their identity defense.