CISO Brief

All news with the #microsoft defender xdr tag

31 articles

Securing AI Foundations: Microsoft Customer Spotlights

🛡️ This article highlights how St. Luke’s University Health Network and ManpowerGroup modernized security to enable AI-powered operations. It describes how both organizations unified visibility across cloud, identity, endpoint, and email by adopting Microsoft Security Copilot, Microsoft Defender, and Microsoft Sentinel, and how automation reduced noise and accelerated response. The piece frames security as a strategic enabler for scaling AI responsibly under Zero Trust and governance principles.

Microsoft warns of two actively exploited Defender flaws

🔒 Microsoft disclosed two Microsoft Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege escalation rated 7.8 that can allow an attacker to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue rated 4.0. Both are addressed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not affected; updates are applied automatically through malware definitions and the Microsoft Malware Protection Engine.

CrowdStrike Launches Falcon OverWatch for Defender

🔍 CrowdStrike has introduced Falcon OverWatch for Defender, a managed threat-hunting service that brings continuous, expert-led hunting to Microsoft Defender environments without replacing existing endpoint protections. Running a lightweight Falcon sensor alongside Microsoft Defender, the offering combines human hunters, deep adversary intelligence, and AI-driven analytics to surface stealthy post‑exploit activity and escalate high-confidence threats. It promises AI-powered analysis at scale—up to 6.2 trillion events per day—broad visibility across millions of endpoints, and operationalized hunting patterns to improve detection and response across customers.

Multi-stage code of conduct phishing leads to AiTM tokens

🔐 Microsoft Defender Research observed a large-scale, multi-stage phishing campaign that used polished code-of-conduct lures, staged CAPTCHAs, and intermediate pages to deliver an adversary-in-the-middle (AiTM) flow that captured authentication tokens. The campaign targeted over 35,000 users across 13,000+ organizations, mainly in the United States, and employed legitimate delivery services and attacker-controlled domains. Recommended defenses include Microsoft Defender for Office 365, Safe Links, Zero-hour auto purge (ZAP), SmartScreen-enabled browsers, and phishing-resistant MFA.

Microsoft Defender False-Positives Flag DigiCert Roots

🛡️ Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after a signature update on April 30, producing widespread false positives and, in some cases, removing certificates from Windows trust stores. Microsoft issued Security Intelligence updates 1.449.430.0 and 1.449.431.0 to resolve the detections and reportedly restore removed certificates. Administrators can force an update via Windows Security > Virus and threat protection > Protection updates.

Microsoft Security: New Agent 365 and Defender Integrations

🔒 Microsoft previewed new Microsoft Defender capabilities within the Agent 365 tooling gateway to give security teams near real-time visibility and control over agentic workflows, using webhook-based evaluation to detect, block, and investigate anomalous agent actions before execution. Separately, Microsoft Defender for Cloud's integration with GitHub Advanced Security is now generally available, mapping code changes to production, prioritizing alerts using runtime context, and enabling coordinated remediation. A hands-on Microsoft Purview demo demonstrates AI-powered data security investigations across the data estate.

Q1 2026 Email Threat Landscape: Phishing Trends and Defenses

🔐 Microsoft Threat Intelligence observed ~8.3 billion email-based phishing threats in Q1 2026, with volumes easing from about 2.9 billion in January to 2.6 billion in March. QR code phishing more than doubled and CAPTCHA-gated phishing surged, while link-based delivery rose to 78% and credential theft dominated payloads. Disruption of the Tycoon2FA PhaaS reduced activity but adversaries adapted; Microsoft Defender detections and mitigations are recommended.

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.

Predictive Shielding Halts Domain Compromise and Lateral

🔒 Microsoft describes how Microsoft Defender’s predictive shielding — part of automatic attack disruption — proactively contains exposed high-privilege identities to stop credential abuse and lateral movement. In a June 2025 public sector incident, automated containment prevented attackers from leveraging exposed domain credentials to escalate and pivot across identity and Exchange infrastructure. The feature evaluates exposure signals and applies just-in-time restrictions to block sign-ins, sessions, and interactive pivots while investigators remediate. It’s available out‑of‑the‑box for Defender for Endpoint P2 customers who meet prerequisites.

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to generate dynamic device codes at click time, defeating the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.

Protecting High-Value Assets with Microsoft Defender

🔒 Microsoft Defender uses asset-aware protection powered by Security Exposure Management to identify and defend High-Value Assets such as domain controllers, IIS/Exchange servers, and identity infrastructure. The platform applies HVA-aware anomaly detection, cloud-delivered intelligence, and endpoint protections to detect credential dumping, webshell deployments, and other high-impact TTPs. Defender can also trigger automated disruption to contain threats and recommends prioritizing HVA coverage and remediation.

Predictive Shielding in Defender Stops GPO-Based Ransomware

🛡️ Microsoft Defender's predictive shielding disrupted a GPO-based ransomware campaign targeting a large educational institution with more than a couple thousand devices. The attacker created malicious GPOs to disable protections and deploy scheduled tasks via the SYSVOL share; Defender detected policy tampering and applied GPO hardening, temporarily pausing policy propagation. Roughly 700 devices were hardened within hours, preventing any encryption via the GPO path and contributing to an overall ~97% protection rate. Combined with attack disruption that blocked compromised accounts and lateral movement, the intervention contained the incident and limited impact from concurrent SMB-based ransomware activity.

CrowdStrike Adds Microsoft Defender Support to Falcon SIEM

🛡️ CrowdStrike is extending Falcon Next‑Gen SIEM to ingest and operationalize telemetry from third‑party EDRs, beginning with Microsoft Defender, without requiring a Falcon sensor. The release embeds real‑time data pipelines via Falcon Onum to filter, enrich, and route telemetry, and expands federated search to include Falcon LogScale, ExtraHop, and cloud archives. It also introduces Third‑Party Indicator Management to operationalize external threat intelligence and a Query Translation Agent to convert legacy searches into CQL. Together these capabilities aim to reduce ingestion costs, accelerate investigations, simplify SIEM migrations, and let teams modernize SOC operations without replacing endpoint agents.

Scaling SOCs with Microsoft Defender Autonomous Defense

🛡️ The article outlines how organizations can scale security operations by combining Microsoft Defender XDR autonomous defense with Microsoft Security Experts services to reduce manual toil and accelerate containment. It argues agentic SOCs—driven by continuous signal correlation, automated decision making, and AI agents—are required to address alert overload and capacity constraints. Automated protection takes on routine investigation and response while expert-led hunting and managed detection handle escalations and continuously improve platform protections.

Running OpenClaw Safely: Identity, Isolation, Runtime

🔒 Self-hosted agent runtimes such as OpenClaw shift the execution boundary by ingesting untrusted text, downloading third‑party skills, and acting with the host's credentials. This combination makes the runtime effectively untrusted code execution with persistent tokens and elevated access, unsuitable for standard workstations. Microsoft recommends evaluating OpenClaw only in isolated VMs or dedicated devices, using dedicated non‑privileged credentials, continuous monitoring, and a fast rebuild plan. Prioritize containment, least privilege, and monitoring with solutions like Microsoft Defender XDR.

Infostealers Expand to macOS, Python, and Platform Abuse

🛡️ Microsoft Defender Experts report a cross-platform surge in infostealers that now target macOS, leverage Python toolchains, and abuse trusted platforms and utilities to deliver credential-stealing malware at scale. Since late 2025, macOS campaigns such as DigitStealer, MacSync, and AMOS have used social engineering, malicious DMGs, AppleScript, and fileless execution to harvest browser credentials, keychain secrets, developer keys, and crypto wallets. Phishing campaigns have delivered Python-based stealers like PXA Stealer, while platform-abuse activity has weaponized WhatsApp and fake PDF installers to propagate Eternidade Stealer and malicious Crystal PDF installers. Microsoft outlines Defender XDR detections, hunting queries, and mitigations to help organizations detect, contain, and remediate these evolving threats.

Securing AI Application Supply Chains: LangChain Case

🛡️ This case study details a high-severity serialization injection vulnerability (CVE-2025-68664, “LangGrinch”) in LangChain's langchain-core package that arises from improper handling of a reserved lc marker during dumps/dumpd operations. The flaw can enable unauthorized secret extraction, unintended class instantiation, or malicious side effects when attacker-controlled dictionaries are deserialized. Microsoft recommends immediate upgrades to patched versions and demonstrates how Defender for Cloud and Defender XDR can identify, remediate, and detect exposed workloads across code, build, and runtime stages. The post also offers practical hunting queries and remediation workflows to accelerate fixes.

Microsoft Security Success Stories: Integrated AI Foundation

🔒 Three global organizations—Ford, Icertis, and TriNet—illustrate how embedding security into every layer of the stack enables safer AI adoption and operational agility. Each moved from fragmented point solutions to a unified, Zero Trust platform built on Microsoft Security technologies such as Defender, Sentinel, Purview, Entra, and Security Copilot, using AI-powered telemetry and automation to accelerate detection and response. The result: fewer incidents, faster triage, improved compliance, and measurable cost savings that position them to scale AI responsibly.

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.