< ciso
brief />
Tag Banner

All news with #defender for endpoint tag

14 articles

New LegacyHive Windows zero-day enables privilege escalation

🔒 A researcher known as Nightmare Eclipse published a proof-of-concept named LegacyHive after Microsoft's July 2026 Patch Tuesday, claiming it exploits a vulnerability in the Windows User Profile Service. The PoC has been intentionally modified to require additional credentials, making exploitation harder than earlier releases. Analysts note successful exploitation allows non-admin users to modify the classes registry hive and achieve code execution on admin login. Detection queries for Microsoft Defender for Endpoint were published shortly after.
read more →

Defender Experts Close the Intelligence‑to‑Action Gap

🛡️ Microsoft announces Defender Experts Threat Intelligence and expands Defender Experts MDR to include third-party and multi-cloud coverage. The expert-led services translate global signals into prioritized, environment-specific guidance and integrate Microsoft Defender Threat Intelligence into the Defender portal for real-time use across detection, investigation, response, and hunting. Defender Experts MDR Plan 2 extends managed detection and response beyond Microsoft products using Microsoft Sentinel, enabling experts to follow threats across heterogeneous estates. These offerings aim to shorten the time from signal to decisive action and will be showcased at Black Hat.
read more →

Microsoft patches Defender RoguePlanet zero‑day

🛡️ Microsoft released a Malware Protection Engine update to fix a Defender zero-day tracked as CVE-2026-50656, dubbed "RoguePlanet." The vulnerability, disclosed by researcher "Nightmare Eclipse," allows spawning a SYSTEM command prompt via a Defender race condition and reportedly works on fully patched Windows 10 and 11 devices. Microsoft shipped version 1.1.26060.3008 to address the issue after confirming work on a patch on June 16.
read more →

Proof-of-Concept for Defender RoguePlanet Zero-Day

🛡️ An anonymous researcher known as Chaotic Eclipse published a proof-of-concept for a Microsoft Defender zero-day dubbed RoguePlanet, a race-condition exploit that can yield SYSTEM-level shells on Windows 10 and 11 with June 2026 patches. The PoC is inconsistent across systems and currently fails on Windows Server due to ISO mounting restrictions. The disclosure follows prior Defender flaws from the same researcher and a public conflict with Microsoft over coordinated disclosure and account revocation.
read more →

Microsoft named Leader in 2026 Endpoint Protection

🛡️ For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection, reflecting customer trust in Microsoft Defender. Defender provides industry-leading EDR backed by global threat intelligence and connects endpoints, identities, email, apps, cloud, and data to enable earlier detection and stronger prevention. Recent advancements include proactive attack disruption, custom telemetry, simplified onboarding, sovereign-ready protection, and agentic endpoint security for local AI agents.
read more →

Microsoft previews automatic device isolation feature

🛡️ Microsoft is previewing an automatic device isolation feature in Defender for Endpoint to help contain active cyberattacks by severing most network traffic while preserving connections to security services. The capability is part of its auto attack disruption tool within Defender XDR, and Microsoft says actions are time-limited and can be tuned or reversed by administrators. A new SANS Institute paper warns threshold-driven autonomous containment can be weaponized to disable user accounts, underscoring the need for careful configuration and governance.
read more →

Microsoft Defender adds automatic endpoint isolation

🛡️ Microsoft is previewing a Defender for Endpoint capability that automatically isolates compromised endpoints as part of automatic attack disruption. Isolated devices are disconnected from the network to limit lateral movement and data exfiltration but remain connected to the Microsoft Defender for Endpoint service for ongoing monitoring. The feature applies to onboarded end-user workstations and can be released by security operators after investigation and remediation.
read more →

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.
read more →

CISA Adds One Vulnerability to KEV Catalog After Exploitation

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33825, an Microsoft Defender access-control issue characterized by insufficient granularity and identified as being actively exploited. The agency emphasizes that this class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the prescribed due date, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities — codenamed BlueHammer, RedSun, and UnDefend — to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched and have PoCs observed in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.
read more →

RedSun exploit abuses Microsoft Defender to gain SYSTEM

🛡️ A new proof-of-concept called RedSun demonstrates that Microsoft Defender can be manipulated to overwrite protected system files and escalate privileges to SYSTEM on Windows 10 and 11 systems with cloud files features enabled. The exploit leverages Defender’s special handling of cloud-tagged files, which can trigger a rewrite to disk during remediation, allowing attackers to influence timing and destination. Researchers reproduce the issue using the Cloud Files API, oplocks, Volume Shadow Copy race conditions, and directory junctions; detection is limited and Microsoft has not yet commented.
read more →

Microsoft to Remove Office Sandbox MDAG from Enterprise

🔒 Microsoft confirmed that Microsoft Defender Application Guard (MDAG) for Office will be removed from enterprise Office builds, with phased removal beginning in 2026 and final cut-offs through 2027. MDAG used Hyper‑V sandboxing to isolate malicious Office documents but incurred slower load times and carried sandbox escape risks. Microsoft advises enabling Attack Surface Reduction (ASR) rules and Windows Defender Application Control (WDAC), and reviewing any automation, workflows, or SIEM integrations that depended on MDAG’s isolation logs.
read more →

Microsoft to Remove Defender Application Guard from Office

🔒 Microsoft will remove Defender Application Guard for Office (MDAG) from supported Office builds beginning with version 2602 in early February 2026 and expects full removal with version 2612 by mid‑2027. Files that previously opened in Application Guard will open in Protected View instead. Microsoft recommends enabling Defender for Endpoint ASR rules and Windows Defender Application Control to preserve protections; no admin action is required to trigger the removal.
read more →

Microsoft Tops Modern Endpoint Security Market Share

🔒 Microsoft Defender has been ranked number one in modern endpoint security market share for the third consecutive year, according to IDC’s 2024 report. Market share rose from 25.8% in 2023 to 28.6% in 2024, reflecting a 28.2% growth rate. Defender emphasizes cross-platform protection—Windows, macOS, Linux, iOS, Android, and IoT—leveraging AI-powered detection and built-in exposure management to enable rapid SOC response and attack disruption.
read more →