Microsoft 365 Message Center Archive

MC1237728 - Advanced Hunting: new actions to block attachments and top-level URL domains

Message ID

MC1237728

View in Message Center

Service

Microsoft Defender XDR

Last Updated

Mar 6, 2026

Published Feb 23, 2026

Tag

Updated message
Feature update
Admin impact

Summary

Microsoft Defender for Office 365 introduces two new Advanced Hunting remediation actions—blocking attachments and top-level URL domains—to speed SecOps response. Available early March 2026 for Plan 2 and Microsoft 365 E5 users, these features enable direct mitigation from hunting results with no user workflow impact.

More information

Updated March 6, 2026: We have updated the timeline. Thank you for your patience. 

Introduction

We're introducing two new remediation actions as part of the Email table in Advanced Hunting that help security operations (SecOps) teams respond more quickly during investigations:

  • Attachment block action
  • Top-level URL domain block action

These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.

These actions will be available through Take action if the query returns all the required columns.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early March 2026 and expect to complete by early April 2026 (previously end of March).

How this affects your organization:

Who is affected:

  • Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365
  • This feature is available to customers with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses.

What will happen:

  • Security teams can block malicious email attachments directly from Advanced Hunting results.
  • Security teams can block top-level URL domains associated with phishing or malicious campaigns.
  • Remediation actions are available in the Advanced Hunting “Take action” wizard.
  • The feature is enabled by default; no configuration changes are required.
  • There is no impact to user workflows unless a security action is taken.

Note:

  • Attachment entries in the Tenant Allow/Block List are supported only if the query results include the Attachment column by joining with the EmailAttachmentInfo table on NetworkMessageId.
  • Submit to Microsoft may be unavailable if required columns are missing. To resolve this issue, select Show empty columns before you select Take actions.

What you can do to prepare:

  • No action is required.
  • Review security investigation and response procedures to include the new remediation options.
  • Inform SecOps teams of the updated Advanced Hunting capabilities.

Learn more: Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn (documentation will be updated before rollout)

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.