CISO Brief

All news with #defender for endpoint tag

10 articles

Microsoft named Leader in 2026 Endpoint Protection

🛡️ For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection, reflecting customer trust in Microsoft Defender. Defender provides industry-leading EDR backed by global threat intelligence and connects endpoints, identities, email, apps, cloud, and data to enable earlier detection and stronger prevention. Recent advancements include proactive attack disruption, custom telemetry, simplified onboarding, sovereign-ready protection, and agentic endpoint security for local AI agents.

Microsoft previews automatic device isolation feature

🛡️ Microsoft is previewing an automatic device isolation feature in Defender for Endpoint to help contain active cyberattacks by severing most network traffic while preserving connections to security services. The capability is part of its auto attack disruption tool within Defender XDR, and Microsoft says actions are time-limited and can be tuned or reversed by administrators. A new SANS Institute paper warns threshold-driven autonomous containment can be weaponized to disable user accounts, underscoring the need for careful configuration and governance.

Microsoft Defender adds automatic endpoint isolation

🛡️ Microsoft is previewing a Defender for Endpoint capability that automatically isolates compromised endpoints as part of automatic attack disruption. Isolated devices are disconnected from the network to limit lateral movement and data exfiltration but remain connected to the Microsoft Defender for Endpoint service for ongoing monitoring. The feature applies to onboarded end-user workstations and can be released by security operators after investigation and remediation.

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.

CISA Adds One Vulnerability to KEV Catalog After Exploitation

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33825, a Microsoft Defender access-control issue characterized by insufficient granularity and identified as being actively exploited. The agency emphasizes that this class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the prescribed due date, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities — codenamed BlueHammer, RedSun, and UnDefend — to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched and have PoCs observed in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.

RedSun exploit abuses Microsoft Defender to gain SYSTEM

🛡️ A new proof-of-concept called RedSun demonstrates that Microsoft Defender can be manipulated to overwrite protected system files and escalate privileges to SYSTEM on Windows 10 and 11 systems with cloud files features enabled. The exploit leverages Defender’s special handling of cloud-tagged files, which can trigger a rewrite to disk during remediation, allowing attackers to influence timing and destination. Researchers reproduce the issue using the Cloud Files API, oplocks, Volume Shadow Copy race conditions, and directory junctions; detection is limited and Microsoft has not yet commented.

Microsoft to Remove Office Sandbox MDAG from Enterprise

🔒 Microsoft confirmed that Microsoft Defender Application Guard (MDAG) for Office will be removed from enterprise Office builds, with phased removal beginning in 2026 and final cut-offs through 2027. MDAG used Hyper‑V sandboxing to isolate malicious Office documents but incurred slower load times and carried sandbox escape risks. Microsoft advises enabling Attack Surface Reduction (ASR) rules and Windows Defender Application Control (WDAC), and reviewing any automation, workflows, or SIEM integrations that depended on MDAG’s isolation logs.

Microsoft to Remove Defender Application Guard from Office

🔒 Microsoft will remove Defender Application Guard for Office (MDAG) from supported Office builds beginning with version 2602 in early February 2026 and expects full removal with version 2612 by mid‑2027. Files that previously opened in Application Guard will open in Protected View instead. Microsoft recommends enabling Defender for Endpoint ASR rules and Windows Defender Application Control to preserve protections; no admin action is required to trigger the removal.

Microsoft Tops Modern Endpoint Security Market Share

🔒 Microsoft Defender has been ranked number one in modern endpoint security market share for the third consecutive year, according to IDC’s 2024 report. Market share rose from 25.8% in 2023 to 28.6% in 2024, reflecting a 28.2% growth rate. Defender emphasizes cross-platform protection—Windows, macOS, Linux, iOS, Android, and IoT—leveraging AI-powered detection and built-in exposure management to enable rapid SOC response and attack disruption.