M365 Archive

RM502528 - Microsoft Defender for Office 365: Auto-Remediation of Malicious Similarity Clusters in AIR

Microsoft 365 Roadmap

Roadmap ID

502528

View in M365 Roadmap

Status

Launched

Release

General Availability

Last Updated

Feb 24, 2026

Published Sep 3, 2025

Platforms

Web

Service

Microsoft Defender for Office 365

Tag

Launched
General Availability
Worldwide (Standard Multi-Tenant)

Cloud

Worldwide (Standard Multi-Tenant)

Summary

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

Description

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

GA date: December CY2025