{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiedo6lqoepxoajlminjs3evsimen7ferlvpz5kmj7u7fcxr7r6nb4",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mfkxpmcq6ql2"
},
"description": "New Advanced Hunting actions in Microsoft Defender for Office 365 allow SecOps teams to block malicious email attachments and top-level URL domains directly from query results, enabling faster response. Available from March 2026 for Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 use...",
"path": "/m365-message-center/message/mc1237728/",
"publishedAt": "2026-02-24T01:00:05.000Z",
"site": "https://blog.tophhie.cloud",
"tags": [
"Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn"
],
"textContent": "**[Introduction]**\n\nWe're introducing two new remediation actions as part of the **Email** table in Advanced Hunting that help **security operations (SecOps)** teams respond more quickly during investigations:\n\n * **Attachment block action**\n * **Top-level URL domain block action**\n\n\n\nThese actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.\n\nThese actions will be available through **Take action** if the query returns all the required columns.\n\n**[When this will happen:]**\n\nGeneral Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out **early March 2026** and expect to complete by **the end of March 2026**.\n\n**[How this affects your organization:]**\n\n**Who is affected:**\n\n * Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365\n * This feature is available to customers with **Microsoft Defender for Office 365 Plan 2** or **Microsoft 365 E5 licenses.**\n\n\n\n**What will happen:**\n\n * Security teams can block malicious email attachments directly from Advanced Hunting results.\n * Security teams can block top-level URL domains associated with phishing or malicious campaigns.\n * Remediation actions are available in the Advanced Hunting “Take action” wizard.\n * The feature is **enabled by default**; no configuration changes are required.\n * There is **no impact to user workflows** unless a security action is taken.\n\n\n\n**Note:**\n\n * Attachment entries in the Tenant Allow/Block List are supported only if the query results include the **Attachment** column by joining with the **EmailAttachmentInfo** table on **NetworkMessageId**.\n * **Submit to Microsoft** may be unavailable if required columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.\n\n\n\n**What you can do to prepare:**\n\n * No action is required.\n * Review security investigation and response procedures to include the new remediation options.\n * Inform SecOps teams of the updated Advanced Hunting capabilities.\n\n\n\nLearn more: Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn (documentation will be updated before rollout)\n\n\n\n\n**Compliance considerations:**\n\nNo compliance considerations identified; review as appropriate for your organization.",
"title": "MC1237728: Advanced Hunting: new actions to block attachments and top-level URL domains",
"updatedAt": "2026-02-24T01:00:05.000Z"
}