Accelerate your Frontier journey: Summit sessions now available on demand
The Frontier Transformation Engineer Summit may be over, but you can keep the momentum going. Revisit the highlights or catch up on sessions you missed. Each session is designed to build the skills you need to advance your Frontier Engineering journey and earn your Frontier Transformation Engineer badge—a clear signal to customers that you can design and deliver agents across Microsoft Copilot Studio, Microsoft Foundry, and the rest of the Frontier stack. Here’s how you can keep building your AI capability: View the summit sessions on demand. Work toward earning the Frontier Transformation Engineer badge. Join us at MCAPS Start for Partners on July 22 to stay ahead of what’s next.Build AI skills at Microsoft AI Skills Fest
Register now for Microsoft AI Skills Fest, a no-cost digital skilling event taking place June 8–12. Designed so partners can stay ahead in the rapidly evolving AI landscape, attendees can build in-demand AI skills, gain practical insights, and discover ways to deliver innovative solutions, deepen customer relationships, and stay competitive in a fast-changing market. Get ready to lead Frontier Transformation If you’re a solution engineer or architect building AI agents across the Frontier stack—including Microsoft 365 Copilot, Microsoft Foundry, Copilot Studio, GitHub Copilot, Fabric, and Agent 365—you can validate your expertise with the Frontier Transformation Engineer badge. Want to fast-track your badge completion? Join us at the Frontier Transformation Engineer Summit on June 9 for a live, expert-led skilling experience where you’ll explore how to use Microsoft Agent Factory at scale, build your expertise, demonstrate organizational readiness, and lead Frontier Transformation for your customers.Oracle Eloqua integration for Teams webinars
Would like to see Microsoft add or support an integration with Oracle Eloqua for Teams Webinars, as our Marketing team needs this integration in order to fully migrate to Microsoft Teams for our customer facing events. They continue to use an antiquated (competitor) platform because it does have the Eloqua integration.Webinar Cancellation
Hi everyone! The webinar originally scheduled for April 14th on "Using distributed content to manage your multi-tenant SecOps" has unfortunately been cancelled for now. We apologize for the inconvenience and hope to reschedule it in the future. Please find other available webinars at: http://aka.ms/securitycommunity All the best, The Microsoft Security Community Team
Teams Webinars: Org name vs brand name – how are people handling this?
Has anyone else hit this with Teams webinars? Microsoft recently changed how webinar emails are sent, and the sender name now seems to come from the tenant Organisation Name. You can change that in M365 admin, but that’s where the problem starts. In a lot of companies, the organisation name is a legal/billing entity, not the public-facing brand. Example: Legal / tenant name: FedEx Corporate Services, Inc. Brand: FedEx Teams webinar emails now go out showing the legal entity, which isn’t great for external, customer-facing events. Changing the org name just to fix webinar emails can have knock-on effects for billing, contracts, and governance. As far as I can see: No way to set a brand-specific sender name No per-webinar or per-mailbox sender identity Org name is global and used across multiple services The only real workaround seems to be not using Teams-generated emails at all, and sending custom emails via Power Automate / Graph / a marketing platform, while still using Teams for the actual event. Curious how others are dealing with this: Are you just living with it? Changing the org name with legal sign-off? Or bypassing Teams emails completely? Feels like a gap for larger, multi-brand orgs.Webinar Rescheduled: AI-Powered Entity Analysis in Sentinel's MCP Server
Hi folks! The webinar: AI-Powered Entity Analysis in Sentinel's MCP Server which was previously scheduled for: January 13th, 2026, has been rescheduled to: January 27th, 2026, at 9:00 AM PT. Please delete the old invite from your calendar and find the new one at aka.ms/securitycommunity. We apologize for the inconvenience and hope to see you there!
Participant (people) pop out window for Team's Events (meeting, webinar, townhall).
It would be so helpful if you can change Team events (meeting, webinar, townhall) to allow the participant list to pop out and away from the main window. There is no way to see who's entering the event & move certain people into a breakout room. Unless you use the notifications that appears as a pop up in the top middle of the window for people joining the room, but that can cause a huge problem if they are joining the room unmuted. When doing an event that allows people to join late, and they may not know or haven't learned how to mute or turn off their camera, it can be very disrupting. It would be greatly appreciated if we could move the participant list around, so we have easy access to both the breakout room tab as well as the main room participation list. This way you would be able to see if co-organizers are in the breakout room since they don't appear on the breakout room list and you would be able to allow attendees to join and make sure you have the capability to mute them. (It would also be appreciated if you could add turn off camera since you already have the ability to mute people).Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code Phishing
