< ciso
brief />
Tag Banner

All news with #microsoft defender xdr tag

40 articles

Microsoft patches RoguePlanet Defender flaw

🛡️ Microsoft released a security update addressing a privilege escalation bug in the Microsoft Malware Protection Engine, tracked as CVE-2026-50656. The issue, dubbed RoguePlanet, is a race condition that can allow an attacker to spawn a SYSTEM-level shell to run arbitrary code. The fix is included in engine version 1.1.26060.3008 and includes defense-in-depth hardening.
read more →

Microsoft named a leader in Frost Radar for CARS

🔒 Microsoft highlights its recognition in Frost & Sullivan’s 2026 Frost Radar for Cloud/Application Runtime Security, emphasizing a shift from visibility to contextual risk reduction across cloud infrastructure, applications, APIs, and runtimes. The post explains how Microsoft Defender for Cloud integrated with Microsoft Defender XDR correlates posture, identity, data, and runtime signals to prioritize exploitable attack paths. It argues that unified platforms reduce alert fatigue, speed remediation, and enable continuous risk operations across development and runtime.
read more →

June 2026 Microsoft Security product updates

🔒 This update summarizes June 2026 releases across Microsoft Security that strengthen identity, multicloud, data, and developer protections. Highlights include codename MDASH for multi-model agentic vulnerability scanning, expanded Microsoft Defender agent and MCP detection, GA for Microsoft Entra Backup and Recovery, and extended database threat protection for AWS RDS. New reporting, multicloud coverage, and a unified identity risk score help teams detect, prioritize, and recover faster.
read more →

CISA: BlueHammer bug now exploited by ransomware

🛡️ CISA confirms ransomware actors are exploiting the high-severity Microsoft Defender privilege escalation flaw dubbed BlueHammer (CVE-2026-33825). The bug was leaked with proof-of-concept code by researcher "Nightmare Eclipse" in April and later patched by Microsoft on April 14. CISA added the flaw to its KEV Catalog and ordered federal agencies to patch, and has now flagged it as used in ransomware campaigns.
read more →

Microsoft named Leader in Forrester XDR Wave 2026

🛡️ Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026, earning the top Strategy and Vision scores. The report highlights Microsoft Defender and Microsoft Threat Intelligence for high marks across identity detection, cloud detection, SIEM replacement, threat hunting, and more. Microsoft emphasizes an XDR foundation that unifies signals across identities, endpoints, email, SaaS, and cloud workloads to enable coordinated, AI-assisted attack disruption and faster SOC operations.
read more →

Microsoft Confirms RoguePlanet Defender Zero-Day

🛡️ Microsoft disclosed it is preparing a patch for a Defender zero-day tracked as RoguePlanet, now identified as CVE-2026-50656 with a CVSS score of 7.8. The company classifies the issue as a privilege escalation in the Microsoft Malware Protection Engine and says it is working on a quality security update. The exploit was publicly released by researcher Chaotic Eclipse (aka Nightmare-Eclipse), who described it as a race condition that can yield SYSTEM-level shells and may work irrespective of real-time protection settings.
read more →

AI-Driven Identity Security: Microsoft Entra Updates

🔒 AI is accelerating cyberattacks, increasing speed and scale across the attack chain while identity remains a primary entry point. Microsoft highlights integrated visibility and response through Microsoft Entra and Microsoft Defender, including a unified identity risk score and an updated Entra ID Protection experience. New features aim to reduce fragmentation, enable least-privilege response roles, and automate policy optimization to help teams prevent, detect, and respond faster.
read more →

Microsoft developing patch for Defender RoguePlanet zero-day

🔒 Microsoft is investigating and preparing a security update for a Microsoft Defender elevation-of-privilege vulnerability publicly dubbed RoguePlanet. The flaw, now tracked as CVE-2026-50656, was disclosed with a proof-of-concept last week and reportedly allows spawning SYSTEM-level command prompts via a Defender race condition on fully patched Windows 10 and 11 devices. Microsoft confirmed it is working on a high-quality security update and will publish details in the CVE entry when available.
read more →

Microsoft previews automatic device isolation feature

🛡️ Microsoft is previewing an automatic device isolation feature in Defender for Endpoint to help contain active cyberattacks by severing most network traffic while preserving connections to security services. The capability is part of its auto attack disruption tool within Defender XDR, and Microsoft says actions are time-limited and can be tuned or reversed by administrators. A new SANS Institute paper warns threshold-driven autonomous containment can be weaponized to disable user accounts, underscoring the need for careful configuration and governance.
read more →

Securing AI Foundations: Microsoft Customer Spotlights

🛡️ This article highlights how St. Luke’s University Health Network and ManpowerGroup modernized security to enable AI-powered operations. It describes how both organizations unified visibility across cloud, identity, endpoint, and email by adopting Microsoft Security Copilot, Microsoft Defender, and Microsoft Sentinel, and how automation reduced noise and accelerated response. The piece frames security as a strategic enabler for scaling AI responsibly under Zero Trust and governance principles.
read more →

Microsoft warns of two actively exploited Defender flaws

🔒 Microsoft disclosed two Microsoft Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege escalation rated 7.8 that can allow an attacker to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue rated 4.0. Both are addressed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not affected; updates are applied automatically through malware definitions and the Microsoft Malware Protection Engine.
read more →

CrowdStrike Launches Falcon OverWatch for Defender

🔍 CrowdStrike has introduced Falcon OverWatch for Defender, a managed threat-hunting service that brings continuous, expert-led hunting to Microsoft Defender environments without replacing existing endpoint protections. Running a lightweight Falcon sensor alongside Microsoft Defender, the offering combines human hunters, deep adversary intelligence, and AI-driven analytics to surface stealthy post‑exploit activity and escalate high-confidence threats. It promises AI-powered analysis at scale—up to 6.2 trillion events per day—broad visibility across millions of endpoints, and operationalized hunting patterns to improve detection and response across customers.
read more →

Multi-stage code of conduct phishing leads to AiTM tokens

🔐 Microsoft Defender Research observed a large-scale, multi-stage phishing campaign that used polished code-of-conduct lures, staged CAPTCHAs, and intermediate pages to deliver an adversary-in-the-middle (AiTM) flow that captured authentication tokens. The campaign targeted over 35,000 users across 13,000+ organizations, mainly in the United States, and employed legitimate delivery services and attacker-controlled domains. Recommended defenses include Microsoft Defender for Office 365, Safe Links, Zero-hour auto purge (ZAP), SmartScreen-enabled browsers, and phishing-resistant MFA.
read more →

Microsoft Defender False-Positives Flag DigiCert Roots

🛡️ Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after a signature update on April 30, producing widespread false positives and, in some cases, removing certificates from Windows trust stores. Microsoft issued Security Intelligence updates 1.449.430.0 and 1.449.431.0 to resolve the detections and reportedly restore removed certificates. Administrators can force an update via Windows Security > Virus and threat protection > Protection updates.
read more →

Microsoft Security: New Agent 365 and Defender Integrations

🔒 Microsoft previewed new Microsoft Defender capabilities within the Agent 365 tooling gateway to give security teams near real-time visibility and control over agentic workflows, using webhook-based evaluation to detect, block, and investigate anomalous agent actions before execution. Separately, Microsoft Defender for Cloud now integrates with GitHub Advanced Security generally available to map code changes to production, prioritize alerts using runtime context, and enable coordinated remediation. A hands-on Microsoft Purview demo demonstrates AI-powered data security investigations across the data estate.
read more →

Q1 2026 Email Threat Landscape: Phishing Trends and Defenses

🔐 Microsoft Threat Intelligence observed ~8.3 billion email-based phishing threats in Q1 2026, with volumes easing from about 2.9 billion in January to 2.6 billion in March. QR code phishing more than doubled and CAPTCHA-gated phishing surged, while link-based delivery rose to 78% and credential theft dominated payloads. Disruption of the Tycoon2FA PhaaS reduced activity but adversaries adapted; Microsoft Defender detections and mitigations are recommended.
read more →

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.
read more →

Predictive Shielding Halts Domain Compromise and Lateral

🔒 Microsoft describes how Microsoft Defender’s predictive shielding — part of automatic attack disruption — proactively contains exposed high-privilege identities to stop credential abuse and lateral movement. In a June 2025 public sector incident, automated containment prevented attackers from leveraging exposed domain credentials to escalate and pivot across identity and Exchange infrastructure. The feature evaluates exposure signals and applies just-in-time restrictions to block sign-ins, sessions, and interactive pivots while investigators remediate. It’s available out‑of‑the‑box for Defender for Endpoint P2 customers who meet prerequisites.
read more →

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.
read more →

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to generate dynamic device codes at click time, defeating the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.
read more →