Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code PhishingMonthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMwareMonthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see, Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices – Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance - A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles – Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.Monthly news - August 2024
Microsoft Defender XDR Monthly news August 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2024.Monthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.Monthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.Monthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.
