AzureFeeds

Microsoft Defender XDR Monthly news May 2025 Edition

This is our monthly “What’s new” blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it’s own Monthly News post, have a look at their blog space. 

Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel

• What’s new in Microsoft Defender XDR at Secure 2025


• New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. 


• (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time.  


• Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try!


• (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability.


• The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting.


• Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption.


• Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. 


• (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. 


• (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs.

Microsoft Defender for Endpoint

• Updated documentation
  
  
  
  • Schedule antivirus scans using Group Policy
  
  
  • Schedule antivirus scans using PowerShell 
  
  
  
  


• 
  

  Two new ASR rules are now generally available:

  
  
  
  
  • Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode.
  
  
  • Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.
  
  
  
  


• 
  

  (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles:

  
  
  
  
  • Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers
  
  
  • Microsoft Defender for Endpoint on Linux
  
  
  
  

Microsoft Defender for Office 365

• Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters.


• Options to “tune” controls within Defender for Office 365 for an organization to maximize protection and efficacy. 


• We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.


• The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025.  Learn more in this blog post..

Microsoft Defender for Cloud Apps

• Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.


• (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps

Microsoft Defender for Identity

• 
  

  (General available)

  
  
  
  
  • 
    

    Identities guided tour

    
    
  
  
  • 
    

    New attack paths tab on the Identity profile page

    
    
  
  
  • 
    

    New and updated events in the Advanced hunting IdentityDirectoryEvents table

    
    
  
  
  • 
    

    Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others.

    
    
  
  
  • 
    

    Deprecation of Defender for Identity alert email notifications

    
    

     

    
    
  
  
  
  


• 
  

  (Public Preview)

  
  
  
  
  • Defender for Identity integration with Entra Privileged Identity Management (PIM)
  
  
  • 
    

    Privileged Access Management (PAM) vendors integration with Defender for Identity  – CyberArk, Delinea and BeyondTrust

    
    
  
  
  
  

Microsoft Security Blogs

• 
  

  Threat actors leverage tax season to deploy tax-themed phishing campaigns
  As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos.

  
  


• 
  

  Exploitation of CLFS zero-day leads to ransomware activity
  Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025.

  
  


• 
  

  Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI
  Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks.

  
  


• 
  

  Threat actors misuse Node.js to deliver malware and other malicious payloads
  Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.

  
  


• 
  

  Understanding the threat landscape for Kubernetes and containerized assets
  The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments.

  
  

Threat Analytics (Access to the Defender Portal needed)

• Activity profile: Tax and IRS-themed phishing campaigns


• [TA update] Tool profile: Grandoreiro banking trojan


• Activity profile – Threat actors using fake Chrome updates to deliver Lumma Stealer


• Actor profile: Storm-2256


• Actor Profile – Storm-1877


• [TA update] Vulnerability profile: CVE-2025-26633


• Vulnerability profile – CVE-2025-29824


• Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications


• Technique profile: ClickFix technique leverages clipboard to run malicious commands


• [TA update] Actor profile: Storm-1249


• Tool profile – XCSSET


• Tool profile: ReedBed


• Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025)


• Actor Profile – Storm-1125


• Activity profile: Sapphire Sleet using GoLang files to download malware


• Technique Profile: Device Code Phishing