MC1061724 - Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

Service

Microsoft Defender XDR

Published

Apr 24, 2025

Tag

Major change
Feature update
Admin impact

Summary

Microsoft Defender for Cloud Apps will enhance threat protection with a new dynamic model for detections and alerts, rolling out from June to July 2025. This model allows faster response to threats and will be implemented seamlessly. Legacy policies will be disabled but visible temporarily. No admin action is required.

More information

Coming soon for Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities. We will implement a new dynamic model for threat protection detections and alerts. This change aims to improve and maintain a high signal-to-noise ratio (SNR) for detections.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out the first batch of policies in early June 2025 and expect to complete by early July 2025.

How this will affect your organization:

Our new dynamic model gives our security researchers the ability to respond faster to new threats and to update detection logic as the threat landscape evolves. This means that detections can be added, removed, or modified dynamically to ensure optimal protection against emerging threats. Note: These are research-driven detections, so customers will receive the protection without needing to actively configure them.

This rollout will be seamless, and you will continue to receive the same standard of protection without disruption to the provided security coverage. After rollout begins, we will include the migrated policies in Create anomaly detection policies - Microsoft Defender for Cloud Apps | Microsoft Learn (to be updated).

The first batch of policies will be:

  1. Suspicious inbox manipulation rule
  2. Suspicious email deletion activity
  3. Suspicious email forwarding rule
  4. Activity from an anonymous proxy
  5. Activity from a botnet-associated IP address

Note: In addition to the policies in the first batch mentioned above, all other OOTB policies will eventually be migrated to the new dynamic model.

After this rollout:

  • By applying the new dynamic model, we aim to provide more accurate and timely threat detections, enhancing your organization's overall security.
  • In some cases, a policy may be split into several different detections and alerts in order to provide an additional degree of protection and to give SOC teams a better understanding of the nature and origin of the threat.
  • For several months during the gradual migration of OOTB policies, the legacy policies will be disabled but still temporarily visible in Defender for Cloud Apps. After the migration has completed, we will remove the policies from the legacy policies page, and we will send a separate MC post about this removal.

This migration will be seamless and available by default. However, please note that we will disable legacy policies and their configured governance actions. If you wish to retain governance actions, please re-enable the policies from the legacy policies page at Defender portal > Cloud apps > Policy management page.

What you need to do to prepare:

This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current configuration to assess the impact on your organization. You may want to notify your users about this change and update any relevant documentation.