Monthly news - September 2025

Microsoft Defender
Monthly news - September 2025 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. 

New Virtual Ninja Show episodes:

• Announcing Microsoft Sentinel data lake. 
• Inside the new Phishing Triage Agent in Security Copilot.

Microsoft Defender

• Public Preview items in advanced hunting:
  • The new CloudStorageAggregatedEvents table is now available and brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. 
  • You can now investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting.
  • The IdentityEvents table contains information about identity events obtained from other cloud identity service providers.
  • You can now enrich your custom detection rules in advanced hunting by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel.
  • The number of query results displayed in the Microsoft Defender portal has been increased to 100,000.
• General Availability item in advanced hunting: you can now view all your user-defined rules - both custom detection rules and analytics rules - in the Detection rules page. This feature also brings the following improvements:
  • You can now filter for every column (in addition to Frequency and Organizational scope).
  • For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace.
  • You can now view the details pane even for analytics rules.
  • You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
• (General Availability) Defender Experts for XDR and Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more
• (General Availability) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments.
• (General Availability) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts.
• (Public Preview) Suggested prompts for incident summaries. Suggested prompts enhance the incident summary experience by automatically surfacing relevant follow-up questions based on the most crucial information in a given incident. With a single click, you can request deeper insight (e.g. device details, identity information, threat intelligence) and obtain plain language summaries from Security Copilot. This intuitive, interactive experience simplifies investigations and speeds up access to critical insights, empowering you to focus on key priorities and accelerate threat response.

Microsoft Defender for Endpoint

• (Public Preview) Multi-tenant endpoint security policies distribution is now in Public Preview. Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. 
• (Public Preview) Custom installation path support for Defender for Endpoint on Linux is available in public preview.
• (Public Preview) Offline security intelligence update support for Defender for Endpoint on macOS is in public preview.

Microsoft Defender for Identity 

• (Public Preview) Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in advanced hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
• (Public Preview) Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts. For more information, see: Security Assessment: Remove Inactive Service Accounts
• (Public Preview) A new Graph-based API is now in preview for initiating and managing remediation actions in Defender for Identity. For more information, see Managing response actions through Graph API.
• (General Availability) Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity.
• (Public Preview) The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise. For more information, see: Security Assessment: Remove discoverable passwords in Active Directory account attributes.
• Detection update: Suspected Brute Force attack (Kerberos, NTLM). Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase.

Microsoft Defender for Office 365

• SecOps can now dispute Microsoft's verdict on previously submitted email or URLs when they believe the result is incorrect. Disputing an item links back to the original submission and triggers a reevaluation with full context and audit history. Learn more.

Microsoft Security Blogs

• Dissecting PipeMagic: Inside the architecture of a modular backdoor framework 
  A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application.
• Think before you Click(Fix): Analyzing the ClickFix social engineering technique 
  The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily.
• Storm-0501’s evolving techniques lead to cloud-based ransomware 
  Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).