Cybersecurity: What Every Business Leader Needs to Know Now
As a Senior Cybersecurity Solution Architect, I’ve had the privilege of supporting organisations across the United Kingdom, Europe, and the United States—spanning sectors from finance to healthcare—in strengthening their security posture. One thing has become abundantly clear: cybersecurity is no longer the sole domain of IT departments. It is a strategic imperative that demands attention at board-level. This guide distils five key lessons drawn from real-world engagements to help executive leaders navigate today’s evolving threat landscape. These insights are not merely technical—they are cultural, operational, and strategic. If you’re a C-level executive, this article is a call to action: reassess how your organisation approaches cybersecurity before the next breach forces the conversation. In this article, I share five lessons (and quotes) from the field that help demystify how to enhance an organisation’s security posture. 1. Shift the Mindset “This has always been our approach, and we’ve never experienced a breach—so why should we change it?” A significant barrier to effective cybersecurity lies not in the sophistication of attackers, but in the predictability of human behaviour. If you’ve never experienced a breach, it’s tempting to maintain the status quo. However, as threats evolve, so too must your defences. Many cyber threats exploit well-known vulnerabilities that remain unpatched or rely on individuals performing routine tasks in familiar ways. Human nature tends to favour comfort and habit—traits that adversaries are adept at exploiting. Unlike many organisations, attackers readily adopt new technologies to advance their objectives, including AI-powered ransomware to execute increasingly sophisticated attacks. It is therefore imperative to recognise—without delay—that the advent of AI has dramatically reduced both the effort and time required to compromise systems. As the UK’s National Cyber Security Centre (NCSC) has stated: “AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.” Similarly, McKinsey & Company observed: “As AI quickly advances cyber threats, organisations seem to be taking a more cautious approach, balancing the benefits and risks of the new technology while trying to keep pace with attackers’ increasing sophistication.” To counter this evolving threat landscape, organisations must proactively leverage AI in their cyber defence strategies. Examples include: Identity and Access Management (IAM): AI enhances IAM by analysing real-time signals across systems to detect risky sign-ins and enforce adaptive access controls. Example: Microsoft Entra Agents for Conditional Access use AI to automate policy recommendations, streamlining access decisions with minimal manual input. Figure 1: Microsoft Entra Agents Threat Detection: AI accelerates detection, response, and recovery, helping organisations stay ahead of sophisticated threats. Example: Microsoft Defender for Cloud’s AI threat protection identifies prompt injection, data poisoning, and wallet attacks in real time. Incident Response: AI facilitates real-time decision-making, removing emotional bias and accelerating containment and recovery during security incidents. Example: Automatic Attack Disruption in Defender XDR, which can automatically contain a breach in progress. AI Security Posture Management AI workloads require continuous discovery, classification, and protection across multi-cloud environments. Example: Microsoft Defender for Cloud’s AI Security Posture Management secures custom AI apps across Azure, AWS, and GCP by detecting misconfigurations, vulnerabilities, and compliance gaps. Data Security Posture Management (DSPM) for AI AI interactions must be governed to ensure privacy, compliance, and insider risk mitigation. Example: Microsoft Purview DSPM for AI enables prompt auditing, applies Data Loss Prevention (DLP) policies to third-party AI apps like ChatGPT, and supports eDiscovery and lifecycle management. AI Threat Protection Organisations must address emerging AI threat vectors, including prompt injection, data leakage, and model exploitation. Example: Defender for AI (private preview) provides model-level security, including governance, anomaly detection, and lifecycle protection. Embracing innovation, automation, and intelligent defence is the secret sauce for cyber resilience in 2026. 2. Avoid One-Off Purchases – Invest with a Strategy “One MDE and one Sentinel to go, please.” Organisations often approach me intending to purchase a specific cybersecurity product—such as Microsoft Defender for Endpoint (MDE)—without a clearly articulated strategic rationale. My immediate question is: what is the broader objective behind this purchase? Is it driven by perceived value or popularity, or does it form part of a well-considered strategy to enhance endpoint security? Cybersecurity investments should be guided by a long-term, holistic strategy that spans multiple years and is periodically reassessed to reflect evolving threats. Strengthening endpoint protection must be integrated into a wider effort to improve the organisation’s overall security posture. This includes ensuring seamless integration between security solutions and avoiding operational silos. For example, deploying robust endpoint protection is of limited value if identities are not safeguarded with multi-factor authentication (MFA), or if storage accounts remain publicly accessible. A cohesive and forward-looking approach ensures that all components of the security architecture work in concert to mitigate risk effectively. Security Adoption Journey (Based on Zero Trust Framework) Assess – Evaluate the threat landscape, attack surface, vulnerabilities, compliance obligations, and critical assets. Align – Link security objectives to broader business goals to ensure strategic coherence. Architect – Design integrated and scalable security solutions, addressing gaps and eliminating operational silos. Activate – Implement tools with robust governance and automation to ensure consistent policy enforcement. Advance – Continuously monitor, test, and refine the security posture to stay ahead of evolving threats. Security tools are not fast food—they work best as part of a long-term plan, not a one-off order. This piecemeal approach runs counter to the modern Zero Trust security model, which assumes no single tool will prevent every breach and instead implements layered defences and integration. 3. Legacy Systems Are Holding You Back “Unfortunately, we are unable to implement phishing-resistant MFA, as our legacy app does not support integration with the required protocols.” A common challenge faced by many organisations I have worked with is the constraint on innovation within their cybersecurity architecture, primarily due to continued reliance on legacy applications—often driven by budgetary or operational necessity. These outdated systems frequently lack compatibility with modern security technologies and may introduce significant vulnerabilities. A notable example is the deployment of phishing-resistant multi-factor authentication (MFA)—such as FIDO2 security keys or certificate-based authentication—which requires advanced identity protocols and conditional access policies. These capabilities are available exclusively through Microsoft Entra ID. To address this issue effectively, it is essential to design security frameworks based on the organisation’s future aspirations rather than its current limitations. By adopting a forward-thinking approach, organisations can remain receptive to emerging technologies that align with their strategic cybersecurity objectives. Moreover, this perspective encourages investment in acquiring the necessary talent, thereby reducing reliance on extensive change management and staff retraining. I advise designing for where you want to be in the next 1–3 years—ideally cloud-first and identity-driven—essentially adopting a Zero Trust architecture, rather than being constrained by the limitations of legacy systems. 4. Collaboration Is a Security Imperative “This item will need to be added to the dev team's backlog. Given their current workload, they will do their best to implement GitHub Security in Q3, subject to capacity.” Cybersecurity threats may originate from various parts of an organisation, and one of the principal challenges many face is the fragmented nature of their defence strategies. To effectively mitigate such risks, cybersecurity must be embedded across all departments and functions, rather than being confined to a single team or role. In many organisations, the Chief Information Security Officer (CISO) operates in isolation from other C-level executives, which can limit their influence and complicate the implementation of security measures across the enterprise. Furthermore, some teams may lack the requisite expertise to execute essential security practices. For instance, an R&D lead responsible for managing developers may not possess the necessary skills in DevSecOps. To address these challenges, it is vital to ensure that the CISO is empowered to act without political or organisational barriers and is supported in implementing security measures across all business units. When the CISO has backing from the COO and HR, initiatives such as MFA rollout happen faster and more thoroughly. Cross-Functional Security Responsibilities Role Security Responsibilities R&D - Adopt DevSecOps practices - Identify vulnerabilities early - Manage code dependencies - Detect exposed secrets - Embed security in CI/CD pipelines CIO - Ensure visibility over organizational data - Implement Data Loss Prevention (DLP) - Safeguard sensitive data lifecycle - Ensure regulatory compliance CTO - Secure cloud environments (CSPM) - Manage SaaS security posture (SSPM) - Ensure hardware and endpoint protection COO - Protect digital assets - Secure domain management - Mitigate impersonation threats - Safeguard digital marketing channels and customer PII Support & Vendors - Deliver targeted training - Prevent social engineering attacks - Improve awareness of threat vectors HR - Train employees on AI-related threats - Manage insider risks - Secure employee data - Oversee cybersecurity across the employee lifecycle Empowering the CISO to act across departments helps organisations shift towards a security-first culture—embedding cybersecurity into every function, not just IT. 5. Compliance Is Not Security “We’re compliant, so we must be secure.” Many organisations mistakenly equate passing audits—such as ISO 27001 or SOC 2—with being secure. While compliance frameworks help establish a baseline for security, they are not a guarantee of protection. Determined attackers are not deterred by audit checklists; they exploit gaps, misconfigurations, and human error regardless of whether an organisation is certified. Moreover, due to the rapidly evolving nature of the cyber threat landscape, compliance frameworks often struggle to keep pace. By the time a standard is updated, attackers may already be exploiting new techniques that fall outside its scope. This lag creates a false sense of security for organisations that rely solely on regulatory checkboxes. Security is a continuous risk management process—not a one-time certification. It must be embedded into every layer of the enterprise and treated with the same urgency as other core business priorities. Compliance may be the starting line, not the finish line. Effective security goes beyond meeting regulatory requirements—it demands ongoing vigilance, adaptability, and a proactive mindset. Conclusion: Cybersecurity Is a Continuous Discipline Cybersecurity is not a destination—it is a continuous journey. By embracing strategic thinking, cross-functional collaboration, and emerging technologies, organisations can build resilience against today’s threats and tomorrow’s unknowns. The lessons shared throughout this article are not merely technical—they are cultural, operational, and strategic. If there is one key takeaway, it is this: avoid piecemeal fixes and instead adopt an integrated, future-ready security strategy. Due to the rapidly evolving nature of the cyber threat landscape, compliance frameworks alone cannot keep pace. Security must be treated as a dynamic, ongoing process—one that is embedded into every layer of the enterprise and reviewed regularly. Organisations should conduct periodic security posture reviews, leveraging tools such as Microsoft Secure Score or monthly risk reports, and stay informed about emerging threats through threat intelligence feeds and resources like the Microsoft Digital Defence Report, CISA (Cybersecurity and Infrastructure Security Agency), NCSC (UK National Cyber Security Centre), and other open-source intelligence platforms. As Ann Johnson aptly stated in her blog: “The most prepared organisations are those that keep asking the right questions and refining their approach together.” Cyber resilience demands ongoing investment—in people (through training and simulation drills), in processes (via playbooks and frameworks), and in technology (through updates and adoption of AI-driven defences). To reduce cybersecurity risk over time, resilient organisations must continually refine their approach and treat cybersecurity as an ongoing discipline. The time to act is now. Resources: https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat Defend against cyber threats with AI solutions from Microsoft - Microsoft Industry Blogs Generative AI Cybersecurity Solutions | Microsoft Security Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles - Microsoft Entra ID | Microsoft Learn AI is the greatest threat—and defense—in cybersecurity today. Here’s why. Microsoft Entra Agents - Microsoft Entra | Microsoft Learn Smarter identity security starts with AI https://www.microsoft.com/en-us/security/blog/2025/06/12/cyber-resilience-begins-before-the-crisis/ https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2023-critical-cybersecurity-challenges https://www.microsoft.com/en-us/security/blog/2025/06/12/cyber-resilience-begins-before-the-crisis/
"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on I would guess 5% - 10% of our submissions.
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?MVP Champ Spotlight- Pierre Thoor
Pierre is recognized as a Most Valued Professional (MVP) by Microsoft as an exceptional community leader for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: FAQ | Most Valuable Professionals. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content to help address the community needs. Read the interview below! Picture of Pierre celebrating the publication of his book: Microsoft Defender for Identity in Depth. Link to check it out: https://www.amazon.com/Microsoft-Defender-Identity-Depth-cyberattack/dp/B0DK1HW2KX Personal Story and Credibility Q: Tell us a bit about your role and background: how did you become focused on email security and Microsoft Defender for Office? A: I began my career in 3rd line Windows Server support, where I first developed an interest in cybersecurity through Windows patch management. A few years later, I became more focused on Microsoft Exchange Server and securing mail flow. As the industry moved into Office 365 and Exchange Online, email protection kept improving, but it also became clear to me that email remained the number one attack vector. Most incident response cases I was involved in had a phishing or malicious email component. That’s when I realized that strengthening defenses around email could reduce a huge percentage of overall risk. Microsoft Defender for Office (MDO) naturally became my focus, not just because it protects email, but because it connects detection, protection, and response across the Microsoft 365 ecosystem. Over time, I’ve worked with everything from MDO deployment strategies and securing Microsoft 365 and Azure services to building SOC playbooks, and it’s grown into a real passion area for me. Q: What’s been your proudest moment as a security practitioner where MDO played a critical role? A: My proudest moments are when I can clearly see that MDO has stopped something dangerous before it reached users. For example, watching a phishing campaign get blocked at scale and being able to trace that in the reporting gives real proof that the protections are working as intended. It’s not about one single incident, but about seeing the technology deliver measurable protection in day-to-day use. Blueprint 1: Deployment and Adoption Strategy Q: When organizations are just starting with MDO, what are the first three steps you recommend for a successful rollout? A: I usually recommend three key steps for a successful rollout: Start with email authentication and baseline hygiene. Make sure SPF, DKIM, and DMARC are properly configured, and that your MX records point to Exchange Online. This ensures that MDO has the right signals to work effectively. Run a pilot with Preset Security Policies. Use Microsoft’s Preset Security Policies (Standard or Strict) instead of relying on the default built-in protections. The defaults are often mistaken for being “secure enough”, but they leave important gaps. Start with a smaller pilot group, validate the impact, and make sure you as an admin understand the order of precedence between preset and custom policies. This prevents misconfigurations when you scale out. Leverage hunting and reporting early. Get familiar with the hunting tables in advanced hunting and the reporting capabilities in MDO. Even in the first 30–60 days, learning how to use Threat Explorer, submission reports, and campaign views will give you strong visibility and confidence in the rollout. Q: What common mistakes or misconceptions do you see teams make when deploying MDO? A: One of the most common mistakes I see is treating MDO as a “set it and forget it” product. As an SOC analyst or security administrator, you really need to understand the settings and continuously monitor what types of emails are entering your organization. Another common gap is not using the submission process effectively. Submitting false positives and false negatives is critical, because those signals feed directly back into Microsoft’s protection systems. The machine learning models behind MDO are continuously retrained on customer submissions, which means your input not only improves your own tenant’s protection but also strengthens detections globally. I also see organizations overlook the threat hunting side of MDO. Knowing the advanced hunting tables connected to email, such as EmailEvents, EmailUrlInfo, and EmailAttachmentInfo, is key for proactive defense. These give you the ability to trace campaigns, investigate suspicious patterns, and connect email telemetry with other Defender signals. Finally, many organizations still rely only on the Default Built-in Protection, instead of moving to Preset Security Policies (Standard or Strict) or creating custom ones. On top of that, administrators often don’t understand the policy precedence, and that lack of awareness can leave real gaps in how email is filtered and protected. Q: Can you share your own checklist or framework for configuring MDO to get quick wins in the first 30–60 days? A: In the first 30–60 days, I focus on quick wins that build a strong foundation and give early visibility. My checklist looks like this: Establish the foundation Configure email authentication: SPF, DKIM, and DMARC. Enable Preset Security Policies (Standard at minimum). If you’re using custom policies instead, make sure quarantine policies are in place. Understand policy precedence and configure the Tenant Allow/Block List (TABL). Secure collaboration and file sharing Enable Safe Links and Safe Attachments for all users. Turn on Zero-hour Auto Purge (ZAP) for Teams. Prevent users from downloading malicious files in OneDrive, Teams, and SharePoint Online. Set up administration and controls Enable and understand Unified RBAC to control who can manage MDO and investigate emails in Threat Explorer. Use Configuration Analyzer or the ORCA PowerShell module to validate your setup against best practices. Build operational processes Establish a clear submission process for false positives and false negatives. Review Threat Explorer weekly to build familiarity with reporting and investigation. Expand into hunting and alerting Learn the key advanced hunting tables related to email. Build custom KQL-based alerts in Defender XDR to fit your organization’s workflows. Blueprint 2: Operational Excellence Q: What features or policies have given your SOC team the biggest efficiency gains? A: The features that have given the biggest efficiency gains are Automated Investigation and Response (AIR) and adopting the Strict Preset Security Policies. With AIR, user-reported phishing emails automatically trigger an investigation playbook. The system checks details such as the sender, sending infrastructure, whether similar messages exist in the tenant, and if the campaign is already known. Safe submissions are automatically cleared, while risky ones are enriched with recommended remediation steps. This greatly reduces noise and makes investigations faster and more consistent. Moving to Strict Preset Policies also had a major impact. Instead of relying on the weaker default protections, Strict presets raise the security baseline and block more threats up front, which reduces the overall number of alerts and investigations needed. Q: Could you walk us through one or two “playbooks” that your team uses to detect, respond, and remediate email threats? A: One of our main playbooks is for a compromised user or mailbox. It starts with an incident in Defender XDR, and then we trigger our automation built on Azure Durable Functions. The automation checks for unusual sign-ins in Entra ID, forces a password reset, revokes active tokens, and resets MFA methods. It also reviews mailbox rules for suspicious changes and if the user is blocked from sending email, sends an SMS to the end user with next steps, and finally logs all actions back into the incident for visibility. Blueprint 3: Driving Business Outcomes Q: How do you measure and report the value of MDO back to business stakeholders? A: We highlight MDO’s business value using the Microsoft Defender for Office 365 Overview dashboard, which provides clear, visual metrics, like threats blocked before delivery, items purged post-delivery via ZAP, and any “uncaught” threats. The dashboard also gives insights into phishing, malware, spam, impersonation detections, and risky allows. These visuals help business stakeholders quickly understand how email threats are being prevented, and where improvements are needed. Q: What metrics or KPIs should every MDO practitioner track to prove success? A: For me, the most important KPIs in MDO are: Efficacy – percentage of malicious emails blocked before delivery vs. those removed after delivery. User resilience – phishing click rate and volume of user-reported messages. Operational performance – mean time to detect and remediate email threats. Quality of tuning – false positive and false negative rates. Blueprint 4: Scaling and Maturing Use Q: Once the basics are in place, what’s the path to advanced adoption? A: Once the basics are in place, the path to advanced adoption usually looks like this: Move from presets to custom policies – Microsoft recommends Preset Security Policies, but if your organization requires customization, make sure every user is still covered and protected. Enable Automated Investigation and Response (AIR) – to take advantage of Microsoft’s built-in automation for user-reported phishing and other alerts. Build additional automation playbooks – for example, in Logic Apps (or use Azure Functions), to integrate MDO signals into wider incident response workflows. Use Attack Simulation Training – to measure user resilience and strengthen awareness against phishing. Develop a SecOps guide for MDO – either adopt Microsoft’s guidance or create your own playbook for how to operate MDO in daily security operations. Q: How do you expand MDO’s impact across other tools or workflows (e.g., integration with SIEM, automation)? A: I expand MDO by treating it as a signal source in a SOAR pattern. MDO alerts/events flow into Defender XDR/Sentinel, which trigger Durable Functions. We fan-out to parallel tasks (enrichment, checks, and lookups), then fan-in to make a single decision and take actions. This turns MDO from just email protection into part of an automated response pipeline that also touches identity, endpoints, and collaboration tools. Q: What’s one advanced scenario you’ve implemented that other practitioners could replicate? A: One advanced scenario I’ve implemented is using MDO alerts to trigger an automated workflow in Azure Durable Functions. When a suspected phishing campaign is detected, the workflow enriches the signal with external intelligence sources like PhishTank for URL reputation and VirusTotal for file and hash lookups. From there, it decides on actions such as bulk-removing similar emails, updating the Tenant Allow/Block List, or notifying the SOC in Teams. Other practitioners could easily replicate this pattern, and even extend it with tools like ANY.RUN for sandboxing suspicious attachments. Blueprint 5: Community and Advocacy Q: Why do you want to share your experiences with the wider community? A: I believe sharing is caring – knowledge should be shared. Products like MDO can be complex, and it’s not always obvious how the settings actually work in practice. By sharing my own experiences and lessons learned, I try to make it easier for others to understand the product and configure it the right way. And at the same time, I also learn from the community. In the end, sharing is caring, if I can make MDO easier for someone else, then we all win. Q: One “field lesson” for every new MDO user? A: One field lesson I’d share is: don’t just turn MDO on and leave it. Take the time to understand how the features and settings really work, and share that knowledge with others. The product is powerful, but the real value comes when we as practitioners explain the ins and outs so others can avoid common mistakes. For me, sharing those lessons is just as important as learning them. Q: How can others follow your blueprint to adopt MDO effectively and become champions? A: To adopt MDO effectively, start simple: enable Preset Security Policies, make sure email authentication is in place, and build a process for handling submissions. From there, grow step by step, learn the product, get familiar with the hunting tables, and refine policies so they fit your organization. To become a champion, don’t keep that knowledge to yourself. Share your experiences, what worked and what didn’t, and help others avoid the same mistakes. Whether it’s inside your own company or with the wider community, that sharing is what makes you a go-to person others trust. In my view, that’s how you move from just being a practitioner to being a champion. Looking Forward Q: What feature are you most excited about in the roadmap? A: The feature I’m most excited about is the new ability to take actions directly from Advanced Hunting, submitting messages, adding to the Tenant Allow/Block List, and even triggering AIR investigations. For me, submissions and hunting are key parts of getting the most out of MDO, so bringing those actions together in one place will make it much easier to close the loop between detection and response. It’s a real step toward making MDO not just a filter, but an integrated part of SecOps workflows. Link: Microsoft 365 Roadmap | Microsoft 365 Q: One piece of feedback to influence MDO’s future? A: One piece of feedback I would give is around quarantine policies in Preset Security Policies. Today, if you use presets, you’re locked into Microsoft’s default quarantine settings and can’t attach your own custom quarantine policies. I would like to see more flexibility here, so that organizations can still benefit from the simplicity and strength of presets, but adjust the quarantine experience to fit their own needs. Q: Where do you see the biggest opportunities for Champs like you? A: The biggest opportunity for Champs is to be a bridge – sharing real-world lessons with the community and feedback with Microsoft. In the end, it’s about turning experience into progress for everyone.Hacking Made Easy, Patching Made Optional: A Modern Cyber Tragedy
In today’s cyber threat landscape, the tools and techniques required to compromise enterprise environments are no longer confined to highly skilled adversaries or state-sponsored actors. While artificial intelligence is increasingly being used to enhance the sophistication of attacks, the majority of breaches still rely on simple, publicly accessible tools and well-established social engineering tactics. Another major issue is the persistent failure of enterprises to patch common vulnerabilities in a timely manner—despite the availability of fixes and public warnings. This negligence continues to be a key enabler of large-scale breaches, as demonstrated in several recent incidents. The Rise of AI-Enhanced Attacks Attackers are now leveraging AI to increase the credibility and effectiveness of their campaigns. One notable example is the use of deepfake technology—synthetic media generated using AI—to impersonate individuals in video or voice calls. North Korean threat actors, for instance, have been observed using deepfake videos and AI-generated personas to conduct fraudulent job interviews with HR departments at Western technology companies. These scams are designed to gain insider access to corporate systems or to exfiltrate sensitive intellectual property under the guise of legitimate employment. Social Engineering: Still the Most Effective Entry Point And yet, many recent breaches have begun with classic social engineering techniques. In the cases of Coinbase and Marks & Spencer, attackers impersonated employees through phishing or fraudulent communications. Once they had gathered sufficient personal information, they contacted support desks or mobile carriers, convincingly posing as the victims to request password resets or SIM swaps. This impersonation enabled attackers to bypass authentication controls and gain initial access to sensitive systems, which they then leveraged to escalate privileges and move laterally within the network. Threat groups such as Scattered Spider have demonstrated mastery of these techniques, often combining phishing with SIM swap attacks and MFA bypass to infiltrate telecom and cloud infrastructure. Similarly, Solt Thypoon (formerly DEV-0343), linked to North Korean operations, has used AI-generated personas and deepfake content to conduct fraudulent job interviews—gaining insider access under the guise of legitimate employment. These examples underscore the evolving sophistication of social engineering and the need for robust identity verification protocols. Built for Defense, Used for Breach Despite the emergence of AI-driven threats, many of the most successful attacks continue to rely on simple, freely available tools that require minimal technical expertise. These tools are widely used by security professionals for legitimate purposes such as penetration testing, red teaming, and vulnerability assessments. However, they are also routinely abused by attackers to compromise systems Case studies for tools like Nmap, Metasploit, Mimikatz, BloodHound, Cobalt Strike, etc. The dual-use nature of these tools underscores the importance of not only detecting their presence but also understanding the context in which they are being used. From CVE to Compromise While social engineering remains a common entry point, many breaches are ultimately enabled by known vulnerabilities that remain unpatched for extended periods. For example, the MOVEit Transfer vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group to compromise hundreds of organizations, despite a patch being available. Similarly, the OpenMetadata vulnerability (CVE-2024-28255, CVE-2024-28847) allowed attackers to gain access to Kubernetes workloads and leverage them for cryptomining activity days after a fix had been issued. Advanced persistent threat groups such as APT29 (also known as Cozy Bear) have historically exploited unpatched systems to maintain long-term access and conduct stealthy operations. Their use of credential harvesting tools like Mimikatz and lateral movement frameworks such as Cobalt Strike highlights the critical importance of timely patch management—not just for ransomware defense, but also for countering nation-state actors. Recommendations To reduce the risk of enterprise breaches stemming from tool misuse, social engineering, and unpatched vulnerabilities, organizations should adopt the following practices: 1. Patch Promptly and Systematically Ensure that software updates and security patches are applied in a timely and consistent manner. This involves automating patch management processes to reduce human error and delay, while prioritizing vulnerabilities based on their exploitability and exposure. Microsoft Intune can be used to enforce update policies across devices, while Windows Autopatch simplifies the deployment of updates for Windows and Microsoft 365 applications. To identify and rank vulnerabilities, Microsoft Defender Vulnerability Management offers risk-based insights that help focus remediation efforts where they matter most. 2. Implement Multi-Factor Authentication (MFA) To mitigate credential-based attacks, MFA should be enforced across all user accounts. Conditional access policies should be configured to adapt authentication requirements based on contextual risk factors such as user behavior, device health, and location. Microsoft Entra Conditional Access allows for dynamic policy enforcement, while Microsoft Entra ID Protection identifies and responds to risky sign-ins. Organizations should also adopt phishing-resistant MFA methods, including FIDO2 security keys and certificate-based authentication, to further reduce exposure. 3. Identity Protection Access Reviews and Least Privilege Enforcement Conducting regular access reviews ensures that users retain only the permissions necessary for their roles. Applying least privilege principles and adopting Microsoft Zero Trust Architecture limits the potential for lateral movement in the event of a compromise. Microsoft Entra Access Reviews automates these processes, while Privileged Identity Management (PIM) provides just-in-time access and approval workflows for elevated roles. Just-in-Time Access and Risk-Based Controls Standing privileges should be minimized to reduce the attack surface. Risk-based conditional access policies can block high-risk sign-ins and enforce additional verification steps. Microsoft Entra ID Protection identifies risky behaviors and applies automated controls, while Conditional Access ensures access decisions are based on real-time risk assessments to block or challenge high-risk authentication attempts. Password Hygiene and Secure Authentication Promoting strong password practices and transitioning to passwordless authentication enhances security and user experience. Microsoft Authenticator supports multi-factor and passwordless sign-ins, while Windows Hello for Business enables biometric authentication using secure hardware-backed credentials. 4. Deploy SIEM and XDR for Detection and Response A robust detection and response capability is vital for identifying and mitigating threats across endpoints, identities, and cloud environments. Microsoft Sentinel serves as a cloud-native SIEM that aggregates and analyses security data, while Microsoft Defender XDR integrates signals from multiple sources to provide a unified view of threats and automate response actions. 5. Map and Harden Attack Paths Organizations should regularly assess their environments for attack paths such as privilege escalation and lateral movement. Tools like Microsoft Defender for Identity help uncover Lateral Movement Paths, while Microsoft Identity Threat Detection and Response (ITDR) integrates identity signals with threat intelligence to automate response. These capabilities are accessible via the Microsoft Defender portal, which includes an attack path analysis feature for prioritizing multicloud risks. 6. Stay Current with Threat Actor TTPs Monitor the evolving tactics, techniques, and procedures (TTPs) employed by sophisticated threat actors. Understanding these behaviours enables organizations to anticipate attacks and strengthen defenses proactively. Microsoft Defender Threat Intelligence provides detailed profiles of threat actors and maps their activities to the MITRE ATT&CK framework. Complementing this, Microsoft Sentinel allows security teams to hunt for these TTPs across enterprise telemetry and correlate signals to detect emerging threats. 7. Build Organizational Awareness Organizations should train staff to identify phishing, impersonation, and deepfake threats. Simulated attacks help improve response readiness and reduce human error. Use Attack Simulation Training, in Microsoft Defender for Office 365 to run realistic phishing scenarios and assess user vulnerability. Additionally, educate users about consent phishing, where attackers trick individuals into granting access to malicious apps. Conclusion The democratization of offensive security tooling, combined with the persistent failure to patch known vulnerabilities, has significantly lowered the barrier to entry for cyber attackers. Organizations must recognize that the tools used against them are often the same ones available to their own security teams. The key to resilience lies not in avoiding these tools, but in mastering them—using them to simulate attacks, identify weaknesses, and build a proactive defense. Cybersecurity is no longer a matter of if, but when. The question is: will you detect the attacker before they achieve their objective? Will you be able to stop them before reaching your most sensitive data? Additional read: Gartner Predicts 30% of Enterprises Will Consider Identity Verification and Authentication Solutions Unreliable in Isolation Due to AI-Generated Deepfakes by 2026 Cyber security breaches survey 2025 - GOV.UK Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | Microsoft Security Blog MOVEit Transfer vulnerability Solt Thypoon Scattered Spider SIM swaps Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters | Microsoft Security Blog Microsoft Defender Vulnerability Management - Microsoft Defender Vulnerability Management | Microsoft Learn Zero Trust Architecture | NIST tactics, techniques, and procedures (TTP) - Glossary | CSRC https://learn.microsoft.com/en-us/security/zero-trust/deploy/overview
Tenant Allow/Block Lists Versus Anti-spam List
Hello, I am an unsophisticated administrator for my account. So if I am posting this information in the wrong location, please forgive me and let me know where it should be posted. I have been getting inundated with financial spam or phishing emails. This spammer creates new domain names on a daily or weekly basis, and then sends new spam from these new domains. I typically get about thirty spam emails a day. And my guess is that, although they come from different domains, there is one organization behind all of them. Often, I get more than one email per domain per day. Fortunately, most of these emails end up in my junk folder. I want to stop these spammers from even reaching my Junk folder in Outlook. I want to keep them completely out of my email system. At first, I went to Microsoft 365 Defender > Email & collaboration > Policies & Rules > Threat policies and added their emails and domains to “Tenant Allow/Block Lists.” While that captured most of the known spam emails, one got through to my Junk folder. Being curious, I contacted Microsoft. I was told to add the spammers’ email addresses and domains to the “Anti-spam” list. I am not sure if this change will solve my concern. My question is as follows: What is the difference between these two lists? And why should I choose one over the other? My recommendations are as follows: For the Anti-spam list, it would be helpful to allow users to add more than one email address or domain name at a time. At present, it is painful manually adding many entries. For the Anti-spam list, it would be helpful to add the date each entry was added and allow for a comment section, similar to the Tenant Allow/Block list. It would be great if users or admins could right mouse click on a spam or phishing email in their Outlook programs and then have that email address or domain name blocked from reaching Outlook in the future. Because this affects the organization, perhaps it is best if this ability is restricted to administrators.Monthly news - August 2025
Microsoft Defender XDR Monthly news - August 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender Microsoft Sentinel is moving to the Microsoft Defender portal to deliver a unified, AI-powered security operations experience. Many customers have already made the move. Learn how to plan your transition and take advantage of new capabilities in the this blog post. Introducing Microsoft Sentinel data lake. We announced a significant expansion of Microsoft Sentinel’s capabilities through the introduction of Sentinel data lake, now rolling out in public preview. Read this blog post for a look at some of Sentinel data lake’s core features. (Public Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. (Public Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken. Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel. Microsoft Sentinel’s new Summary Rules Templates offer a structured and efficient approach to aggregating verbose data - enabling security teams to extract meaningful insights while optimizing resource usage. Automating Microsoft Sentinel: Playbook Fundamentals. This is the third entry of the blog series on automating Microsoft Sentinel. In this post, we’re going to start talking about Playbooks which can be used for automating just about anything. Customer success story: Kuwait Credit Bank boosts threat detection and response with Microsoft Defender. To modernize its security posture, the bank unified its security operations under Microsoft Defender XDR, integrating Microsoft Sentinel and Microsoft Purview. Microsoft Defender for Cloud Apps App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, Arab Emirates and Asia Pacific. For more details, see our documentation.. Updated network requirements for GCC and Gov customers. To support ongoing security enhancements and maintain service availability, Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration as described here. Discover and govern ChatGPT and other AI apps accessing Microsoft 365 with Defender for Cloud Apps. In this blog post, we’ll explore how Defender for Cloud Apps helps security teams gain enhanced visibility into the permissions granted to AI applications like ChatGPT as they access Microsoft 365 data. We’ll also share best practices for app governance to help security teams make informed decisions and take proactive steps to enable secure usage of AI apps accessing Microsoft 365 data. Microsoft Defender for Endpoint (General Availability) Microsoft Defender Core service is now generally available on Windows Server 2019 or later which helps with the stability and performance of Microsoft Defender Antivirus. Microsoft Defender for Identity Expanded coverage in ITDR deployment health widget. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure. Time limit added to Recommended test mode. Recommended test mode configuration on the Adjust alert thresholds page, now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied. Identity scoping is now available in Governance environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. New security posture assessments for unmonitored identity servers. Defender for Identity has three new security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Learn more in our documentation. Microsoft Defender for Office 365 Protection against multi-modal attacks with Microsoft Defender. This blog post showcases how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal. Users can report external and intra-org Microsoft Teams messages from chats, standard and private channels, meeting conversations to Microsoft, the specified reporting mailbox, or both via user reported settings. Microsoft Security Blogs Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats. Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability. Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence. Disrupting active exploitation of on-premises SharePoint vulnerabilities. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.
Quarantine "finger print matching" false positive
Just done my regular quarantine check on our O365 tenant and was surprised to find a couple of legit messages from an external sender which were flagged as High Confidence Phish based on finger print matching, which I understand translates to a close match to a previously detected malicious message. I can see absolutely nothing wrong with the message and it was so very business specific in its content that I cannot see that it would closely match anything else that had ever gone before. The recipient tells me they regularly exchange business emails with the sender without any issue. When I run off a report and look at other recent messages caught by finger print matching on my tenant, they were the usual phishing emails that are probably doing the rounds globally and were correctly trapped. Questions are: 1. Anyone know why something so highly specific in its content would be trapped in this way? 2. I feel I can't trust O365 to correctly quarantine based on this example, but High Confidence Phish is currently set to have the AdminOnlyAccessPolicy applied on my tenant - and this doesn't notify. Is there any way for a sys admin (only) to be notified by email when something goes into quarantine? I can set up a custom policy to allow RECIPIENT notification but I don't really want to involve them when messages are being correctly quarantined almost all of the time. Ours is a non-profit tenant so I can't be sitting around watching it all day - I need it to tell me when something has happened! Thanks for any ideas!
How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: An overall secure score which is then broken down by Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but https://learn.microsoft.com/en-us/power-query/connecting-to-graph. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.
