Microsoft 365 Message Center Archive

MC1237728 - Advanced Hunting: new actions to block attachments and top-level URL domains

Message ID

MC1237728

View in Message Center

Service

Microsoft Defender XDR

Published

Feb 23, 2026

Tag

Feature update
Admin impact

Summary

New Advanced Hunting actions in Microsoft Defender for Office 365 allow SecOps teams to block malicious email attachments and top-level URL domains directly from query results, enabling faster response. Available from March 2026 for Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 users, enabled by default with no user impact.

More information

Introduction

We're introducing two new remediation actions as part of the Email table in Advanced Hunting that help security operations (SecOps) teams respond more quickly during investigations:

  • Attachment block action
  • Top-level URL domain block action

These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.

These actions will be available through Take action if the query returns all the required columns.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early March 2026 and expect to complete by the end of March 2026.

How this affects your organization:

Who is affected:

  • Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365
  • This feature is available to customers with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses.

What will happen:

  • Security teams can block malicious email attachments directly from Advanced Hunting results.
  • Security teams can block top-level URL domains associated with phishing or malicious campaigns.
  • Remediation actions are available in the Advanced Hunting “Take action” wizard.
  • The feature is enabled by default; no configuration changes are required.
  • There is no impact to user workflows unless a security action is taken.

Note:

  • Attachment entries in the Tenant Allow/Block List are supported only if the query results include the Attachment column by joining with the EmailAttachmentInfo table on NetworkMessageId.
  • Submit to Microsoft may be unavailable if required columns are missing. To resolve this issue, select Show empty columns before you select Take actions.

What you can do to prepare:

  • No action is required.
  • Review security investigation and response procedures to include the new remediation options.
  • Inform SecOps teams of the updated Advanced Hunting capabilities.

Learn more: Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn (documentation will be updated before rollout)

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.