< ciso
brief />
Tag Banner

All news with #microsoft defender xdr tag

40 articles · page 2 of 2

Protecting High-Value Assets with Microsoft Defender

🔒 Microsoft Defender uses asset-aware protection powered by Security Exposure Management to identify and defend High-Value Assets such as domain controllers, IIS/Exchange servers, and identity infrastructure. The platform applies HVA-aware anomaly detection, cloud-delivered intelligence, and endpoint protections to detect credential dumping, webshell deployments, and other high-impact TTPs. Defender can also trigger automated disruption to contain threats and recommends prioritizing HVA coverage and remediation.
read more →

Predictive Shielding in Defender Stops GPO-Based Ransomware

🛡️Microsoft Defender's predictive shielding disrupted a GPO-based ransomware campaign targeting a large educational institution with more than a couple thousand devices. The attacker created malicious GPOs to disable protections and deploy scheduled tasks via the SYSVOL share; Defender detected policy tampering and applied GPO hardening, temporarily pausing policy propagation. Roughly 700 devices were hardened within hours, preventing any encryption via the GPO path and contributing to an overall ~97% protection rate. Combined with attack disruption that blocked compromised accounts and lateral movement, the intervention contained the incident and limited impact from concurrent SMB-based ransomware activity.
read more →

CrowdStrike Adds Microsoft Defender Support to Falcon SIEM

🛡️ CrowdStrike is extending Falcon Next‑Gen SIEM to ingest and operationalize telemetry from third‑party EDRs, beginning with Microsoft Defender, without requiring a Falcon sensor. The release embeds real‑time data pipelines via Falcon Onum to filter, enrich, and route telemetry, and expands federated search to include Falcon LogScale, ExtraHop, and cloud archives. It also introduces Third‑Party Indicator Management to operationalize external threat intelligence and a Query Translation Agent to convert legacy searches into CQL. Together these capabilities aim to reduce ingestion costs, accelerate investigations, simplify SIEM migrations, and let teams modernize SOC operations without replacing endpoint agents.
read more →

Scaling SOCs with Microsoft Defender Autonomous Defense

🛡️ The article outlines how organizations can scale security operations by combining Microsoft Defender XDR autonomous defense with Microsoft Security Experts services to reduce manual toil and accelerate containment. It argues agentic SOCs—driven by continuous signal correlation, automated decision making, and AI agents—are required to address alert overload and capacity constraints. Automated protection takes on routine investigation and response while expert-led hunting and managed detection handle escalations and continuously improve platform protections.
read more →

Running OpenClaw Safely: Identity, Isolation, Runtime

🔒 Self-hosted agent runtimes such as OpenClaw shift the execution boundary by ingesting untrusted text, downloading third‑party skills, and acting with the host's credentials. This combination makes the runtime effectively untrusted code execution with persistent tokens and elevated access, unsuitable for standard workstations. Microsoft recommends evaluating OpenClaw only in isolated VMs or dedicated devices, using dedicated non‑privileged credentials, continuous monitoring, and a fast rebuild plan. Prioritize containment, least privilege, and monitoring with solutions like Microsoft Defender XDR.
read more →

Infostealers Expand to macOS, Python, and Platform Abuse

🛡️ Microsoft Defender Experts report a cross-platform surge in infostealers that now target macOS, leverage Python toolchains, and abuse trusted platforms and utilities to deliver credential-stealing malware at scale. Since late 2025, macOS campaigns such as DigitStealer, MacSync, and AMOS have used social engineering, malicious DMGs, AppleScript, and fileless execution to harvest browser credentials, keychain secrets, developer keys, and crypto wallets. Phishing campaigns have delivered Python-based stealers like PXA Stealer, while platform-abuse activity has weaponized WhatsApp and fake PDF installers to propagate Eternidade Stealer and malicious Crystal PDF installers. Microsoft outlines Defender XDR detections, hunting queries, and mitigations to help organizations detect, contain, and remediate these evolving threats.
read more →

Securing AI Application Supply Chains: LangChain Case

🛡️ This case study details a high-severity serialization injection vulnerability (CVE-2025-68664, “LangGrinch”) in LangChain's langchain-core package that arises from improper handling of a reserved lc marker during dumps/dumpd operations. The flaw can enable unauthorized secret extraction, unintended class instantiation, or malicious side effects when attacker-controlled dictionaries are deserialized. Microsoft recommends immediate upgrades to patched versions and demonstrates how Defender for Cloud and Defender XDR can identify, remediate, and detect exposed workloads across code, build, and runtime stages. The post also offers practical hunting queries and remediation workflows to accelerate fixes.
read more →

Microsoft Security Success Stories: Integrated AI Foundation

🔒 Three global organizations—Ford, Icertis, and TriNet—illustrate how embedding security into every layer of the stack enables safer AI adoption and operational agility. Each moved from fragmented point solutions to a unified, Zero Trust platform built on Microsoft Security technologies such as Defender, Sentinel, Purview, Entra, and Security Copilot, using AI-powered telemetry and automation to accelerate detection and response. The result: fewer incidents, faster triage, improved compliance, and measurable cost savings that position them to scale AI responsibly.
read more →

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.
read more →

Microsoft issues replacement Secure Boot certificates

🔒 Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 systems via Windows Update. The rollout uses high-confidence device targeting and phased signals to ensure only devices with sufficient successful update telemetry receive the new certificates, while administrators can also deploy them using registry keys, WinCS, or Group Policy. Organizations are urged to inventory fleets, verify Secure Boot status, apply firmware updates as needed, and install the certificate updates before existing credentials expire to preserve Secure Boot and pre-boot patching.
read more →

Microsoft Defender Experts Suite: Expert-Led Security

🔒 The new Microsoft Defender Experts Suite combines managed extended detection and response (MXDR), proactive and reactive incident response, and a designated Microsoft security advisor to help organizations counter advanced, AI-accelerated threats. Microsoft analysts deliver 24/7 triage, continuous threat hunting, and on-demand expertise across endpoints, identities, email, cloud apps, and cloud workloads. Enhanced Designated Engineering supports secure deployment and operational modernization, while Incident Response offers planning, simulations, and rapid remediation. Eligible customers can access a limited-time promotional discount through 2026.
read more →

Microsoft Edge adds scareware sensor for faster blocking

🛡️ Microsoft is adding a new scareware sensor to Edge that notifies Defender SmartScreen in real time to speed up indexing and global blocking of tech-support and full-screen scam pages. The sensor is included in Edge 142, disabled by default, and reports suspected scams immediately without sharing screenshots or extra data beyond SmartScreen’s usual telemetry. Edge’s local scareware blocker — introduced at Ignite 2024 and widely enabled since February — still warns users, exits full-screen, stops loud audio, shows a thumbnail, and offers an option to continue. Microsoft plans to enable the sensor for users who have SmartScreen enabled and will add more anonymous detection signals over time.
read more →

Microsoft Security Store Unites Partners and Innovation

🔐 Microsoft Security Store, released to public preview on September 30, 2025, is a unified, AI-powered marketplace that lets organizations discover, buy, and deploy vetted security solutions and AI agents. Catalog items — organized by frameworks like NIST and by integration with products such as Microsoft Defender, Sentinel, Entra, and Purview — address threat protection, identity, compliance, and cloud security. Built on the Microsoft Marketplace, it provides unified billing, MACC eligibility, and guided automated provisioning to streamline deployments.
read more →

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft Threat Intelligence has revoked more than 200 code-signing certificates that were fraudulently used to sign counterfeit Microsoft Teams installers delivering a persistent backdoor and ransomware. The campaign, tracked as Vanilla Tempest (also known as Vice Spider/Vice Society), employed SEO poisoning and malvertising to lure users to spoofed download sites hosting fake MSTeamsSetup.exe files that deployed the Oyster backdoor and ultimately Rhysida ransomware. Microsoft says the actor abused Trusted Signing and services such as SSL.com, DigiCert and GlobalSign to sign malicious binaries. A fully enabled Microsoft Defender Antivirus detects and blocks these threats, and Microsoft provides guidance through Microsoft Defender for Endpoint for mitigation and investigation.
read more →

Securing Agentic AI: Microsoft Ignite Security Guide

🔒 Microsoft Ignite 2025 highlights security-focused sessions and hands-on labs tailored for practitioners and leaders. Join in San Francisco Nov 17–21 (or online Nov 18–20) for briefings, demos, and instructor-led labs covering Microsoft Security Copilot, Sentinel, Defender, Entra, and Purview. A Security Forum (Nov 17) and keynote segments led by senior security executives will explore designing, governing, and protecting agentic AI across the lifecycle.
read more →

Microsoft Named a Leader in IDC MarketScape for XDR

🔒 Microsoft has been named a Leader in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 assessment. Microsoft Defender XDR is highlighted for broad signal coverage across endpoints, identities, email and collaboration, SaaS apps, cloud workloads, and data, plus AI-driven automation and native SIEM integration that consolidate visibility and accelerate response. IDC also cited Microsoft Security Copilot and automatic attack disruption as key differentiators that reduce dwell time and free SOC teams to focus on higher-value tasks.
read more →

Forrester: Microsoft Defender Delivers 242% ROI Over 3 Years

🔒 Microsoft’s latest Forrester TEI study found a 242% return on investment over three years for organizations using Microsoft Defender. The analysis attributes $17.8 million in total benefits and reports an average payback period of less than six months for a composite organization. Integrated with Microsoft Sentinel, Defender streamlines SecOps by consolidating tooling, lowering false positives, and accelerating response through automation and KQL-enabled detections. Customers cite improved visibility across hybrid and multicloud environments and reduced operational overhead.
read more →

Blueprint for Building Safe and Secure AI Agents at Scale

🔒 Azure outlines a layered blueprint for building trustworthy, enterprise-grade AI agents. The post emphasizes identity, data protection, built-in controls, continuous evaluation, and monitoring to address risks like data leakage, prompt injection, and agent sprawl. Azure AI Foundry introduces Entra Agent ID, cross-prompt injection classifiers, risk and safety evaluations, and integrations with Microsoft Purview and Defender. Join Microsoft Secure on September 30 to learn about Foundry's newest capabilities.
read more →

Analyzing ClickFix: A Rising Click-to-Execute Threat

🛡️ Microsoft Threat Intelligence and Microsoft Defender Experts describe the ClickFix social engineering technique, where attackers trick users into copying and pasting commands that execute malicious payloads. Observed since early 2024 and active through 2025, these campaigns deliver infostealers, RATs, loaders, and rootkits that target Windows and macOS devices. Lures arrive via phishing, malvertising, and compromised sites and often impersonate legitimate services or CAPTCHA verifications. Organizations should rely on user education, device hardening, and Microsoft Defender XDR layered protections to detect and block ClickFix activity.
read more →

Microsoft announces Phishing Triage Agent public preview

🛡️The Phishing Triage Agent is now in Public Preview and automates triage of user-reported suspicious emails within Microsoft Defender. Using large language models, it evaluates message semantics, inspects URLs and attachments, and detects intent to classify submissions—typically within 15 minutes—automatically resolving the bulk of false positives. Analysts receive natural‑language explanations and a visual decision map for each verdict, can provide plain‑language feedback to refine behavior, and retain control via role‑based access and least‑privilege configuration.
read more →