{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihqeuzg22ggtl7il3lhcm3gtde2bygilrlamlhrjj3sb23n4u5qma",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3miff5d5orsv2"
},
"description": "Microsoft Secure Score will add a new recommendation to block outbound traffic from mshta.exe in Microsoft Defender for Endpoint, starting public preview in late March 2026. This reduces risk from attacks using mshta.exe, requires admin action to enable, and impacts compliance monitoring and data...",
"path": "/m365-message-center/message/mc1266905/",
"publishedAt": "2026-04-01T00:00:17.000Z",
"site": "https://blog.tophhie.cloud",
"tags": [
"Microsoft Secure Score | Microsoft Defender XDR | Microsoft Defender | Microsoft Learn"
],
"textContent": "**[Introduction]**\n\nTo help organizations strengthen endpoint security and reduce exposure to common attack techniques, we’re introducing a new **Microsoft Secure Score recommendation** in _Microsoft Defender for Endpoint (MDE)_. This recommendation focuses on **blocking outbound traffic from mshta.exe**, a legitimate Windows binary that is frequently abused by attackers to execute malicious scripts. Implementing this recommendation helps reduce risk from **living-off-the-land binary (LOLBIN)** attacks and improves your overall security posture.\n\n**[When this will happen]**\n\n * **Public Preview:** Rollout begins **late March 2026** and is expected to complete by **early April 2026**.\n * **General Availability (Worldwide):** Rollout begins **late March 2026** and is expected to complete by **late May 2026**.\n\n\n\n**[How this affects your organization]**\n\n_Who is affected_\n\nAdmins managing **Microsoft Defender for Endpoint** and **Microsoft Secure Score**.\n\n_What will happen_\n\n * Secure Score points will reflect whether this recommendation is implemented.\n * The recommendation is **not enabled by default** and **requires admin action** to implement.\n * There is **no direct user experience change** unless your organization enforces the configuration.\n\n\n\nA new Secure Score recommendation titled **“_Block outbound traffic from mshta.exe_”** will appear in _Microsoft Secure Score_ for tenants enrolled in _Public Preview_.\n\n_Why this matters_\n\n * **mshta.exe** is commonly abused by attackers to download and execute malicious payloads from remote sources.\n * Blocking outbound traffic from this binary reduces attack surface and aligns with modern endpoint hardening best practices.\n\n\n\n**[What you can do to prepare]**\n\n * Review the new recommendation in _Microsoft Secure Score_ once available.\n * Evaluate potential line of business or scripting dependencies before enforcement.\n * Implement the recommended configuration to improve your organization’s security posture.\n * Communicate these changes to your security and endpoint management teams.\n\n\n\n**Learn more:** Microsoft Secure Score | Microsoft Defender XDR | Microsoft Defender | Microsoft Learn\n\n**[Compliance considerations]**\n\nQuestion | Answer\n---|---\nDoes the change alter how existing customer data is processed, stored, or accessed? | Yes. Blocking outbound traffic from mshta.exe may prevent certain scripts or applications from accessing external resources.\nDoes the change alter how admins can monitor, report on, or demonstrate compliance activities? | Yes. Microsoft Secure Score will reflect the implementation status of the new recommendation.\nDoes the change include an admin control, and can it be controlled through Entra ID group membership? | Yes. Admins must explicitly implement the recommendation in _Microsoft Defender for Endpoint_.",
"title": "MC1266905: Microsoft Secure Score: New recommendation for Microsoft Defender for Endpoint",
"updatedAt": "2026-04-01T00:00:17.544Z"
}