Microsoft Defender for Office 365 Empowers Security Teams with Automated Investigation Capabilities
Microsoft has recently enhanced its Defender for Office 365 (O365) suite by introducing advanced remediation capabilities that allow security teams to initiate automated investigations directly from the Advanced Hunting interface. This update, launched on November 10, 2025, aims to streamline the response to email threats, enabling administrators and analysts to act swiftly without the need for policy modifications.
Integration of New Actions in Advanced Hunting
The latest enhancement integrates several critical actions into the Advanced Hunting interface:
– Submit to Microsoft: Allows security teams to send suspicious emails directly to Microsoft for further analysis.
– Add to Tenant Allow/Block List: Enables the addition of specific email addresses or domains to the organization’s allow or block lists, facilitating better control over incoming communications.
– Initiate Automated Investigation: Triggers an automated investigation into potential threats, expediting the identification and mitigation of malicious activities.
Previously, these actions were confined to the Threat Explorer tool. By incorporating them into Advanced Hunting, Microsoft addresses customer feedback, reducing the time required to triage and remediate malicious emails.
Enhancing Security Operations with Advanced Hunting
Advanced Hunting, a component of Microsoft Defender XDR, offers deep visibility into cross-domain threats across email, endpoints, and identities. With the new update, users can select query results and trigger responses contextually based on message delivery status, such as purging from inboxes or quarantines.
For bulk selections exceeding 100 messages, options like email purge and proposed remediations remain available, ensuring scalability for large-scale incidents. Threat Explorer continues to operate independently, providing complementary views of real-time detections.
Implementation and Access Control
This rollout affects administrators and security analysts leveraging Microsoft Defender XDR, with actions enabled by default across worldwide tenants. While the user interface cannot be removed, existing administrative policies, including role-based access control (RBAC), are fully respected to maintain compliance. Organizations can scope access via the Microsoft 365 Defender portal under Settings > Permissions > Roles, preventing unauthorized use.
Preparation and Integration
To prepare for this enhancement, security teams should audit current hunting queries and integrate the new actions into playbooks for automated responses. Communicating these changes to Security Operations Center (SOC) stakeholders and providing targeted training will minimize disruptions. For instance, updating documentation on initiating automated investigations can accelerate adoption, especially in environments handling high volumes of phishing or malware-laden emails.
Alignment with Automated Investigation and Response (AIR)
This enhancement aligns with broader trends in automated investigation and response (AIR) in Defender for O365 Plan 2, where remediation clusters around malicious files or URLs for faster threat neutralization. By default, AIR actions require approval, but configurations for auto-remediation on message clusters can further reduce manual overhead, though clusters over 10,000 items prompt reviews. In Advanced Hunting schemas like EmailPostDeliveryEvents, auto-remediated items appear with ActionType “Automated Remediation” and ActionTrigger “Automation,” aiding forensic analysis.
Conclusion
This update maintains proactive defense in an era of sophisticated email-based attacks, such as ransomware and business email compromise. By empowering security teams with automated investigation capabilities, Microsoft Defender for Office 365 enhances the efficiency and effectiveness of threat response, ensuring organizations can swiftly address and mitigate potential security incidents.
