Monthly news - April 2025

Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best.

April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast
April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast
April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast

New episodes of the Virtual Ninja Show has been published, covering various products and scenarios.

• Microsoft's Zero Trust approach 
• Resolving high CPU utilization in Microsoft Defender Antivirus
• Microsoft Defender for Endpoint Client Analyzer overview
• Mastering onboarding issues with Defender for Endpoint Client Analyzer
• Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer
• Connecting your Apps to Defender for Cloud Apps

Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel

• What’s new in Microsoft Defender XDR at Secure 2025
• (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro

• (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. 

• (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications.

• Blog post: Transforming public sector security operations in the AI era
  Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense?

• (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details.

• The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365.

• You can now link Threat analytics reports when setting up custom detections. Learn more

Microsoft Defender for Endpoint

• Update to the Microsoft Defender Antivirus group policies documentation. Learn more

• Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more
• New video (9 mins): How Microsoft is redefining endpoint security
• New documentation: Troubleshoot Microsoft Defender Antivirus scan issues
  

Microsoft Defender for Office 365

• User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user.
• Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet.

Microsoft Defender for Cloud Apps

• (GA) Unified Identity inventory now general available. Learn more
• Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. 
• Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. 
  

  Join one of these workshops to learn:

  • Real-world examples of OAuth attacks
  • New pre-built templates and custom rules to simplify app governance
  • How to quickly identify and mitigate risks from high-risk or suspicious apps
  • Best practices for operationalizing app governance to improve your security posture

  These workshops are designed to accommodate global participation, with flexible date and time options.

• Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks.  

Microsoft Defender for Identity

• Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity
• Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment.
• New health issue for cases where sensors running on VMware have network configuration mismatch.
• The Identities page under Assets has been updated to provide better visibility and management of identities across your environment.
• New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.

Microsoft Security Blogs

• Silk Typhoon targeting IT supply chain
• Malvertising campaign leads to info stealers hosted on GitHub
• New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects
• Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
• StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
• Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

Threat Analytics (Access to the Defender Portal needed)

• Vulnerability Profile: CVE-2024-40711 – Veeam Backup
• Activity profile: Moonstone Sleet using Qilin ransomware
• [TA update] Actor Profile: Secret Blizzard
• Actor profile: Berry Sandstorm
• Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique
• Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices
• [TA update] Actor profile - Swirl Typhoon
• Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software
• Activity profile: Lumma Stealer spreads via YouTube video descriptions
• [TA update] Actor profile: Aqua Blizzard
• Tool profile: Latrodectus
• Vulnerability profile: CVE-2025-26633
• Tool profile: WinRing0
• Activity profile: Storm-0485 phishing activity
• Activity profile: Silk Typhoon targeting IT supply chain
• Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks
• Threat overview: Business Email Compromise
• [Snapshot] Actor profile: Storm-2372
• [TA update] Actor profile: ZigZag Hail
• Actor profile: Storm-0287
• Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service
• Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application
• Actor profile: Yulong Flood
• Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability
• Tool profile: FrostyStash
• [TA update] Tool profile: Mimikatz
• Tool profile: Mamba 2FA
• Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America
• [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway
• [TA update] Actor profile: Silk Typhoon
• Seamless SSO Abuse via AADInternals
• [TA update] SystemBC Tool Profile
• Vulnerability profile: CVE-2025-22224 – VMware