microsoft defender for identity
81 TopicsMonthly news - July 2026
Microsoft Defender Monthly news - July 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from June 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here. 🚀 New Virtual Ninja Show episode: Redefining identity security for the modern enterprise One policy engine to govern them all: Securing agentic AI with Microsoft Purview Building a modern detection pipeline with ContentOps Securing local AI agents with Microsoft Defender Microsoft Defender: Extending critical protection for emerging threats in Team Weekly Security News: We publish a short 1ish minute video every week with updates across our Microsoft Security stack. Subscribe to our YouTube channel, so you don't miss the next episode. Actionable threat insights (find all of them here) Securing AI agents: When AI tools move from reading to acting Chromium extension uses AI‑related branding to redirect browser search Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access Microsoft Defender Two Workbooks capabilities in the unified Microsoft Defender portal moved to GA: Advanced Hunting connector - build custom dashboards directly on top of Advanced Hunting (XDR) dat. Query XDR tables and visualize them in Workbooks for richer investigations and reports. Workspace filter / multi-workspace experience - scope and filter workbooks by workspace, with workspace selection integrated into the workbook itself rather than relying on the global selector. MTO Tenant Groups let MSSPs and large enterprises organize their multitenant view in Microsoft Defender by grouping tenants logically (e.g., by region, business unit, or customer cohort). Learn more here. Custom Detections support in Microsoft Sentinel Repositories. Custom Detections can now be managed as code in Microsoft Sentinel Repositories, the same way customers already manage analytic rules, playbooks, parsers and workbooks. Detection engineers connect a GitHub or Azure DevOps repo to their workspace; Custom Detections placed in the repo are reconciled on every commit. A standalone Bicep path via the Microsoft Security Bicep extension lets teams deploy from any CI/CD pipeline (ADO Pipelines, GitHub Actions, custom runners). (General Availability) The following advanced hunting schema tables are now generally available: The CloudAuditEvents table contains information about cloud audit events for various cloud platforms protected by the organization's Defender for Cloud. The CloudDnsEvents table contains information about DNS activity events from cloud infrastructure environments. The CloudProcessEvents table contains information about process events in multicloud hosted environments. (Public Preview) The AgentsInfo table in advanced hunting is now available in preview. The AIAgentsInfo table is transitioning to this new table, which provides a unified schema that supports agent inventory and governance for all agent types, including Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents. Microsoft Agent 365 customers should use the AgentsInfo table today. The AIAgentsInfo table remains accessible until July 1, 2026. Update your queries to use AgentsInfo before this date. For more information, see Advanced hunting schema - Naming changes. For all other Sentinel News, have a look at the "What's new in Microsoft Sentinel blog post - June edition" Identity Security (Public Preview) The Identity Security dashboard now includes a new Human identities card that shows your human identities by source (Entra ID, SaaS, and on-premises), giving you a single view of where your human identities live. For more information, see Identity Security dashboard. (Public Preview) On the Coverage and maturity page, the Review and improve coverage side panel for SaaS Identities now includes an Observed column and a Show Only Observed Applications toggle. By default, the panel shows only SaaS applications detected in your environment. Turn off the toggle to see other supported SaaS applications you can onboard to expand your identity coverage. For more information, see Coverage and maturity. New alerts were added to the Defender for Identity security alerts related to Microsoft Entra ID, Active Directory as well as other identity providers. For a full list of those new alerts, check out our documentation. Recent ShinyHunters attacks on Salesforce show how OAuth tokens and connected apps are being weaponized to bypass MFA at scale. The upgraded Salesforce connector for Defender for Cloud Apps helps detect these attacks faster, with richer connected-app context and investigation-ready signals. Customers already using the connector are advised to enable the additional events in the Salesforce console for tighter protection, and eligible customers not yet using it are advised to connect Salesforce. Learn more. Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management (Public Preview) Local AI agent discovery: as part of the Defender AI agents experience, Microsoft Defender now automatically discovers supported local AI agents running on onboarded Windows & macOS devices. Discovered agents appear as assets in the AI agent inventory, exposure map, and advanced hunting, giving security teams visibility into local AI agent usage across the organization. For more information, see Discover local AI agents. (Preview) Local AI agent runtime protection on Windows endpoints is now available in public preview. Microsoft Defender inspects the agent loop (user prompts, tool calls, and tool responses) and can block risky activity before it executes, helping stop prompt injection and unsafe agent actions at the device level. Blocked and audited events appear as alerts in Microsoft Defender to support incident correlation and investigation workflows. The new version of the Defender deployment tool for Windows streamlines onboarding and enhances security by: Bundling the onboarding package directly into the tool's executable. Generating a key during deployment package creation that is required for running the tool. Enabling users to configure an expiry date for the package to reduce the risk of unauthorized use. In addition: You have the option of downloading the package as either an .exe or a .zip file, whichever best suits your organization's needs. A new Deployment packages page in the Defender portal facilitates management of downloaded packages by providing centralized visibility into all the packages and their current status. Now generally available: Selective Response Actions enables organizations to tailor high-impact security operations on devices during onboarding. It provides precise control over how response actions are applied on Tier-0 systems and other high-value assets, helping maintain operational stability while delivering strong protection. The new exposure score model in Defender Vulnerability Management is now generally available. This model improves risk prioritization and recommendation impact accuracy by incorporating exploit prediction data (EPSS) and asset context factors such as internet-facing status and criticality. More details here. Microsoft Secure Score now includes the Reduce unnecessary inbound internet exposure on internet-facing devices recommendation, which helps identify devices that are accessible from the public internet and may represent unnecessary attack surface. This recommendation provides centralized visibility into internet-facing devices across the environment. Many predefined SaaS application classification rules were added to the critical assets list. Have a look at our documentation for the full list. These classifications require onboarding to Microsoft Defender for Cloud Apps.894Views2likes6CommentsEmpowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR
Identities have been a top threat vector forever. However, the rise of cloud identity attacks and an ever increasingly complex digital estate has made a tough problem even harder. Securing identities has always required a close partnership between two different functional teams – the identity and access management teams that are responsible for managing, authenticating, and authorizing user access to protected systems and data; and the security teams that detect and respond to threats across the entire digital estate. Nowhere is this more apparent than during a security incident. Let’s take a look at a common attack type like this phishing email example below: While this is a straightforward scenario, it’s still extremely effective as many organizations aren’t equipped to protect against it. The 2024 Verizon Data Breach Investigation report detailed how the median time for an attacker to access data from phishing is now just 60 seconds, giving the security team little time to triage alerts across email, identity, and endpoints, coordinate with the IAM team to disable the user and reset the password, and clean up any affected devices and inboxes. This is where implementing an integrated Identity Threat Detection and Response (ITDR) solution comes in. Our solution breaks down the existing silos between your identity and security teams by natively integrating our IAM solution, Microsoft Entra ID, and our identity threat protection solution, Microsoft Defender for Identity into our Extended Detection and Response (XDR) platform. Our ITDR offering is unique in that it delivers robust ITDR capabilities where your teams already work today. This means empowering the SOC to investigate identity alerts directly within Defender while also surfacing necessary insights from those investigations for Identity Admins directly within the Entra experience. Enhancing XDR with ITDR Identity is a core pillar of our XDR solution. Capitalizing on Microsoft’s leadership in both Identity and Access Management (IAM) and security, Defender correlates identity data and insights with Endpoint, Cloud, SaaS app and collaboration alerts to help security professionals better understand the full scope of security threats without spending hours triaging and correlating alerts. Customers benefit from the following within the Defender experience: 1. Enriched visibility across the identity fabric The ITDR dashboard provides the SOC with a single, prioritized view of Identity-specific security information and recommendations. Pulling relevant alerts and insights from across their identity footprint, this pane helps SOC teams better understand their identity posture and quickly manage potential identity-related security risks. Additionally, the recently updated identity inventory provides visibility into all the identities within their fabric including human and non-human, on-premises or in the cloud, from Microsoft or another provider. Each one of those identities also has a corresponding identity page which offers even more insights into the identity itself and allows the SOC to take action on that identity, right from the experience. 2. Proactive Identity posture and prevention The robust posture recommendations within Microsoft Security Exposure Management include Identity-specific posture recommendations (ISPM’s) that range from spotting common misconfigurations to helping customers address vulnerabilities across Active Directory, Entra ID and other common identity fabric elements, before they can be exploited. This is further enriched with attack path modeling, which provides a prioritized queue of possible attack paths that could be exploited by a threat actor. This helps the SOC and identity teams understand the entire scope of vulnerabilities—from initial access to reach critical data—and work together to prioritize the highest priority exposures. Again, because of the native integration between Entra ID and Defender the recommendations surfaced to identity admins and SOC professionals are consistent, helping the two teams work in unison to strengthen their overall identity. Defender for Identity provides dedicated sensors for Domain Controllers, Active Directory Federation Services (ADFS), Active Directory Certificate Services (AD CS) and Entra ID Connect to provide comprehensive visibility into on-premises identity environments while Entra ID does the same for cloud identities. 3. Incident-level visibility Microsoft Defender uses XDR-level detections to automatically correlate all related alerts into prioritized incidents – making it easy for analysts to see which alerts are tied to a broader incident and need to be addressed first. Incidents are automatically updated if new related alerts are triggered, so analysts can be confident they’re always looking at the latest info. Incidents are also automatically enriched with identity-related insights – like recently logged on users on an endpoint, recent activity, MFA type, open incidents, Entra ID risk level, and more—so the SOC team can quickly understand the full context of a user without needing to go hunting. All of this information is synced automatically with Microsoft Entra, ensuring both the identity and SOC teams are looking at the same data. This context is also showcased within the hunting experience. Customers can hunt for emerging threats across identity and other domains right from the same pane. 4. Automated Threats Response With attackers moving laterally in just minutes, even the best security teams will be challenged to respond in time with manual processes. Microsoft Defender utilizes AI to automatically take action on in-progress attacks and prevent lateral movement. This built-in, self-defense capability uses the correlated signals in XDR, the latest threat intelligence, and machine learning backed models to accurately predict the attack path used and block an attacker’s next move before it happens with above 99% confidence. Disruption attacks only take the minimum action necessary to stop the attacker – like disabling a compromise user or containing an affected endpoint – limiting the impact on the organization and leaving the SOC and identity teams in control to complete the investigation and bring assets back online. Security professionals can take direct action on identities right from the XDR experience through actions like “Confirm user as compromised” or “Disable user,” to mitigate an active threat. These updates are reflected automatically in the Entra portal, so they work in conjunction with Entra’s risk based conditional access. That way, when an identity is confirmed as compromised by the SOC, the risk level within Entra will automatically be raised and the relevant conditional access policies will be triggered at the next login to prevent future attacks. This signal loop protects customers both proactively through continuous monitoring and zero-trust policy engine , and reactively through real-time alerts and response from both Entra ID and Defender XDR. Conclusion In today's dynamic cyber landscape and with the complexity of modern identity environments, SOC analysts require a single pane of glass view into and the ability to effectively combat identity threats. Microsoft XDR, with its integration of Microsoft Defender for Identity and Microsoft Entra ID, provides a unified platform that enhances identity threat detection, investigation, and response capabilities, across on-prem and cloud. The seamless flow of data, alerts and workflows between IAM and Security teams created by this integration closes the loop between reactive and preventative identity protection helping organizations stay ahead of adversaries and ensure the security and integrity of their systems and data.2.3KViews2likes1CommentSecuring the invisible workforce
Non-human identities are now the majority of the identity estate in most enterprises. Service principals access organizational resources across SharePoint, Azure, and Microsoft 365, Service accounts run critical business processes on-premises, OAuth apps move data across SaaS boundaries, and AI agents increasingly operate autonomously at machine speed. As NHIs have grown in number and importance, so to have the threats targeting them. Midnight Blizzard showed how damaging compromised NHI can be. Attackers moved laterally across cloud resources and accessed sensitive data without ever triggering user-centric controls like MFA. The challenge many security teams are faced with however is that they simply do not have the visibility into what NHI’s even exist within their organization. Unlike their human counterparts, NHI can vary drastically in purpose, behaviour and risk profile. The one consistency is that most organizations lack a formal process for their creation, management and governance. For instance, while these identities often carry high and standing privileges, those permissions are typically granted at creation and never revisited. They authenticate programmatically so they cannot be enrolled in, or benefit from the protections of multi-factor authentication. As AI adoption accelerates, this issue has become even more urgent. Every AI agent needs an identity to function. That identity accesses data, invokes APIs, and takes action, autonomously, continuously, and at an unprecedented velocity. But because AI tooling has moved faster than guidance, many agents were never given identities of their own, many riding on existing Service Principles. This means that those ordinary app registrations may in fact represent autonomous agents making decisions and taking action. This new reality further compresses the window between compromise and impact and makes securing non-human identities a prerequisite for safely deploying AI at enterprise scale. Today, I am excited to share more about the non-human identity protection available within Microsoft Defender. These capabilities bring NHIs into the same unified platform where security teams already work and protect human identities with purpose-built experiences for discovery, risk assessment, business context, governance, threat detection, and attack disruption. The Challenge: We hear consistently from customers that they cannot answer fundamental questions about their NHI estate: How many non-human identities exist? Across Entra ID, Active Directory, and SaaS applications, the true count consistently exceeds expectations, often by an order of magnitude. Which ones are still in use? NHIs accumulate over time. Decommissioning is rare and dormant identities retain active permissions indefinitely. Which ones hold more access than they need? Permissions are granted broadly at provisioning and seldom revisited. Over-privilege is not the exception—it is the default state. Who is responsible for them? Without established ownership, remediating a risky NHI requires significant manual effort just to identify the right person to engage. Which ones are powering AI agents? Many agents ride on NHIs created long before the agent existed, making them indistinguishable from routine integrations. These are the questions that drive the capabilities we are delivering. Raising the bar for NHI protection with Defender Microsoft Defender helps protect non-human identities through six integrated focus areas: Visibility, Risk analysis, relationships and access mapping, governance policies, AI Agent awareness and Detection and Disruption. Together, these areas help organizations discover NHI risk, understand relationships and permissions, enforce governance, identify AI-driven identity activity, and detect or disrupt threats before they escalate. 1. Visibility: When Entra service principals, Active Directory service accounts, and SaaS-connected OAuth apps are managed in separate consoles with separate workflows, security teams cannot form a coherent picture of NHI exposure. These gaps in visibility translate directly into gaps in protection. Defender delivers a unified identity inventory for both human and non-human identities within a single view and investigation workflow. For non-human identities, coverage includes: Source Coverage Microsoft Entra ID All service principals Active Directory All service accounts SaaS Apps All OAuth-connected apps This consolidated inventory is the foundation that security insights, risk scoring, business context, governance, and threat detection all build on. Security teams work from one place, using the same investigation workflows they already use for human identities, across the entire NHI population. 2. Risk insights and analysis: Visibility into what exists is the starting point. What security teams need next is a clear understanding of which identities carry risk, what kind of risk, and how they should prioritize. Similar to how we review risk signals for human identities, Defender continuously evaluates the NHI estate and surfaces findings across key risk pivots: Unused Identities NHIs that have not authenticated over extended periods but retain active permissions. These identities serve no current business purpose while remaining fully available for misuse if compromised. Over-Privileged Identities NHIs whose granted permissions significantly exceed their observed usage. Defender analyses the gap between what an identity can do and what it actually does, identifying where privilege can be safely reduced without impacting operations. High-Privileged Identities Some NHI’s however require elevated roles or broad permissions to perform their intended use. These NHIs pose the highest lateral movement risk if compromised. For context, these privileges can sometimes exceed the access held by admins in the organization. Identity Risk Score for NHIs The new Identity Risk Score within Defender also extends to NHI. Ever NHI now has a dynamic risk score , informed by Microsoft’s global threat intelligence, exposure indicators, and observed activity patterns. The score is fully explainable. For every NHI, Defender shows the specific factors that contributed—what combination of privilege, exposure, and activity drove the assessment, and why. Analysts see the reasoning directly: an identity scored high because it is unused, holds broad directory permissions, and is published by an unverified publisher. This means analysts can act on the score with confidence, without needing to conduct a separate investigation to understand what it means. These insights allow teams to rank their entire NHI estate by risk and systematically focus investigation where it matters most. 3. Relationship mapping: Knowing that an NHI is risky is necessary but not sufficient for remediation. Security teams need business context: what application depends on this identity, who owns it, what resources can it access, and with what permissions. Without this information, even a critical finding stalls. Can we disable this identity, or will it break a production workflow? Who do we contact to coordinate? What is the scope of exposure if this identity is compromised? Defender introduces a Graph for NHIs that visually maps these relationships directly. What application depends on this NHI? Understanding downstream dependencies before taking remediation action. Who owns it? Identifying the owner for coordinated response. What resources or crown jewels does it access, and with what permissions? Determining the sensitivity of accessed resources to assess actual severity. With this context directly available in the investigation experience, security teams can assess risk, evaluate business impact, and coordinate remediation without switching tools or conducting manual discovery. 4. Governance policies When we extrapolate this out to enterprise scale, with thousands to tens of thousands of NHIs, manual remediation simply cannot keep pace with the rate at which risk accumulates. Organizations need governance policies that enforce decisions automatically and consistently. Defender enables this through governance policies. Organizations can define policies that leverage the insights Defender surfaces like unused timeframe, privilege level, risk score, over-privilege status, AI agent association and then map them to automated disablement of identities that exceed acceptable risk. Example: An NHI that has been unused for 90+ days, holds high-privilege roles, and carries a risk score above 70 exceeds the organization’s risk tolerance → disable the identity. This shifts NHI security from periodic audit cycles to continuous posture management. The NHI estate stays within organizational risk tolerance because policy enforces the standard automatically, at the scale the environment demands. 5. AI Agent awareness Agents built on platforms like Copilot Studio, Azure AI Foundry, and third-party frameworks require identities to authenticate, access data, and take action. In practice, many agents operate using traditional NHI that were provisioned for other workloads, making them indistinguishable from routine integrations at the identity layer. The risk profile, however, is materially different: Agents are autonomous. They make decisions and execute actions without human approval at each step. Agents are high-velocity. They perform hundreds of operations per minute across multiple systems. Agents interact with sensitive data. They access documents, query databases, read communications, and invoke APIs, often with broad permissions to support flexible workflows. When a misconfigured identity backs an AI agent, the risk compounds significantly because the agent continues to operate autonomously, with legitimate access, at machine speed, across whatever resources it can reach. Defender infers which NHIs are used by AI agents and surfaces this signal directly in the inventory, risk insights, and assessment. This enables security teams to prioritize investigation of agent-backed NHIs and apply differentiated governance like stricter controls, shorter review cycles, and tighter privilege boundaries for identities backing 6. Detection and disruption Posture and governance reduce the attack surface. But when an attacker compromises a non-human identity, detection speed and response automation determine whether the attack is contained or succeeds. Microsoft Defender brings the same detection and disruption capabilities that protect human identities to the non-human estate. Threat Detection for NHIs Defender detects anomalous and malicious activity involving non-human identities using behavioral analytics and Microsoft’s global threat intelligence. Detections are purpose-built for how NHIs operate because the signals indicating compromise in a NHI is fundamentally different from those in a human account, and our detection models reflect that. Every alert is enriched with full context from the identity inventory, risk insights, and graph. Analysts see not just what happened, but which identity was involved, what it can reach, who owns it, and how critical it is immediately, without manual correlation. Disrupting Attacker Persistence We are introducing new disruption capabilities designed to address the persistence techniques attackers use against non-human identities. These capabilities focus on the specific actions that turn a legitimate non-human Identity into an attack path, such as adding credentials for off-tenant use or modifying permissions and role assignments to expand access. Rather than broad remediation, the approach targets the exact moves attackers use to establish and maintain control. By directly addressing actions like unauthorized credential additions and privilege expansion, these capabilities help remove attacker access while preserving legitimate application functionality. Why This Maters Every AI agent requires an identity. As organizations scale agent deployments, the NHI estate grows with them and inherits every existing gap: over-privilege, absent ownership, insufficient monitoring. What has changed is speed. An AI agent with a compromised identity operates autonomously and never sleeps. The window between compromise and impact has compressed to the point where periodic manual review is no longer adequate. Automated visibility, continuous risk assessment, policy-driven governance, and real-time detection and disruption are now requirements. The organizations investing in NHI protection today are building the security foundation their AI strategy depends on. Getting Started Non-human identity protection is available in Microsoft Defender today: Visit the unified identity inventory in Defender to see all NHIs across Entra ID, Active Directory, and SaaS. Review risk insights to identify unused, over-privileged, high-risk NHIs, and NHIs used by agents. Explore the identity graph to understand business context, ownership, and resource access. Configure risk-based governance policies to enforce organizational risk tolerance at scale. These capabilities are integrated into the same platform and workflows security teams already use for human identity protection—no separate tools, no additional deployment. Learn more about the NHI protections provided by Defender within our docs here.1.1KViews1like0CommentsIntroducing the new Defender for Identity Health Alert API
Microsoft Defender for Identity (MDI) is a cloud-based security solution that helps monitor and protect identities and infrastructure across your organization. MDI is a core component of Microsoft Defender XDR, leveraging signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced cyberthreats directed at your organization. Recently, Defender for Identity (MDI) introduced Graph based API to view Defender for Identity Health issues.10KViews3likes6CommentsRedefining identity security for the modern enterprise
Every breach has one thing in common: an identity was exploited. Attackers have learned that identity is the fastest path to lateral movement and escalation. The challenge for defenders is that today's identity landscape is vast and fragmented — spanning hybrid environments, SaaS apps, cloud platforms, and autonomous agents. Protecting it demands more than point solutions. It requires continuous visibility, proactive posture reduction, and the ability to detect and disrupt identity threats across the full attack lifecycle. Leveraging our expertise as a leader in both Identity and Access Management (IAM) and Security, our focus has been to deliver a fast, comprehensive, and increasingly autonomous approach to identity security. It is designed to continuously strengthen identity posture and help SOC teams act faster with less manual effort. Today, I am excited to announce the next set of innovations including: Reimagined Identity Security dashboard and experiences to surface identity insights Expanded protection for more elements of modern identity fabrics including non-human identities. Streamlined detections including a new identity-level risk score that can be applied directly within risk-based conditional access policies. Unified identity view & protection across Active Directory, Entra ID, IAM solutions, SaaS and Cloud – with improved at-scale identity correlations New autonomous response capabilities to further speed identity threat triage, disruption and response. Below is a deeper look at what’s new. Turning identity sprawl into clarity Security teams don’t suffer from a lack of identity data — they suffer from a lack of insight across that data. Without context, the flood of activity from various directories, SaaS platforms, cloud services, and on‑premises infrastructure simply becomes noise. Disconnected alerts, isolated accounts, and fragmented investigations make it harder, not easier, to determine what actually matters. The updated Identity security dashboard is one of the new experiences designed to help with just that. It serves as the starting point for the SOC to gain a birds eye view of their entire identity security status, surfacing critical information on the human and non-human identities from across on-premises, SaaS and cloud environments. Fueling this, and other identity security experiences within Defender, are the advancements we have made in unifying the identity inventories. First, for human users we have expanded the account correlation capabilities we released at Ignite to include SaaS and cloud accounts. This means that security professionals will have an even more comprehensive view of related accounts, their holistic posture and identity risk. Additionally, we are also introducing new, policy-based linkage to help organizations customize these connections at scale. But modern identity fabrics extend far beyond human users. To address this shift, we are also expanding identity security coverage to include a greater focus on non‑human identities. The new non‑human identity inventory helps security teams to discover, understand, and protect these critical identities within the same identity‑centric view as human accounts. Defender helps teams see the full identity fabric — not as disconnected components, but as an interconnected system — so they can reduce blind spots, prioritize exposure, and apply consistent protection across the identities attackers increasingly rely on. Expanded coverage across the modern identity fabric Staying one step ahead of attackers starts with having a better understanding of what makes you vulnerable and closing those gaps before they can be exploited. With this mission in mind, I am excited to announce a new coverage and maturity view that shows how identity infrastructure, protections, and risk actually connect across your environment. This view serves as a snapshot revealing which access paths are protected, which are exposed, and what to fix next to meaningfully reduce blast radius. Rather than treating coverage as a static checklist, this experience surfaces actionable insights that show both current status and prioritized next steps, helping teams understand not only what needs to be protected, but also how to systematically improve identity security posture over time. With this clear guidance Defender empowers SOC teams to move from fragmented awareness to confident, identity‑centric protection. This new view is powered by the native integration available out-of-the-box with Microsoft Entra ID and the dedicated sensors and connectors available for other identity components like Privilege Access Management (PAM) solutions and other identity providers. Given this, I am pleased to share that we are adding new integrations with solutions like SailPoint and CyberArk that further our commitment to bringing additional depth and coverage for more elements of modern identity landscapes within Defender. In this same vein, we're making it easier for customers to activate protections across their on-premises identity infrastructure. Today we are excited to share that the unified identity and endpoint agent is extending support for more identity infrastructure and releasing a streamlined experience for existing customers looking to migrate to the new sensor. In addition to all this we are also adding a new identity explorer experience that is designed to help security professionals uncover identity-based exposures and lateral movement paths within their organization. Leveraging the graph capabilities within Defender and a robust set of pre-defined queries, SOC teams gain new visibility into potential exposure scenarios and end-to-end attack paths. Streamlined protections and workflows across Defender and Entra Security teams need to understand how the individual role, privilege, activity and alerts for each individual account relate to the risk of the identity as a whole. To address this, we’re introducing a new unified risk score that aggregates signals across all linked accounts to calculate a single risk score for the identity. As you can see in the image above the score considers the observed activity, criticality, privilege and likelihood of compromise for each linked account and produces a single, actionable view of risk. This means analysts no longer need to decipher various alerts themselves, they can quickly prioritize investigations based on the potential impact and urgency of identity‑driven threats. But the value of this new unified risk score doesn’t stop at investigation. Entra ID customers can now leverage these new risk signals directly within their risk-based conditional access policies. This gives admins a stronger signal for access decisions, resulting in earlier prevention, detection, and response across the identity control plane. This powers the feedback loop between identity and SOC teams, ensuring that insights gained in the SOC can immediately reduce exposure across the identity fabric. Together, these advances transform identity sprawl into clarity. By automatically connecting the dots and surfacing insights instead of raw data Defender is elevating what matters most, helping security teams cut through noise, focus on true risk, and respond to identity‑based threats with greater speed and confidence. New Identity detections using novel and unique sensor capabilities Detection opportunities start with visibility and sensor capabilities and we are excited to share a new capability that significantly improves how we see identity-based attacks on Domain Controllers. We work closely with the Windows team within Microsoft and are introducing a new Event Tracking for Windows (ETW) that gives us richer insight into Kerberos activity. This allows us to safely access important ticket details that were previously hidden while the ticket was in use, without needing to break or decrypt the ticket itself. With this additional context, we can spot unusual behavior that points to forged or tampered Kerberos tickets more accurately than before. By connecting this new operating system signal directly into our identity threat detection capabilities, we unlock a unique level of protection. It also opens up new investigation and hunting scenarios for SOC analysts who want deeper visibility into Kerberos related activity. Our first detection using this new sensor capability (“Possible golden ticket attack (suspicious ticket)”) is now generally available, and further exemplifies why our strategy is so revolutionary. Previously detecting these types of attacks would require decrypting the ticket/token itself, introducing even more potential for exposure. With this ETW however we have the same visibility without the risk. We know that Identity attacks no longer stop at the perimeter. Recognizing that modern adversaries target on‑premises, hybrid, and cloud identities alike, we invested heavily in expanding also our detection capabilities across this full spectrum. In particular, we introduced new detections for emerging attack techniques targeting Entra ID as a platform. While Entra ID Protection continues to deliver broad, native protection for Entra users and identities, the core mission of Identity Threat Protection products is to go further— detecting also sophisticated post‑breach activity and lateral movements where attackers directly target the identity provider itself, often by exploiting the hybrid trust and linkage between on‑premises and cloud environments. We are excited to announce the availability of the following new detections: 4 new detections for anomalies and attacks targeting Entra ID sync application in hybrid environments 2 new detections for suspicious device registration/join across Entra and Intune 1 new detection for techniques abusing Oauth Authorization Flow for browser-based attacks, as observed in-the-wild recently (“ConsentFix”) Powering autonomous Identity Threat Protection When a security incident is unfolding, every second matters. Attackers are already operating at machine speed, and human response alone can’t keep up, which is why AI-powered capabilities are essential for detecting, triaging and remediating identity threats in time. As part of our push toward autonomous Identity Threat Protection, we’re extending Security Copilot’s agentic triage capabilities to identity. We’ve already seen the impact of outcome-driven autonomous workflows in phishing, where our agent identifies 6.5 times more malicious alerts than human analysts working alone. Today, that same capability is extending beyond phishing to include identity alerts. The new Security Alert Triage Agent autonomously evaluates high‑volume identity alerts, distinguishing true threats from noise, and surfacing clear, explainable verdicts so analysts can focus immediately on what requires action. At Public Preview, it supports triage of alert types involving password spray attempts, suspicious inbox rules associated with business email compromise (BEC), and accounts potentially compromised following a password spray attack. Learn more about Security Copilot in Defender announcements here. In parallel, we’re expanding identity takeover predictive shielding, using real‑time exposure and attack path insights to proactively harden the identity attack surface during an active incident—blocking attacker progression before high‑value identities can be compromised. Together, these capabilities shift identity defense from reactive investigation to real‑time disruption, helping security teams contain attacks faster, reduce blast radius, and stay ahead of adversaries when it matters most. At Ignite, we introduced predictive shielding, an AI-powered capability in automatic attack disruption that predicts an attacker’s next move in an active attack and applies targeted, just-in-time hardening to block them before they can pivot. Today, predictive shielding proactively hardens many of the controls attackers most often rely on to regain access, such as SafeBoot abuse and Group Policy Objects. We’ve already seen tremendous impact across our customers, including a large public university: “During a ransomware incident, Microsoft Defender’s attack disruption stopped the attack before it could progress. In parallel, predictive shielding applied Safe Boot hardening across key devices, helping protect against a common evasion tactic—rebooting endpoints into Safe Mode to try and bypass protections like disruption. Together, these layers increased our confidence and resilience during the incident.” This speed and accuracy matter because identity-based attacks now operate at massive scale, with each user tied to many accounts across the environment, making it increasingly difficult to protect every identity. We are excited to share that we’re expanding this set of just-in-time hardening actions tailored for identity-based attacks. This includes: RemoteOps hardening: restricts high-risk remote administrative operations such as RPC-based actions that attackers rely on for lateral movement and hands-on-keyboard control. Remote Registry hardening: prevents attackers from remotely modifying sensitive registry settings often used to weaken security controls or enable credential theft. What makes these controls unique is their precision: Defender shields only the specific assets at risk, rather than applying broad, organization-wide restrictions, maximizing security while minimizing business impact. Looking ahead Identity has become the foundation of access, trust, and control in modern enterprises—and the primary target for attackers. The announcements detailed throughout this blog reflect our continued commitment to advancing identity security and to helping customers stay ahead of rapidly evolving identity-based threats. We’re excited to share more throughout the week at RSA, and we look forward to partnering with customers as they continue their journey toward comprehensive, identity centric security.3.5KViews5likes1CommentFrom signal to strategy: Closing attack paths with identity intelligence
Compromised credentials remain one of the most common entry points for attackers. In the first half of 2025 alone, identity-based attacks surged more than 32% and its estimated that 97% of them are password focused. While that scale is overwhelming, it only takes a single exposed account to give an attacker a foothold from which they can move laterally towards the critical assets they are after. At today’s attack scale, identity signals need to be connected with broader context to stop attacks earlier in the kill chain. Today we are excited to share more about how Microsoft Defender can help security professionals proactively understand how identity-related risks, like leaked credentials, relate back to critical assets, helping security professionals proactively close potential entry points before they can be exploited. Understanding leaked credentials and attack paths: Leaked credentials refer to valid usernames and passwords that have been exposed beyond their intended scope. Whether this exposure occurs as part of a data breach, phishing attack, or postings on dark web forums, the result is the same: an attacker may be using legitimate credentials to access your organization. Similarly, attack paths describe the sequence of misconfigurations, permissions, and trust relationships that an attacker can chain together to move from an initial foothold to high‑value resources. Rather than relying on a single vulnerability, attackers tend to think in graphs, following paths of least resistance to systematically escalate privileges and expand access. This makes identities the primary control plane they target and leaked credentials as an extremely common entry point. The recent Microsoft digital defense report put this into focus, stating that more than 61% of attack paths lead to a sensitive user. These user accounts have elevated privileges or access to critical resources meaning that if they were to be attacked or misused it would significantly impact the organization. Microsoft’s differentiated approach Most solutions stop at the alert and can only tell you that a password was exposed, found, or leaked. That information matters, but it is incomplete, it describes an event, not the risk. The real differentiation starts with the next question: what does this exposure mean for my environment right now. Not every exposed password creates the same level of risk. Context is what determines impact. Which identity does the password belong to? What assets can that identity access? Does that access still exists? And are those assets truly sensitive? That is why exposed password detection is a starting point, not an end state. Effective protection begins when organizations move beyond technical alerts and toward an identity-aware understanding. This shift from detection to context is where better decisions are made and where meaningful security value is created. This is why we took our identity alerts a step further, connecting these risks with broader security context to reveal how an initial identity signal can lead to sensitive users, critical assets, and core business operations. This perspective moves security beyond isolated alerts to prioritized, actionable insight that shows not just if risk exists, but how identity‑based threats could unfold and where to intervene to stop them before they have impact. In the case of leaked credentials, Microsoft continuously scans for exposed accounts across public and private breach sources. If a match is found, Microsoft’s Advanced Correlation Engine (MACE) automatically identifies the affected user within your organization and surfaces the exposure with clear severity and context. By bringing this powerful detection into Defender, teams can investigate and respond with better context, allowing leaked credentials to be evaluated alongside endpoint, email, and app activity, giving teams additional context needed to prioritize response. Additionally, for Microsoft Entra ID accounts we can go a step further validating whether the discovered credentials actually corresponds to a real, usable password for an identity in the tenant. This confirmation further reduces unnecessary noise and gives defenders an early signal - often before any malicious activity begins. Next, Microsoft Defender steps in to correlate these signals with your organization’s unique security context. Connecting the alert and associated account with other signals and like unusual authentications, lateral movement attempts, or privilege escalations, elevating the isolated alert into a complete story about any potential incidents related to that vulnerability. At the same time, Microsoft Exposure management is analyzing the same data to create a potential attack path related to the exposed credentials. By tracing permissions, consents, and access relationships, Attack Paths show exactly which routes an attacker could take and what controls will break that path. When these capabilities work together, visibility becomes action. MACE identifies who is exposed, Defender connects other signals into an incident level view and Attack Paths reveal where the attacker could go next. The result is a single, connected workflow that transforms early exposure data into prioritized, measurable risk reduction. Conclusion Leaked credentials should be treated as the beginning of a story, not an isolated event. Microsoft Defender is uniquely able to enrich security teams visibility and understanding of Identity-related threats from initial exposure to detection, risk prioritization, and remediation. This connected visibility fundamentally changes how defenders manage identity risk, shifting the focus from reacting to individual alerts to continuously reducing exposure and limiting blast radius. One leaked password doesn’t have to become a breach. With Microsoft’s identity security capabilities, it becomes a closed path, and a measurable step toward greater resilience. Learn more about attack paths and the new leaked credentials capabilities in Defender.1.2KViews0likes0CommentsMonthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 😎 Microsoft Ignite 2025 - now on-demand! 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better… a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.6KViews0likes0CommentsHost Microsoft Defender data locally in the United Arab Emirates
We are pleased to announce that local data residency support in the UAE is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement reinforces our ongoing commitment to delivering secure, compliant services aligned with local data sovereignty requirements. Customers can now confidently onboard to Defender for Endpoint and Defender for Identity in the UAE, knowing that this Defender data will remain at rest within the UAE data boundary. This allows customers to meet their regulatory obligations and maintain control over their data. For more details on the Defender data storage and privacy policies, refer to Microsoft Defender for Endpoint data storage and privacy and Microsoft Defender for Identity data security and privacy. Note: Defender for Endpoint and Defender for Identity may potentially use other Microsoft services (i.e. Microsoft Intune for security settings management). Each Microsoft service is governed by its own data storage and privacy policies and may have varying regional availability. For more information, refer to our Online Product Terms. In addition to the UAE, Defender data residency capabilities are available in the United States, the European Union, the United Kingdom, Australia, Switzerland and India (see our recent announcement for local data hosting in India). Customers with Existing deployments for Defender for Endpoint and/or Defender for Identity Existing customers can check their deployment geo within the portal by going to Settings -> Microsoft Defender XDR-> Account; and see where the service is storing your data at rest. For example, in the image below, the service location for the Defender XDR tenant is UAE. ation information If you would like to update your service location, please reach out to Customer Service and Support for a tenant reset. Support can be accessed by clicking on the “?” icon in the top right corner of the portal when signed in as an Admin (see image below). If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager for assistance with the migration process. More information: Ready to go local? Read our documentation for more information on how to get started. Microsoft Defender XDR data center location Not yet a customer? Take Defender XDR for a spin via a 90-day trial for Office 365 E5 or Defender for Endpoint via a 90-day trial for Defender for Endpoint Check out the Defender for Endpoint website to learn more about our industry leading Endpoint protection platform Check out the Defender for Identity website to learn how to keep your organization safe against rising identity threats1.4KViews1like2CommentsEnhancing visibility into your identity fabric with Microsoft Defender
Attackers don’t move in straight lines or follow predictable, sequential steps. Instead, they think in graphs, seeking the path of least resistance, surveying your environment for weak spots and then leverage legitimate connections and permissions to quietly traverse your IT landscape. Just a single compromised account can be a powerful foothold, helping an attacker bypass your other security protocols. To put this simply, while your account may not be what the attacker is looking for, it’s one step on the path to their ultimate goal. Its estimated that less than 1% of your organizational footprint is actually of interest to attackers, but 80% of organizations have at least one open attack path to these critical assets. This is why it is so critical to have a deep understanding of the connected identities, accounts and applications that make up your identity fabric. Layered identity security for the modern enterprise Identity Threat Detection and Response (ITDR) has to combine modern identity and access management (IAM) and security operations (SOC) through an integrated partnership between identity and security teams. Because of this, our vision remains focused on streamlining how these groups collaborate, breaking down siloes to unite these teams, their tools and processes. Today, I am excited to announce new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. These new capabilities include: Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Account correlation: Mapping the identity fabric, one account at a time. Modern identity fabrics are often complex, reflecting the reality of today’s hybrid and multi-cloud enterprise environments. To understand vulnerabilities and map potential attack paths, security teams must first decipher the relationships between identities, accounts, infrastructure, and a myriad of identity related apps and tools. But the complexity doesn’t end with the fabric itself, each identity typically consists of several related accounts. Take the identity footprint in Figure 1 above: here we see a visual representation of the accounts associated with a single user. At the top you’ll see an on-premises Active Directory (AD) account that is synced with a corresponding Entra ID account. This type of hybrid scenario is found in more than 90% of our customers as a way to allow their users to authenticate seamlessly, to both legacy on-premises environments and cloud services like Microsoft 365. In this example the user also has two other accounts, one an administrator account with elevated privileges and the other a misconfigured cloud account. Now, as I mentioned earlier, attackers will use whatever connections they can to move laterally towards their target and in this case the misconfigured cloud account puts the identity and all its accounts at risk, including the privileged admin. Defender now links accounts, privileges, and activity patterns across the components of your unique identity fabric, augmenting the powerful graph capabilities within Microsoft Sentinel to provide defenders with one trusted view into the identity’s entire footprint. Figure 2: Identity page in Microsoft Defender showing related accounts The detailed understanding of how accounts are connected helps Defender better showcase these risks at the identity level. Posture alerts and recommendations for every related account are now surfaced within a single view. But we don’t stop there: with a relational understanding of your unique identity fabric, Defender maps potential attack paths, showing how an attacker could leverage these vulnerabilities on their way to access critical assets. The easiest way to bring this value to life is using a scenario involving leaked credentials. Earlier this year we unveiled a new leaked credentials alert that extends the powerful detection from Entra to on-premises identities. Figure 4: a sample attack path showing leaked credentials as an entry point To do this Microsoft continuously scans public and private breach resources to identify leaked credentials. If a match is found, Microsoft Security Exposure Management automatically identifies the affected user and surfaces the exposure with clear severity and context. Defender then further validates and correlates that exposure, linking that account to other cross-domain security signals to detect unusual authentications or privilege escalations. These attack paths map are now expanded to show how that compromised account could be leveraged to reach other accounts and ultimately critical assets. One leaked password doesn’t have to become a breach. With Microsoft’s identity security stack, it becomes a closed path and a measurable step toward resilience showing exactly which routes an attacker could take and what controls will break that path. Turning visibility into coordinated response Just as security professionals can now see all the related alerts and posture recommendations across the accounts associated with an identity, they can also take direct action across all accounts with one action. Figure 5: Screenshot of the new "Disable user" experience in Defender Once analysts confirm that an identity is compromised, they can disable compromised identities comprehensively across providers and applications - turning previously complex, multi-portal process into a coordinated, identity-wide response. Get started today Microsoft Defender’s latest identity security enhancements empower organizations to see and understand their entire identity fabric with unprecedented clarity. By surfacing connected accounts and posture recommendations into a single view, and coordinating response actions, Defender enables security teams to better remediate identity before, during and after a breach. This holistic approach not only strengthens identity posture but also transforms response actions from isolated steps into coordinated, organization-wide defenses. With these innovations, organizations are better equipped to outpace attackers, close open paths, and build lasting resilience in an ever-evolving threat landscape. Learn more about these capabilities here and join us in San Francisco, November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Featured sessions: Microsoft Defender: Building the agentic SOC with guest Allie Mellen Blueprint for building the SOC of the future Empowering the SOC: Security Copilot and the rise of agentic defense Identity Under Siege: Modern ITDR from Microsoft AI vs AI: Protect email and collaboration tools with Microsoft Defender AI-powered defense for cloud workloads2.9KViews2likes0CommentsMonthly news - November 2025
Microsoft Defender Monthly news - November 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. ⏰ Microsoft Ignite 2025 November 18-20, register now! 🚀 New Virtual Ninja Show episode: What’s new for Microsoft Teams protection in Defender for Office 365 Microsoft Defender Custom detections are now the unified experience for creating detections in Microsoft Defender! Read this blog for all the details. How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot. We’re excited to share that Microsoft Defender now provides visibility into prompt injection attempts within Microsoft 365 Copilot and helps security teams detect and respond to prompt injection attacks more efficiently and at a broader context, with insights that go beyond individual interaction. Microsoft Defender Experts for Hunting reports now include an Emerging threats section that details the proactive, hypothesis-based hunts we conducted in your environment. Each report also now includes investigation summaries for nearly every hunt that Defender Experts conduct in your environment, regardless of whether they identified a confirmed threat. Microsoft Defender Experts for XDR reports now include a Trends tab provides you with the monthly volume of investigated and resolved incidents for the last six months, visualized according to the incidents' severity, MITRE tactic, and threat type. This section gives you insight into how Defender Experts are tangibly improving your security operations by showing important operational metrics on a month-over-month basis. Threat Intelligence Export is now available in Microsoft Sentinel. Traditionally, Microsoft Sentinel has supported importing threat intel from external sources (partners, governments, ISACs, or internal tenants) via Structured Threat Information eXpression (STIX) via Trusted Automated eXchange of Intelligence Information (TAXII). With this new export feature, you can now share curated threat intel back to trusted destinations. This empowers security teams to contribute threat intel to other organizations in support of collective defense, or to their own central platform to add or enrich threat intelligence. Microsoft Defender for Identity We’re excited to announce that the Defender for Identity Unified Sensor (v3.x) is now generally available (GA). The unified sensor provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers. Learn more on how to active it in our docs.. Microsoft Defender for Office 365 📘 Email Authentication SecOps Guide (New learn doc) - visit & bookmark our short link: https://aka.ms/authguide The following docs article has been updated with with Compauth Codes: Message Headers Reference New blog series: Best practices from the Microsoft Community Defender for Office 365: Migration & Onboarding Onboarding to Microsoft Defender for Office 365 is often treated as a quick setup task, but it should be seen as a critical opportunity to establish strong security foundations. In my roles supporting incident response and security operations in Microsoft 365, I have observed that onboarding is often underestimated. - Purav Desai, Dual Microsoft Security MVP (Most Valuable Professional) This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security MVP, and the Defender for Office 365 Product Engineering Team, this guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. Microsoft Defender for Endpoint End of Windows 10 Support: What Defender Customers Need to Know As of October 14, 2025, Microsoft officially ended support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from Microsoft. While these devices will continue to operate, the lack of regular security updates increases vulnerability to cyber threats, including malware and viruses. Applications running on Windows 10 may also lose support as the platform stops receiving updates. Endpoint Security Policies can now be distributed via MTO's (Multi Tenant Organization) Content Distribution capability. This capability moved from Public Preview to General Availability (GA). With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content - such as custom detection rules and now, endpoint security policies - from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. You can read the announcement blog for public preview, as the content shares valuable insights. (Public Preview) Streamlined connectivity support for US government environments (GCC, GCC High, DoD). Learn more in our docs. (General Availability) Isolation exclusions. The Isolation exclusions feature is now generally available. Isolation exclusions allow designated processes or endpoints to bypass the restrictions of network isolation, ensuring essential functions continue while limiting broader network exposure. Learn more in our docs. Microsoft Defender Vulnerability Management (Public Preview) Microsoft Secure Score now includes three new Attack Surface Reduction (ASR) based proactive recommendations that help organizations prevent common endpoint attack techniques including web-shell persistence, misuse of system tools, and Safe Mode based evasion. (Public Preview) You can now use CVE exceptions to exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. CVE exceptions allow you to control what type of data is relevant to your organization and to selectively exclude certain data from your remediation efforts. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. Microsoft Security Blogs The new Microsoft Security Store unites partners and innovation On September 30, 2025, Microsoft announced a bold new vision for security: a unified, AI-powered platform designed to help organizations defend against today’s most sophisticated cyberthreats. But an equally important story—one that’s just beginning to unfold—is how the Microsoft Security Store is bringing this vision to life through a vibrant ecosystem of partners, developers, and innovators—all contributing together to deliver more value and security to our customers. Security Store is the gateway for customers to easily discover, buy, and deploy trusted security solutions and AI agents from leading partners—all verified by Microsoft Security product teams to work seamlessly with Microsoft Security products. Inside the attack chain: Threat activity targeting Azure Blob Storage Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. Investigating targeted “payroll pirate” attacks affecting US universities Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”. Disrupting threats targeting Microsoft Teams Threat actors seek to abuse Microsoft Teams features and capabilities across the attack chain, underscoring the importance for defenders to proactively monitor, detect, and respond effectively. Harden your identity defense with improved protection, deeper correlation, and richer context Expanded ITDR features—including the new Microsoft Defender for Identity sensor, now generally available—bring improved protection, correlation, and context to help customers modernize their identity defense.5.1KViews1like1Comment