Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code Phishing
Expanding Cross Cloud Multitenant Security Operations for Government Customers
Securing complex, multitenant environments is a top priority for government organizations operating in highly regulated cloud environments. We are excited to introduce a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. These capabilities are now in public preview. Bringing Multitenant Security Operations to Government Cloud Security teams in government cloud environments—such as GCC High and DoD—face unique challenges when managing multiple tenants across different cloud environments. Until now, they lacked a unified view of their security posture across government and commercial clouds. Challenges customers faced included: US government customers require a unified view between different cloud environments. Such a view must honor high/low boundaries and compliance requirements. Users in federal environments can see only the tenants that are in the same AAD cloud, or add tenants in a structure of DOD <-> GCCH and GCC -> Commercial. The new cross-cloud capabilities are designed to enable customers to gain visibility across different clouds by manually adding remote tenants into their aggregated View. This will enable users in GCCH or DOD to add tenants from GCC or Commercial. With our latest enhancement, multitenant management in the unified SecOps platform now supports the ability to view and manage tenants from different cloud environments across Microsoft Sentinel and Defender XDR. This means that security operations teams working in GCC High and DoD can now view and manage their tenants in Microsoft GCC and Commercial cloud environments, across products—all from a single pane of glass. Why This Matters Government agencies and service providers require strict security controls, data residency compliance, and operational efficiency when managing multiple tenants. This new capability addresses these needs by offering: Unified Incident Management – Security teams can now more easily manage incidents across Microsoft Sentinel and Defender XDR, in a single workstream. Unified view across cloud types - Security analysts can now view and manage security incidents across all their tenants, regardless of cloud environment, enabling faster and more effective response times. Cross-Tenant Investigation – Analysts can investigate threats across multiple tenants and cloud environments, ensuring no blind spots in their security posture. Scalable Content Management – Organizations can now manage and distribute security content at scale across all their tenants, from all environments, reducing operational overhead and improving consistency. Security and Compliance First While enabling cross-cloud visibility, we remain committed to keeping customer data secure and compliant with data residency requirements. Security teams can confidently leverage this new capability, knowing that their sensitive data remains within their designated cloud environment while still benefiting from a consolidated security view. Looking Ahead This is just the beginning. As we continue to enhance multitenant security management, we remain focused on delivering capabilities that improve efficiency, security, and compliance at scale. We encourage security teams in government environments to explore these new capabilities and experience the benefits of unified security management across all their tenants. To learn more, visit Manage tenants in other Microsoft cloud environments - Microsoft's unified security operations platform | Microsoft Learn FAQ: Which clouds could be connected? Answer: If your user is in GCCH or DOD, you can use our multi-tenant solution with tenants from GCCH, DOD, GCC or COM.Monthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMwareMonthly news - August 2024
Microsoft Defender XDR Monthly news August 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2024.
