June 6, 2025
Microsoft Defender XDR Monthly news – June 2025 Edition
This is our monthly “What’s new” blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has its own Monthly News post; have a look at their blog space.
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
- From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph. In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats.
- (Public Preview) A unified detection rules list that includes both analytics rules and custom detections is in public preview. Learn more in our docs.
- The Best of Microsoft Sentinel — Now in Microsoft Defender. We are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience.
- (General Availability) Multi-workspace for single and multi-tenant is now generally available.
- (Public Preview) Case management now available for the Defender multitenant portal. For more information, see View and manage cases across multiple tenants in the Microsoft Defender multitenant portal.
- (Public Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. For more information, see Visualize security impact with the unified security summary.
- (Public Preview) New Microsoft Teams table: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery.
- (Public Preview) New Microsoft Teams table: The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.
- (Public Preview) New Microsoft Teams table: The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization.
- Unified IdentityInfo table in advanced hunting now includes the largest possible set of fields common to both Defender and Azure portals.
Microsoft Defender for Endpoint
- (Webinar – YouTube Link) Secure Your Servers with Microsoft’s Server Protection Solution – This webinar offers an in-depth exploration of Microsoft Defender for Endpoint on Linux.
- Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test.
- Discover how automatic attack disruption protects critical assets while ensuring business continuity.
Microsoft Defender for Office 365
- Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
- New deployment guide: Quickly configure Microsoft Teams protection in Defender for Office 365 Plan 2
- New SecOps guide: Security Operations Guide for Teams protection in Defender for Office 365
- Video – Ninja Show: Advanced Threat Detection with Defender XDR Community Queries
- Video – Mastering Microsoft Defender for Office 365: Configuration Best Practices
- Video – Ninja Show: Protecting Microsoft Teams with Defender for Office 365
- This blog discussed the new Defender for Office 365 Language AI for Phish Model.
- SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps.
Microsoft Defender for Cloud Apps
- New Applications inventory page now available in Defender XDR. The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. For more information, see Application inventory overview.
- The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications.
- Note: As part of our ongoing convergence process across Defender workloads, Defender for Cloud Apps SIEM agents will be deprecated starting November 2025. Learn more.
Microsoft Defender for Identity
- (Public Preview) Expanded New Sensor Deployment Support for Domain Controllers. Learn more.
- Active Directory Service Accounts Discovery Dashboard. Learn more.
- Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page. The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor.
- Note: The local administrators collection feature (using SAM-R queries) will be disabled.
Microsoft Security Blogs
- Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape
- Marbled Dust leverages zero-day in Output Messenger for regional espionage
- Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
- New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
- Defending against evolving identity attack techniques
Threat Analytics (Access to the Defender Portal needed)
- Activity profile – AITM campaign with brand impersonated OAUTH applications
- Threat overview: SharePoint Server and Exchange Server threats
- Vulnerability profile: CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability
- Actor profile: Storm-0593
- [TA update] Actor profile: Storm-0287
- Activity Profile: Marbled Dust leverages zero-day to conduct regional espionage
- [TA update] Technique profile: ClickFix technique leverages clipboard to run malicious commands
- Technique profile: LNK file UI feature abuse
- Technique profile: Azure Blob Storage threats
- Activity profile: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
- Vulnerability profile – CVE-2025-30397
- Activity profile: Recent OSINT trends in information stealers