microsoft 365 defender
Very High Increase in CPU activity after Update of Microsoft Defender for Identity sensor
All our servers that are running this sensor (DCs, Certificate servers, AD Connect servers) showed a massive increase in average CPU utilization from virtually straight after the sensor was automatically updated to version 2.254.19112.470 (late night UK time). Two of our DCs are sitting at 100% CPU today and we can't find anything to resolve it. Has anyone else seen this since running this version, and if so, what actions did you take? How would we roll back to the previous version when it appears it will just be automatically updated again soon after? This is our monitoring of CPU utilization from one of the majorly affected DCs, but every server with the sensor had the exact same graph showing a major increase in CPU at the same date and time, i.e. just after the sensor was updated.

Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response
New Layers of Protection for Teams Messages

With more than 300 million monthly active users on Microsoft Teams, securing collaboration has become increasingly critical. As the threat landscape continues to change, security measures must adapt with it. To address these challenges, we are pleased to announce enhanced protection and security operations response capabilities for enterprise Teams messages containing URLs, powered by Microsoft Defender.

Threat Profile – Tech Support Impersonation with Phishing URLs

In previous blogs, we discussed how threat actors run multimodal attacks against users in an organization over Teams by impersonating tech support. Lately, some of these attackers have been observed steering their victims towards malicious websites that appear purpose-built to complete their objectives while allaying the victim's suspicions. The typical attack chain proceeds as follows:

Hybrid attacks often begin with mail bombing (spam) directed at the targeted individual, followed by Teams messages or calls in which the attacker impersonates IT support personnel offering to resolve the spam issue.
Victims may then be deceived into granting the attacker system access via remote management and monitoring tools such as Quick Assist or AnyDesk.
In recent incidents, attackers have directed victims to malicious URLs that closely resemble legitimate internal IT security update or patching tools, complete with falsified logos and branding. These sites are in fact conventional phishing pages intended to capture user credentials and enable malware deployment, while victims believe their spam problem is being resolved.
[Figure: Rendering of a malicious URL shared over Teams by an attacker to an intended victim]

Microsoft Defender uses robust detection engines and threat intelligence to support URL warnings, post-delivery protection, and advanced hunting for Teams, enabling comprehensive protection against evolving attack vectors.

Near real-time defense
For worldwide customers with Teams enterprise licenses and above

Our new near-real-time protection ensures that any message containing URLs is scanned and appropriately flagged before delivery. When a malicious URL is detected, end users see a warning tip on the message at delivery, helping them recognize and avoid the risk. Threats don't always appear right away, so to stay ahead of evolving attacks, protection continues for up to 48 hours after a message is delivered. If a previously safe URL later becomes weaponized, the message is automatically updated with a warning tip, so users remain protected even after the message reaches them. This dual-layered approach means:

Immediate warnings for messages with known malicious URLs.
Post-delivery detection that adapts to evolving threats.
Protection across internal and external communications, including chats and channels, regardless of tenant origin.

These capabilities, powered by Microsoft Defender, will provide out-of-the-box protection: they will be enabled by default and available to all Teams enterprise users, with no additional configuration required, so every user benefits from advanced protection.

Empowering Users and SOC Teams
For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security is a shared responsibility. We're enabling users to report false negatives (FN) and false positives (FP) directly from Teams messages. These reports feed into Microsoft Defender investigation workflows, helping improve detection accuracy and reduce support overhead.
Users can now report potentially malicious messages, or messages incorrectly detected as malicious, directly from the message context menu in Microsoft Teams:

Report as security risk: for messages that seem suspicious but weren't flagged.
Report as not security risk: for messages that were flagged but are actually safe.

This lets users actively contribute to their organization's security management and protection efforts, while improving the accuracy of Microsoft Defender detection controls. Reports may be submitted for both internal and external communications, including chats, meetings, and channels, across the Teams web, desktop, and mobile clients. Upon submission, these reports are available to administrators and security operations personnel in the Microsoft Defender portal as incidents, where they can be triaged, investigated, and responded to.

Holistic Visibility for Security Operations Teams
For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security operations teams need context, coverage, and control. That's why we've introduced three new Advanced Hunting tables in Microsoft Defender, designed specifically to surface Microsoft Teams message metadata and enable deep investigations across both internal and external communications:

MessageEvents: captures metadata for all Teams messages containing URLs at the time of delivery.
MessagePostDeliveryEvents: surfaces messages that were flagged as malicious after delivery, including Zero-hour auto purge (ZAP) actions.
MessageURLInfo: provides granular details on URLs extracted from Teams messages.

These tables are now generally available in the Microsoft Defender portal, providing direct insight into Teams message flows. SOC teams can now hunt across all external (federated) messages, not just messages that contain URLs.
This is a major step forward in enabling cross-tenant threat detection and response, especially in today's hybrid collaboration environments. All three tables are accessible via the Advanced Hunting APIs and Streaming APIs, allowing SOC teams to integrate hunting workflows into their existing automation pipelines.

To further enhance visibility, we've added a new column called SafetyTip to both the MessageEvents and MessagePostDeliveryEvents tables. This column records whether a URL warning tip was shown to the user in the Teams client, helping SOC teams distinguish between warning and block detections.

Third-party security information and event management (SIEM) solutions can also consume these hunting tables via the Microsoft Defender Streaming API. For instance, with the latest version of the Microsoft Defender Splunk connector, the new tables can be configured to flow automatically into your Splunk instance, supporting extended data retention. Make sure the new Teams protection tables are selected during connector configuration so that the relevant data is transferred continuously.

Empower Security Teams to Act Against Threats
For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

We've introduced a new capability that gives security teams greater control and confidence when managing potential risks in Teams. Security admins can investigate suspicious conversations in Advanced Hunting and immediately remove internal users from unsafe chats, revoking their access and clearing all prior chat history to prevent further exposure. This proactive step keeps employees protected from threat actors and sensitive information secure. The experience is streamlined through the Action Wizard, accessible directly from the Teams entity flyout, making remediation fast and intuitive.
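As an added example (not code from the original post or from Microsoft's documentation), the following Advanced Hunting query joins the MessageEvents and MessagePostDeliveryEvents tables described above to find Teams messages that were delivered and only later flagged, and uses the SafetyTip column to separate warning outcomes from block outcomes. It assumes a shared TeamsMessageId key plus Timestamp, ThreatTypes, SenderEmailAddress, RecipientEmailAddress and ThreadType columns; none of those are named on this page, so check them against the schema reference in the portal before relying on the query.

```kql
// Added example; not part of the original post or Microsoft's documentation.
// SafetyTip, MessageEvents and MessagePostDeliveryEvents are described above.
// Assumed (not stated on the page): both tables share a TeamsMessageId key and
// carry Timestamp and ThreatTypes; MessageEvents has SenderEmailAddress,
// RecipientEmailAddress and ThreadType.
let lookback = 7d;
// Messages as they were delivered, with the warning-tip state at delivery time.
let delivered =
    MessageEvents
    | where Timestamp > ago(lookback)
    | project TeamsMessageId, DeliveredAt = Timestamp, TipAtDelivery = SafetyTip,
              SenderEmailAddress, RecipientEmailAddress, ThreadType;
// Messages flagged after delivery (ZAP / retroactive detection), joined back to
// the delivery record so we can measure how long the URL sat unflagged.
MessagePostDeliveryEvents
| where Timestamp > ago(lookback)
| project TeamsMessageId, FlaggedAt = Timestamp, ThreatTypes, TipAfterDelivery = SafetyTip
| join kind=inner delivered on TeamsMessageId
| extend MinutesExposed = datetime_diff('minute', FlaggedAt, DeliveredAt)
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Senders = dcount(SenderEmailAddress),
            MedianMinutesExposed = percentile(MinutesExposed, 50),
            MaxMinutesExposed = max(MinutesExposed)
          by ThreatTypes, ThreadType, TipAtDelivery, TipAfterDelivery
| order by Messages desc
```

MinutesExposed is the window between delivery and the post-delivery flag, i.e. the interval in which a recipient could have clicked the URL before a warning tip or ZAP intervened. Grouping by TipAtDelivery and TipAfterDelivery shows which messages carried no warning at all when they landed, which is the population worth cross-checking against UrlClickEvents and user reports.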
Every action is fully traceable in the Action Center, which provides a centralized view for monitoring and validating security interventions, while audit logs deliver records for reporting. These capabilities let organizations contain risks in real time, strengthen collaboration security, and maintain trust across their digital workplace.

Response capabilities for Security Teams
For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

In addition to these enhanced detection, investigation, and hunting capabilities, security team members can now perform advanced response actions for Microsoft Teams directly in the Microsoft Defender portal. Security Operations Center (SOC) analysts and admins can block malicious domains from within the Microsoft Defender portal, adding targeted entries to the Teams Admin Center (TAC) blocked domains list without leaving their security workflow or switching portals. This enables near-real-time protection when suspicious or abusive external organizations are identified: SOC teams can immediately block them, halting new external chat messages, invites, and channel communications from those domains while deleting existing ones. These controls let organizations react to emerging risks in minutes while maintaining compliance and reducing operational overhead.

Expanding Admin Quarantine and Zero-Hour Auto-Purge (ZAP) to MDO P1

We are also extending Zero-hour auto-purge (ZAP) and Teams admin quarantine to more customers, bringing this post-delivery protection layer to Microsoft Defender for Office 365 Plan 1. This reinforces our commitment to secure-by-default protection across all Microsoft Teams environments. ZAP automatically moves malicious messages containing phishing or malware URLs from internal Teams chats and channels to admin quarantine in the Microsoft Defender portal.
This post-delivery protection ensures that even if a threat evades initial detection, it can be neutralized before causing harm. The capability will be enabled by default for all Microsoft Teams customers with Microsoft Defender for Office 365 Plan 1, providing immediate protection without additional configuration. Security admins retain full control through the Microsoft Defender portal, where quarantined Teams messages can be reviewed, managed, and released if needed. This expansion ensures more customers benefit from continuous, automated threat removal, strengthening protection across Teams with no extra effort required.

These new protections reflect our commitment to delivering security that scales with the way people work today. By combining real-time detection, post-delivery protection, and user-driven feedback loops, we're giving organizations the tools to stay ahead of emerging threats without slowing down collaboration. These capabilities are engineered to operate efficiently in the background, so frontline workers, IT administrators, and SOC analysts can concentrate on their core responsibilities while maintaining a secure working environment.

To learn more:
https://learn.microsoft.com/defender-office-365/mdo-support-teams-about
https://learn.microsoft.com/defender-office-365/mdo-support-teams-quick-configure
https://learn.microsoft.com/defender-office-365/mdo-support-teams-sec-ops-guide

Learn more about Microsoft Security Communities.
In the last five years, Microsoft has increased its emphasis on community programs, specifically within the security, compliance, and management space. These communities fall into two categories: public and private (NDA only). In this blog, we share a breakdown of each community and how to join.

Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, security teams sometimes need custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights. We previously shared an example of how you can use Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard, along with a template you can customize and extend. In this blog, we show how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365, and share an example workbook that is now available and can be customized to your organization's needs.

Why use workbooks in Microsoft Sentinel?

If you already use Microsoft Sentinel and already stream the Defender for Office 365 hunting tables, workbooks offer several benefits:

You can store data for a longer period by configuring longer retention for the tables your workbooks use. For example, you can retain the Defender for Office 365 EmailEvents table for one year and build visuals over that longer period.
You can customize your visuals easily based on your organization's needs.
You can configure auto-refresh for the workbook to keep the data shown up to date.
You can access ready-to-use workbook templates and customize them if needed.

Getting started

After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks. Ensure that the Microsoft Defender XDR solution is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps.
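Workbook visuals are KQL queries run over the streamed hunting tables. As an added example (not part of the original post or of the Microsoft workbook template), the query below uses the DetectionMethods field of EmailEvents to break detections down by threat type and by the capability that caught them, and shows what share of each was blocked versus delivered; this is the kind of query a custom tile would wrap. It assumes DetectionMethods is a JSON property bag keyed by threat type, with an array of method names as each value; NetworkMessageId, ThreatTypes, DeliveryAction and Timestamp are existing EmailEvents columns.

```kql
// Added example; not part of the original post or the Microsoft workbook template.
// Assumed: DetectionMethods is a JSON property bag keyed by threat type, each
// value an array of method names (e.g. {"Phish":["Spoof intra-org"]}).
// NetworkMessageId, ThreatTypes, DeliveryAction and Timestamp are existing
// EmailEvents columns.
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(ThreatTypes)              // only messages that received a verdict
| extend Methods = parse_json(DetectionMethods)
// One row per threat type present in the bag (Phish, Malware, Spam, ...)
| mv-expand ThreatType = bag_keys(Methods) to typeof(string)
// One row per detection method recorded under that threat type
| mv-expand Method = Methods[ThreatType] to typeof(string)
| summarize Emails = dcount(NetworkMessageId),
            Blocked = dcountif(NetworkMessageId, DeliveryAction == "Blocked"),
            Delivered = dcountif(NetworkMessageId, DeliveryAction == "Delivered")
          by ThreatType, Method
// Share of each (threat type, method) pair that never reached a mailbox
| extend BlockedPct = round(100.0 * Blocked / Emails, 1)
| order by Emails desc
```

A low BlockedPct for a given method is the row to investigate: it means that capability is producing verdicts on mail that is still being delivered, which usually points at a policy whose action is set to deliver or junk rather than quarantine. Adding DeliveryLocation to the summarize key separates "delivered to inbox" from "delivered to junk" if that distinction matters for the tile.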
Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables:

EmailEvents - contains information about all emails
EmailAttachmentInfo - contains information about attachments in emails
EmailUrlInfo - contains information about URLs in emails
EmailPostDeliveryEvents - contains information about Zero-hour auto purge (ZAP) or manual remediation events
UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps
CloudAppEvents - can be used to visualize user-reported phish emails and admin submissions with Defender for Office 365

The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then lets you create custom workbooks across your data, or use existing workbook templates available with packaged solutions or as standalone content from the Content hub.

How to access the workbook template

We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution: if you already use the solution, this update is available to you now; if you are installing the solution for the first time, the workbook is available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), navigate to the Workbooks area in Microsoft Sentinel and, on the Templates tab, select Microsoft Defender for Office 365 Detection and Insights. Using the "View Template" action loads the workbook.

What insights are available in the template?
The template has the following sections, each deep-diving into an area of email security and providing details and insights to security team members:

Detection overview
Email - Malware Detections
Email - Phish Detections
Email - Spam Detections
Email - Business Compromise Detections (BEC)
Email - Sender Authentication based Detections
URL Detections and Clicks
Email - Top Users/Senders
Email - Detection Overrides
False Negative/Positive Submissions
File - Malware Detections (SharePoint, Teams and OneDrive)
Post Delivery Detections and Admin Actions

Can I customize the workbook?

Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities such as spoof detection, Safe Attachments, and detection of emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook.

This sample workbook shows how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It lets organizations easily create customized dashboards that help them analyse and track their threat landscape and respond quickly, based on their own requirements.

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

More information

Integrate Microsoft Defender XDR with Microsoft Sentinel.
Learn more about Microsoft Sentinel workbooks.
Microsoft Defender for Office 365 Detection Details Report - Updated Power BI template for Microsoft Sentinel and Log Analytics.
Learn more about Microsoft Defender XDR.

I have absolutely no idea what Microsoft Defender 365 wants me to do here
The process starts with an email:

There's more below in the email - an offer for credit monitoring, an option to add another device, an option to download the mobile app - but I don't want to do any of them, so I click on the "Open Defender" button, which results in this:

OK, so my laptop is the bad boy here; there's that Status note of "Action recommended", with no "recommendations", and the only live link here is "Add device", something I don't need to do. The only potential "problem" I can even guess at here is that Microsoft is telling me that the laptop needs updating. Since I seldom use the laptop, only when traveling, I'd guess the next time I fire it up the update will occur, but of course I really don't know that's the recommended action it's warning me about, do I? You'd expect that if something is warning you "ACTION NEEDED!!!" they'd be a little more explicit, wouldn't you?

Defender for Identity health issues - Not Closing
We have old issues and they're not being "Closed" as reported. Are we missing something, or is the "Microsoft Defender for Identity" health issues process broken? Thanks!

Closed: A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue.

Tenant Forwarding - Trusted ARC Sealer
As part of a tenant-to-tenant migration, we often need to forward mail from one tenant to another. This can cause issues with email authentication verdicts in the destination tenant. Is it possible, or best practice, to configure another tenant as a trusted ARC sealer to help with forwarded email deliverability?