July 2025 marks another significant milestone for Microsoft Defender XDR, with a series of powerful updates and innovations rolled out across the Defender portfolio. This month’s edition (check out June 2025) highlights advancements in AI-driven security, seamless multi-tenant management, enhanced threat detection, and in-depth intelligence on evolving cyber threats. Here’s everything you need to know about the latest developments from Microsoft’s security suite.
Microsoft Defender XDR Monthly news – July 2025
1. Advanced Hunting: Azure Data Explorer Integration
One of the standout updates is the general availability of the `adx()` operator in advanced hunting within the Microsoft Defender portal. Security analysts can now directly query tables stored in Azure Data Explorer (ADX) without switching to Microsoft Sentinel, streamlining investigations and enabling faster, more comprehensive threat hunting. This integration empowers organizations to leverage the full analytical power of ADX for deeper insights into security events and trends.
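The `adx()` operator described above, shown in an added advanced hunting query that is not part of the original post: it joins Defender endpoint network telemetry with a domain blocklist kept in an Azure Data Explorer table. The cluster URL, database, table and column names (BlockedDomains, Domain, Source) are placeholders, and the query assumes the analyst's account has reader access to that ADX database.

```kql
// Added example, not from the original post: correlate DeviceNetworkEvents with a
// domain blocklist stored in Azure Data Explorer via the adx() operator.
// Cluster URL, database, table and column names below are placeholders/assumptions.
let KnownBadDomains =
    adx('https://<cluster>.<region>.kusto.windows.net/<database>').BlockedDomains
    | where isnotempty(Domain)
    | project Domain = tolower(Domain), Source;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; normalise both to a lower-case host name.
| extend Host = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| where isnotempty(Host)
| join kind=inner KnownBadDomains on $left.Host == $right.Domain
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName, 10) by DeviceName, Host, Source
| order by Connections desc
```

Run it from the advanced hunting page in the Microsoft Defender portal; before this integration the same correlation would have required copying the blocklist into a Sentinel workspace or watchlist.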
Highlights:
- Unified threat hunting across Defender and Sentinel data.
- Faster, more flexible queries for large-scale data analysis.
- Reduced operational friction for security teams.
2. Security Copilot: TITAN-Powered Recommendations
Microsoft continues to invest in AI-driven security with the introduction of TITAN-powered recommendations in Security Copilot’s guided response. TITAN, leveraging Adaptive Networks and threat intelligence, enhances the accuracy and speed of incident triage and response. Security Copilot now provides contextual, actionable guidance, helping analysts make informed decisions under pressure and respond to threats with greater confidence.
Highlights:
- Improved triage accuracy and reduced investigation time.
- Integration of real-time threat intelligence into response workflows.
- Enhanced decision support for security operations centers (SOCs).
3. Multi-Tenant Case Management: Unified Incident Response
Another major advancement is the general availability of multi-tenant support in Microsoft Defender’s case management experience. Security teams, especially those managing complex or multi-client environments, can now view and manage incidents across all tenants from a single, unified interface in the Microsoft Defender Multi-Tenant (MTO) portal.
Highlights:
- Centralized management for MSSPs and large enterprises.
- Streamlined incident response and threat hunting across environments.
- Reduced reliance on third-party SIEM and ticketing systems.
4. Defender for Cloud Apps: Enhanced Threat Detection
Defender for Cloud Apps received notable upgrades:
- Behaviors Data Type (GA): Now generally available, this new data type reduces noise from generic anomalies and surfaces alerts only when patterns match real security scenarios, improving detection accuracy.
- Dynamic Threat Detection Model: This model adapts continuously to the changing SaaS threat landscape, ensuring organizations are protected with the latest detection logic without manual updates.
5. Defender for Endpoint: Expanded Platform Support and Features
Linux and macOS Improvements
- Global Exclusions for Linux (GA): Organizations can now centrally manage exclusion policies for Linux devices across AV and EDR, simplifying compliance and reducing false positives.
- Support for Alma Linux and Rocky Linux (GA): Defender for Endpoint now fully supports these popular Linux distributions, expanding coverage for diverse environments.
- Behavior Monitoring on macOS (GA): Early detection and prevention of suspicious activity on macOS devices are now available, providing parity with Windows and Linux protection.
Selective Isolation (Public Preview)
This feature enables security teams to exclude specific devices, processes, IPs, or services from isolation actions, maintaining connectivity for critical operations during incidents.
6. Defender for Identity: Broader Protection and Granular Control
- Domain-Based Scoping for Active Directory (Public Preview): SOC analysts can now define and refine monitoring scopes for Defender for Identity, allowing more targeted and efficient security analysis.
- Okta Identity Protection (Public Preview): Defender for Identity extends its robust protection to Okta identities, in addition to on-premises AD and Entra ID, reflecting Microsoft’s commitment to securing hybrid and multi-cloud identity infrastructures.
7. Defender for Office 365: Ecosystem Expansion and AI-Powered Responses
- ICES Vendor Ecosystem: A new unified framework for integrating trusted third-party vendors, enabling seamless collaboration and extended protection.
- Auto-Remediation of Malicious Messages (GA): Automated investigation and response capabilities now include auto-remediation, reducing the time to mitigate email threats.
- Mail Bombing Detection: Enhanced detection methods now identify mail bombing attacks in Threat Explorer and Advanced Hunting.
- AI-Powered Submissions Response: Admin email submissions to Microsoft now receive generative AI explanations, improving transparency and understanding for security teams.
8. Microsoft Security Exposure Management: External Attack Surface Integration
- Enhanced External Attack Surface Management (Public Preview): Organizations can now incorporate detailed external attack surface data from Defender External Attack Surface Management into Exposure Management, providing a holistic view of vulnerabilities and exposures.
9. Threat Intelligence and Security Blogs: Emerging Threats and Actor Profiles
- RIFT for Rust Malware: Microsoft introduces RIFT, an open-source tool for analyzing Rust-based malware, addressing the growing adoption of Rust by threat actors.
- North Korean Remote IT Workers: Microsoft Threat Intelligence reports on North Korean actors using AI to enhance cyber operations, data theft, and revenue generation for the regime.
- Qilin Ransomware: A ransomware-as-a-service (RaaS) offering impacting healthcare and media, used by groups like Pistachio Tempest and Moonstone Sleet.
- Emerald Sleet QR Code Phishing: North Korean actors use QR codes for credential harvesting in phishing campaigns.
- CVE-2025-34028: A critical path traversal vulnerability in Commvault Command Center, allowing remote code execution via malicious ZIP uploads. Organizations are urged to patch affected versions immediately.
- Forest Blizzard and BlipSlide: Russian military intelligence deploys a new variant of BlipSlide malware in Ukraine, targeting software supply chains.
- Storm-2416, Storm-0126, Storm-2001: Nation-state actors from China and Russia target IT, government, defense, and NATO-related organizations worldwide.
- Storm-2561 and SilentRoute: Distribution of trojanized SonicWall NetExtender VPN software to exfiltrate VPN configuration data.
Please note: access to the Microsoft Defender portal is required to open the links in sections 3 to 8.
Microsoft Defender XDR’s Future Security Vision
By unifying advanced analytics, multi-tenant management, and threat intelligence, Microsoft Defender XDR empowers organizations to detect, investigate, and respond to threats faster and more effectively than ever before.
Discover more from Microsoft News Today