MC1237728 – Advanced Hunting: new actions to block attachments and top-level URL domains


check before: 2026-03-01

Product:

Defender, Defender for Office 365, Defender XDR

Platform:

Online, US Instances, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Details:

Summary:
New Advanced Hunting actions in Microsoft Defender for Office 365 allow SecOps teams to block malicious email attachments and top-level URL domains directly from query results, enabling faster response. Available from March 2026 for Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 users, enabled by default with no user impact.

Details:
[Introduction]
We're introducing two new remediation actions as part of the Email table in Advanced Hunting that help security operations (SecOps) teams respond more quickly during investigations:
- Attachment block action
- Top-level URL domain block action

These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.
These actions will be available through Take action if the query returns all the required columns.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early March 2026 and expect to complete by the end of March 2026.

Created:
2026-02-24

updated:
2026-02-24

summary for non-techies**

Microsoft Defender for Office 365 will introduce a new feature in March 2026 that allows security teams to quickly block suspicious email attachments and website links, enhancing threat response capabilities for those with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses, without disrupting daily operations.

Direct effects for Operations**

Blocking Malicious Attachments
If the new attachment block action is used without proper preparation, it may lead to unintended blocking of legitimate attachments, disrupting user workflows and causing delays in communication.
   - roles: Security Operations Team, IT Administrators
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-take-action

Blocking Top-Level URL Domains
Implementing the top-level URL domain block action without thorough investigation may result in blocking access to legitimate websites, negatively impacting user experience and productivity.
   - roles: Security Operations Team, IT Administrators
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-take-action

** AI generated content. This information must be reviewed before use.
