Microsoft Defender XDR Blog

Monthly news - October 2025

HeikeRitter
Oct 01, 2025

Microsoft Defender
Monthly news - October 2025 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from September 2025. Defender for Cloud has its own Monthly News post; have a look at their blog space.


⏰ Microsoft Ignite 2025 November 18-20, register now!

🚀 New Virtual Ninja Show episodes:

Microsoft Defender

  • Move your Microsoft Sentinel experience into Microsoft Defender to streamline security operations into a single, AI-powered interface. This move enhances analyst efficiency, integrates threat insights, and improves response times through automation and advanced posture management. Customers are encouraged to begin planning their migration now to ensure a smooth transition and maximize the benefits of the new experience. Learn more about planning your move to the Defender portal here.

  • Microsoft Defender delivered 242% return on investment over three years. The latest 2025 commissioned Forrester Consulting Total Economic Impact™ (TEI) study reveals a 242% ROI over three years for organizations that chose Microsoft Defender. Read more in our blog.
  • Custom detection rules get a boost. If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. 
  • (Public Preview) In advanced hunting, you can now hunt using the hunting graph, which renders predefined threat scenarios as interactive graphs.
  • (Public Preview) You can investigate incidents using Blast radius analysis, which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions.

Microsoft Defender for Cloud Apps

  • (Public Preview) Protect Copilot Studio AI Agents in Real Time with Microsoft Defender. Microsoft Defender offers real-time protection during runtime for AI agents built with Microsoft Copilot Studio. This capability automatically blocks the agent’s response during runtime if a suspicious behavior like a prompt injection attack is detected, and notifies security teams with a detailed alert in the Microsoft Defender portal. Learn more about it in this blog.
  • Protect against OAuth Attacks in Salesforce with Microsoft Defender. In this blog, we delve into one of the Salesforce OAuth attack campaigns and provide guidance on how organizations can use Microsoft Defender to protect against this and similar SaaS attack campaigns.

Microsoft Defender for Identity 

  • Defender for Identity data centers are now also deployed in the United Arab Emirates, North and Central regions. For the most current list of regional deployments, see Defender for Identity data locations.
  • (Public Preview) We are excited to announce the availability of a new Graph-based API for managing unified agent server actions in Defender for Identity. This capability is currently in preview and available in API Beta version. This API allows customers to:
    • Monitor the status of unified agent servers
    • Enable or disable the automatic activation of eligible servers
    • Activate or deactivate the agent on eligible servers
    For more information, see Managing unified agent actions through Graph API.
  • Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you might see a decrease in the number of alerts raised. Learn more on our docs page.
  • We've added a new tab on the Identity profile page that contains all active identity security posture assessments (ISPMs). This feature consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions. Learn more on our docs page.
  • (Public Preview) Defender for Identity supports the Unified connectors experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency. For more information, see: Connect Okta to Microsoft Defender for Identity.

Microsoft Defender for Office 365

  • Near real-time URL protection in Teams messages:
    - Known malicious URLs in Teams messages are delivered with a warning. Messages found to contain malicious URLs up to 48 hours after delivery also receive a warning. The warning is added to messages in internal and external chats and channels for all URL verdicts (not just malware or high confidence phishing).
  • Users can report external and intra-org Microsoft Teams messages as non-malicious (not a security risk) from the following locations:
    • Chats
    • Standard, shared, and private channels
    • Meeting conversations

User reported settings determine whether reported messages are sent to the specified reporting mailbox, to Microsoft, or both. Also added support for Teams message reporting on Teams mobile client.

Microsoft Security Exposure Management

  • Cloud Attack Paths now reflect real, externally driven and exploitable risks that adversaries could use to compromise your organization, helping you cut through the noise and act faster. The paths now focus on external entry points and how attackers could progress through your environment reaching business-critical targets. Read more about it in this blog: Refining Attack Paths: Prioritizing Real-World, Exploitable Threats
  • The legacy Azure AD Connect asset rule has been removed from Critical Assets. Its associated device role, AzureADConnectServer, will be deprecated in December 2025. Ensure all relevant custom rules are transitioned to use the new device role, EntraConnectServer, to maintain compliance and visibility. For more information, see Predefined classification.
  • New predefined classifications: predefined Device classification rules for SharePoint Server and Microsoft Entra ID Cloud Sync were added to the critical assets list. For more information, see Predefined classification.
  • We have added new data connectors for Wiz and Palo Alto Prisma. These connectors enable seamless integration of vulnerability and asset data from leading cloud security platforms into Microsoft Security Exposure Management, providing enhanced visibility and context for your environments. For more information, see: Wiz data connector, Palo Alto Prisma data connector.

Microsoft Security Blogs
