Monthly news - September 2025
Microsoft Defender Monthly news - September 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. New Virtual Ninja Show episodes: Announcing Microsoft Sentinel data lake. Inside the new Phishing Triage Agent in Security Copilot. Microsoft Defender Public Preview items in advanced hunting: The new CloudStorageAggregatedEvents table is now available and brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. You can now investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting. The IdentityEvents table contains information about identity events obtained from other cloud identity service providers. You can now enrich your custom detection rules in advanced hunting by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel. The number of query results displayed in the Microsoft Defender portal has been increased to 100,000. General Availability item in advanced hunting: you can now view all your user-defined rules - both custom detection rules and analytics rules - in the Detection rules page. This feature also brings the following improvements: You can now filter for every column (in addition to Frequency and Organizational scope). For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit. (General Availability) Defender Experts for XDR and Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more (General Availability) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments. (General Availability) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts. (Public Preview) Suggested prompts for incident summaries. Suggested prompts enhance the incident summary experience by automatically surfacing relevant follow-up questions based on the most crucial information in a given incident. With a single click, you can request deeper insight (e.g. device details, identity information, threat intelligence) and obtain plain language summaries from Security Copilot. This intuitive, interactive experience simplifies investigations and speeds up access to critical insights, empowering you to focus on key priorities and accelerate threat response. Microsoft Defender for Endpoint (Public Preview) Multi-tenant endpoint security policies distribution is now in Public Preview. Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. (Public Preview) Custom installation path support for Defender for Endpoint on Linux is available in public preview. (Public Preview) Offline security intelligence update support for Defender for Endpoint on macOS is in public preview. Microsoft Defender for Identity (Public Preview) Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in advanced hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context. (Public Preview) Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts. For more information, see: Security Assessment: Remove Inactive Service Accounts (Public Preview) A new Graph-based API is now in preview for initiating and managing remediation actions in Defender for Identity. For more information, see Managing response actions through Graph API. (General Availability) Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview) The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise. For more information, see: Security Assessment: Remove discoverable passwords in Active Directory account attributes. Detection update: Suspected Brute Force attack (Kerberos, NTLM). Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase. Microsoft Defender for Office 365 SecOps can now dispute Microsoft's verdict on previously submitted email or URLs when they believe the result is incorrect. Disputing an item links back to the original submission and triggers a reevaluation with full context and audit history. Learn more. Microsoft Security Blogs Dissecting PipeMagic: Inside the architecture of a modular backdoor framework A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application. Think before you Click(Fix): Analyzing the ClickFix social engineering technique The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. Storm-0501’s evolving techniques lead to cloud-based ransomware Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).Scope Identity Protection with Defender for Identity is Now Generally Available
I am excited to announce the general availability (GA) of domain-based scoping for Active Directory within Microsoft Defender for Identity. This is a foundational step in extending role-based access control (RBAC) as part of the broader XDR URBAC initiative. This new capability enables SOC analysts to define and refine the scope of Microsoft Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. What is “scoping” and why does it matter? As organizations grow, so does their identity fabric and as security professionals look to manage these increasingly complex identity environments, the ability to control who can access what -and where- is critical. Whether for legal or efficiency reasons many organizations need a way to delegate access based on responsibility or ownership. The new scoping capability is part of Microsoft Defender's unified role-based access control (URBAC) model which allows customers to refine investigation and administration experiences by Active Directory domains, providing: Optimize performance - improve efficiency by focusing analysts on critical assets without the noise of other non-essential alerts and data outside their purview. Enhance visibility control - visibility on specific Active Directory domains. Support operational boundaries - align access and responsibility across SOC analysts, identity admins, and regional teams. This enhancement is part of Microsoft Defender XDR’s unified role-based access control (URBAC) model and sets the foundation for even more granular controls in the future. What can be scoped? Users assigned to scoped roles will only see data, such as alerts, identities, and activities, related to the Active Directory domains included in the assignment in the XDR role. This ensures that security teams can focus on the assets they are responsible for, without being exposed to information from outside their organizational boundaries. Today this includes: Alerts and incidents: Analysts will only see alerts and incidents related to identities within the scoped Active Directory domains within their queue. Entity pages: Users can only access the account details of identities within the Active Directory domains they are scoped for. Advanced hunting and investigations: Data is automatically filtered to include only scoped data. For the full list of supported experiences, see our documentation. How to configure scoping rules: This release is part of our ongoing XDR URBAC effort, bringing consistent and unified role-based access control across Microsoft Defender products. Domain-based scoping is now available for public preview in Microsoft Defender for Identity and aligns with the same RBAC principles used across the XDR platform. To enable the feature, follow these steps: Navigate to XDR permissions page --> Microsoft Defender XDR --> Roles. You can edit existing roles or create a new custom role Add an assignment and create a scoping role with the same set of permissions Define Entra ID user or groups to be assigned to the role Choose Microsoft Defender for Identity as a data source and select User groups (AD domains) that will be scoped to the assignment. Once configured, customers can restrict SOC analysts to viewing only specific entities, ensuring they have access only to the data relevant to their responsibilities and improving security control. Before enabling scoping, ensure that: You have Microsoft Defender for Identity sensor installed. The Identity workload for URBAC is activated. To manage roles without Global Administrator or Security Administrator privileges, customers must configure Authorization permissions through URBAC. Learn more here. What’s next Some experiences are still in progress and will be expanded over time. For setup guidance and more details, visit the Defender for Identity documentation. To stay informed about upcoming enhancements and expanded support for scoping experiences, follow our What’s New documentation page.
Leaving the key under the doormat: How Microsoft Defender uses AI to spot exposed credentials
Imagine locking your front door, only to leave the key under the doormat. It’s a habit many know is risky, but it’s still surprisingly common. In cybersecurity terms this is the equivalent of storing credentials in plain text fields within Active Directory. Microsoft Defender can now help eliminate this vulnerability with a new, AI-powered posture alert that uses layers of intelligence to spot exposed credentials. Understanding free text fields in identity systems: Within identity systems like Active Directory (AD) and Microsoft Entra ID, free text fields are customizable attributes that allow administrators to store unstructured or semi-structured data. Because they are flexible and not tightly governed by schema constraints, free text fields can also be used to support integrations with HR systems, email signature tools, or Privileged Access Management (PAM) solutions. In hybrid identity environments clear text fields play a pivotal role in bridging operational gaps. Administrators rely on them to carry over business-critical context such as cost centers, project tags, or legacy system references during synchronization. Their unstructured nature however, also introduces risk. If sensitive data like credentials or personal identifiers are stored in these fields without proper controls, they can become a vector for exposure. Non-human identities (NHI) are often disproportionately impacted by this issue. And it makes sense, in addition to substantially outnumbering their human counterparts, NHI’s cannot interact with systems through traditional authentication methods like MFA. Administrators, under pressure to maintain uptime and ensure seamless automation, may store the credentials for these accounts in clear text fields. For example, a service account used by an application might have its password stored in the description or info field of an AD object to simplify troubleshooting or integration. These practices, while expedient, create a high-value target for attackers. NHI also often operate with elevated privileges and are frequently overlooked in traditional security models making them an even more tantalizing target for would be attackers. But it’s not just NHI that are at risk. In our initial research and testing we identified more than 40,000 exposed credentials across 2,500 tenants. More importantly we increasingly see bad actors and red teams targeting these fields to gain access and move laterally and thanks to the speed, scale and precision of AI-powered enumeration tools the time to exploit them has shifted from hours to seconds. Turning the tables with layered intelligence Microsoft is leveling the playing field with a powerful new posture alert in Defender that can help detect exposed credentials with unprecedented precision. This alert is part of a broader initiative to help organizations proactively identify and remediate identity misconfigurations before they’re exploited, but what sets it apart is its layered AI-driven detection model. First, a detailed scan of identity directories flags potential credential exposures. This includes everything from base64-encoded secrets to strings that match known password structures. Once complete, a more advanced AI model steps in to analyze the context, language, and structure. Looking at everything from the type of identity its associated with, if the value is static or recently changed and whether it’s referenced in automation scripts or log. This additional layer dramatically reduces false positives and ensures that alerts are both high-confidence and actionable. By embedding AI directly into posture management, Microsoft is giving security teams the same speed and scale that attackers have been using only now it’s to help stop compromise before an attack ever occurs. Getting started: This new posture recommendation is now in public preview and available to all Defender for Identity customers. To learn more about the recommendation check out our documentation here or to see if any credentials were left under your digital doormat, navigate to the “Exposure Management” section within the Defender portal and search for the recommendation.Monthly news - August 2025
Microsoft Defender XDR Monthly news - August 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender Microsoft Sentinel is moving to the Microsoft Defender portal to deliver a unified, AI-powered security operations experience. Many customers have already made the move. Learn how to plan your transition and take advantage of new capabilities in the this blog post. Introducing Microsoft Sentinel data lake. We announced a significant expansion of Microsoft Sentinel’s capabilities through the introduction of Sentinel data lake, now rolling out in public preview. Read this blog post for a look at some of Sentinel data lake’s core features. (Public Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. (Public Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken. Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel. Microsoft Sentinel’s new Summary Rules Templates offer a structured and efficient approach to aggregating verbose data - enabling security teams to extract meaningful insights while optimizing resource usage. Automating Microsoft Sentinel: Playbook Fundamentals. This is the third entry of the blog series on automating Microsoft Sentinel. In this post, we’re going to start talking about Playbooks which can be used for automating just about anything. Customer success story: Kuwait Credit Bank boosts threat detection and response with Microsoft Defender. To modernize its security posture, the bank unified its security operations under Microsoft Defender XDR, integrating Microsoft Sentinel and Microsoft Purview. Microsoft Defender for Cloud Apps App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, Arab Emirates and Asia Pacific. For more details, see our documentation.. Updated network requirements for GCC and Gov customers. To support ongoing security enhancements and maintain service availability, Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration as described here. Discover and govern ChatGPT and other AI apps accessing Microsoft 365 with Defender for Cloud Apps. In this blog post, we’ll explore how Defender for Cloud Apps helps security teams gain enhanced visibility into the permissions granted to AI applications like ChatGPT as they access Microsoft 365 data. We’ll also share best practices for app governance to help security teams make informed decisions and take proactive steps to enable secure usage of AI apps accessing Microsoft 365 data. Microsoft Defender for Endpoint (General Availability) Microsoft Defender Core service is now generally available on Windows Server 2019 or later which helps with the stability and performance of Microsoft Defender Antivirus. Microsoft Defender for Identity Expanded coverage in ITDR deployment health widget. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure. Time limit added to Recommended test mode. Recommended test mode configuration on the Adjust alert thresholds page, now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied. Identity scoping is now available in Governance environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. New security posture assessments for unmonitored identity servers. Defender for Identity has three new security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Learn more in our documentation. Microsoft Defender for Office 365 Protection against multi-modal attacks with Microsoft Defender. This blog post showcases how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal. Users can report external and intra-org Microsoft Teams messages from chats, standard and private channels, meeting conversations to Microsoft, the specified reporting mailbox, or both via user reported settings. Microsoft Security Blogs Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats. Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability. Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence. Disrupting active exploitation of on-premises SharePoint vulnerabilities. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.Microsoft Defender for Identity extends ITDR capabilities to Okta identities
Identities are the organization’s new security perimeter and are a prime target for cyber-criminals. However, with today’s ever-evolving digital landscape, security leaders often wrestle with a tapestry of different identity solutions spanning multiple environments and vendors, making identity protection more challenging than ever. Because of this, security professionals understand that identity threat detection and response (ITDR) is a fundamental piece of their security practice that helps them to comprehensively secure their unique identity fabric across identity solutions, environments, and vendors. What is changing? Today, I am excited to announce that Microsoft Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. As a leader in both Identity (IAM) and security, Microsoft provides comprehensive visibility, posture recommendations, and detection and response capabilities for our customer’s unique identity fabric - now including Okta. With these new protections from Defender, our customers will benefit from enhanced visibility and control for their Okta environments, including: Holistic identity visibility – A unified identity inventory with correlated view of accounts across Active Directory, Entra ID, and Okta. For instance, a user with an Entra ID and an Okta account would appear as one entity - meaning SOC professionals can easily zoom into a specific identity to see all their related accounts, their privileges, and any related security alerts. This holistic perspective is crucial for maintaining robust security postures and allows IT and security teams to identify potential vulnerabilities across different platforms seamlessly. Identity Threat Detection and Response (ITDR) – Alert on identity threats in Okta and trigger corresponding response actions, including detection of lateral movement between on-premises and cloud environments. This capability is crucial for mitigating sophisticated attacks that seek to exploit the transition between different identity platforms. The integration will also surface Okta logs and data within the Advanced Hunting like we already do for Active Directory and Entra ID, allowing security teams to delve into threats across the different platforms in a single place. Identity-specific posture recommendations (ISPM) - Expand the already robust set of identity security posture recommendations to include recommendations for Okta identities (e.g. dormant Okta accounts), and map how those posture gaps can be leveraged into attack paths. Adhering to these posture recommendations enables organizations to proactively prevent threats, rather than responding reactively. How can I take advantage of these new capabilities? Defender for Identity customers looking to take advantage of these new capabilities can read more here. Be advised that to get the full potential of enhanced integration, make sure your organization has Okta for Workforce with Identity Enterprise license.Monthly news - June 2025
Microsoft Defender XDR Monthly news - June 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph. In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats. (Public Preview) Unified detections rules list that includes both analytics rules and custom detections is in public preview. Learn more in our docs. The Best of Microsoft Sentinel — Now in Microsoft Defender. We are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. (General Available) Multi workspace for single and multi tenant is now in General Available. (Public Preview) Case management now available for the Defender multitenant portal. For more information, see View and manage cases across multiple tenants in the Microsoft Defender multitenant portal. (Public Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. For more information, see Visualize security impact with the unified security summary. (Public Preview) New Microsoft Teams table: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery (Public Preview) New Microsoft Teams table: The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization (Public Preview) New Microsoft Teams table: The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization Unified IdentityInfo table in advanced hunting now includes the largest possible set of fields common to both Defender and Azure portals. Microsoft Defender for Endpoint (Webinar - YouTube Link) Secure Your Servers with Microsoft's Server Protection Solution- This webinar offers an in-depth exploration of Microsoft Defender for Endpoint on Linux. Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test. Discover how automatic attack disruption protects critical assets while ensuring business continuity. Microsoft Defender for Office 365 Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel New deployment guide: Quickly configure Microsoft Teams protection in Defender for Office 365 Plan 2 New SecOps guide: Security Operations Guide for Teams protection in Defender for Office 365 Video - Ninja Show: Advanced Threat Detection with Defender XDR Community Queries Video- Mastering Microsoft Defender for Office 365: Configuration Best Practices Video - Ninja Show: Protecting Microsoft Teams with Defender for Office 365 This blog discussed the new Defender for Office 365 Language AI for Phish Model. SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps. Microsoft Defender for Cloud Apps New Applications inventory page now available in Defender XDR. The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. For more information, see Application inventory overview. The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications. Note: As part of our ongoing convergence process across Defender workloads, Defender for Cloud Apps SIEM agents will be deprecated starting November 2025. Learn more. Microsoft Defender for Identity (Public Preview) Expanded New Sensor Deployment Support for Domain Controllers. Learn more. Active Directory Service Accounts Discovery Dashboard. Learn more. Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page. The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. Note: Local administrators collection (using SAM-R queries) feature will be disabled. Microsoft Security Blogs Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape Marbled Dust leverages zero-day in Output Messenger for regional espionage Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer New Russia-affiliated actor Void Blizzard targets critical sectors for espionage Defending against evolving identity attack techniques Threat Analytics (Access to the Defender Portal needed) Activity profile - AITM campaign with brand impersonated OAUTH applications Threat overview: SharePoint Server and Exchange Server threats Vulnerability profile: CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability Actor profile: Storm-0593 [TA update] Actor profile: Storm-0287 Activity Profile: Marbled Dust leverages zero-day to conduct regional espionage [TA update] Technique profile: ClickFix technique leverages clipboard to run malicious commands Technique profile: LNK file UI feature abuse Technique profile: Azure Blob Storage threats Activity profile: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer Vulnerability profile - CVE-2025-30397 Activity profile: Recent OSINT trends in information stealersExpanding the Identity perimeter: the rise of non-human identities
Expanding the Identity perimeter With the rise of cloud applications and AI, machine-to-machine access and authentication has become even more prevalent. From automating workflows, integrating applications, managing cloud services and even powering AI agents, non-human identity (NHI) has become vital to modern work. These digital constructs come in many different varieties, each with their own unique characteristics, but because they are foundational elements of many critical business processes, they represent a prime target for cyber-criminals. Not only do NHI greatly outnumber their human counterparts but they are also often highly privileged, eliminating the need for the attacker to elevate this status themselves. AI agents are expected to drive even faster growth machine identities. Copilot Studio alone has more than 230,000 organizations — including 90% of the Fortune 500- already using it to build AI agents and automations. What are non-human Identities? Non-human identities or machine identities like service accounts in Active Directory, Entra registered service principals and third-party OAuth apps, cloud workload identities, AI agents and Secrets each have their own unique roles, responsibilities and vulnerabilities. Despite their importance, there is no team dedicated to securing them holistically, leading to a lack of: Visibility: Different teams are often responsible for the creation of the various types of NHI. Due to this, organizations are often blind to what accounts exist, where, and who owns them. Governance and Management: Limited policies and regulations on how these accounts should be set up, used and managed can create situations where accounts are overprivileged or shared across multiple applications and even where their credentials are stored in plain text or their passwords become stale and susceptible to exploitation. Gaps like these in policy and the lifecycle management of NHI expose organizations to increased risk. Protection: Without dedicated security controls, non-human identities (NHIs) are often left exposed to threats such as credential theft, misuse, or unauthorized access. Many of these identities operate with elevated privileges, making them attractive targets for attackers. A lack of consistent monitoring, anomaly detection, and automated response mechanisms further increases the risk. Effective protection requires implementing least privilege access, rotating credentials regularly, encrypting secrets, and integrating NHIs into a broader identity threat detection and response strategy. How can Microsoft help protect your NHI? While NHIs are a recent term, they have been a critical focus area within Microsoft Security for a long time. Today, Microsoft Security delivers an end-to-end solution for monitoring, securing, and managing non-human identities across their entire lifecycle. Organizations benefit from a comprehensive set of unified capabilities, including: Full-spectrum discovery and visibility: Identify all non-human identities and secrets - including service principals, tokens, keys, and application credentials, across hybrid and multi-cloud environments. Enrichment and risk analysis: Gain deep insights into each identity’s privileges, activity patterns, ownership, and authentication methods to prioritize risks and streamline remediation. Secrets management: Detect secrets in insecure or inappropriate locations, validate their usage, and provide actionable recommendations for protection and remediation. Lifecycle and access governance: Monitor for stale or orphaned accounts, govern OAuth enabled and third-party connections, enforce credential rotation, manage ownership transfer, and ensure secure decommissioning of machine identities. Threat detection and response: Get alerts on suspicious activity or policy deviations, such as unusual privilege escalation, excessive app permissions, or risky machine-to-machine communications. Together, these integrated capabilities empower organizations to proactively identify and mitigate NHI risks, reduce attack surfaces, and strengthen access controls, no matter where identities live or how fast they change. Microsoft brings these protections together, so you can secure every identity -– human and non-human -– across your digital estate. For example, automatic classification rules help organizations quickly find and secure Service Accounts within their organization. 1: Service Account classification capabilities from Defender for Identity And the Microsoft's "Attack Paths" capabilities allow users to see all their NHIs, their connections, associated risks and context, as well as potential lateral movement paths. 2: Attack path mapping in Microsoft Defender illustrates a scenario where a resource contains a service principal certificate that can authenticate asa service principal with permissions to a sensitive database. This represents a risky lateral movement path — one that is now visible and can be proactively secured. What does this mean for you? Non-human identities (NHI) have become a critical yet overlooked component of modern security practices. While each type of NHI poses distinct challenges, they are tightly interconnected and require expertise across the security landscape. This is what makes Microsoft such a powerful partner. Our leadership in identity, security and now AI make us uniquely qualified to help your organization, and your machine identities, stay protected against threats. Our unified approach: consolidating visibility, control, and protection across AI, cloud, apps, data, devices and identities helps comprehensively secure all NHI and your organization. And this is only the beginning. Our team is already hard at work building the cohesive, intelligent defense layer our customers will need to remain protected today and, in the future, including leveraging our leadership in AI to help our customers secure their organizations, and their AI agents, against attacks.Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code Phishing
