RM502528 - Microsoft Defender for Office 365: Auto-Remediation of Malicious Similarity Clusters in AIR

Microsoft 365 Roadmap

Summary

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

Last Updated

Feb 24, 2026

Published Sep 3, 2025

Status

Launched

Release

General Availability

Platforms

Web

Service

Microsoft Defender for Office 365

Tag

Launched
General Availability
Worldwide (Standard Multi-Tenant)

Cloud

Worldwide (Standard Multi-Tenant)

Description

GA date: December CY2025