Week 2 · 5 min read
January 5 – January 12, 2026
What changed
Microsoft launched the Microsoft Defender Experts Suite, a bundled managed-services offering that combines Defender Experts for XDR (24x7 managed detection and response plus Defender Experts for Hunting), Microsoft Incident Response (proactive and reactive), and Enhanced Designated Engineering — a designated Microsoft security advisor. It's positioned for organizations that co-source SOC work rather than a new product capability, and eligible customers can save up to 66% on the suite during 2026. If your org buys in, expect triage, hunting leads, and posture recommendations to arrive from Defender Experts inside the Defender portal, so know who owns escalations before an incident hits. (Microsoft Security Blog)
Microsoft also outlined refreshed Microsoft Incident Response proactive services — IR planning, readiness assessments, simulation exercises, and advisory work meant to build resilience before a breach. These are the engagements that produce the runbooks, tabletop findings, and response playbooks an analyst actually executes during a live incident, so it's worth knowing whether your environment has been through one. (Microsoft Security Blog)
January's Microsoft Defender for Identity update adds a large batch of new detection alerts, most of them squarely in scope for a SOC watching hybrid-identity attacks. On the Entra ID side they include a possible adversary-in-the-middle (AiTM) attack (ConsentFix), OAuth code theft through consent abuse, skipped MFA on a remembered device from an uncommon ISP, and suspicious sign-ins tied to the Entra ID sync application. On the Active Directory side they cover Pass-the-Ticket (now generally available), AD Certificate Services enumeration, AD enumeration via ADWS, suspicious NTLM authentication, Kerberoasting via a stealthy LDAP search, and a suspicious Kerberos TGT-request-using-TGS-REQ. Expect these to surface as new alert titles in the Defender portal incident queue; review your suppression and automation rules so the new detections aren't unintentionally muted. (What's new in Microsoft Defender for Identity)
Also in the January Defender for Identity release, the Identity inventory enhancements reached general availability. A new Accounts tab consolidates every account tied to a single identity — Active Directory, Microsoft Entra ID, and supported non-Microsoft providers — you can manually link or unlink accounts to correct correlation, and you can now run identity-level remediation (disable accounts, reset passwords) across the linked accounts from one place. Advanced hunting gains the matching IdentityAccountInfo table so you can pivot from an account to the owning identity in KQL. The same release adds new posture assessments worth running against AD: stale accounts (no logon in 90 days), Entra ID privileged users who are also privileged in AD, service accounts sitting in privileged groups, and accounts in built-in Operator groups. (What's new in Microsoft Defender for Identity)
On the Entra side, service principal creation audit logs for alerting and monitoring reached general availability this month. New audit-log properties surface why a service principal was created and who or what triggered it — the provisioning mechanism, the specific SKUs or service plans that enabled just-in-time creation, and the home tenant of the app registration. That lets you distinguish Microsoft-driven provisioning from tenant-driven activity when a newly created service principal shows up, which is exactly the signal you want when hunting for consent-grant abuse and rogue app registrations. (Microsoft Entra releases and announcements)
Entra Conditional Access also tightened enforcement this month: policies that target All resources with one or more resource exclusions (or that explicitly target Azure AD Graph) will now be enforced in a narrow set of sign-in flows where the client requests only OIDC or specific directory scopes — flows that previously slipped past those policies. It's a security-strengthening change, but if you rely on resource-exclusion CA policies, review them now so the newly-enforced behavior doesn't surprise you with unexpected blocks. (Microsoft Entra releases and announcements)
For detection engineers, custom detection rules in Microsoft Defender now support Near Real-Time (NRT) frequency on Microsoft Sentinel data (public preview), extending continuous NRT scheduling to rules that run over Sentinel tables. NRT closes the gap between an event landing and a detection firing for the highest-priority queries, so it's a candidate for your most time-sensitive Sentinel-backed custom detections rather than a blanket default. (What's new in Microsoft Defender XDR)
Worth knowing
Microsoft Threat Intelligence published analysis of phishing actors abusing complex mail-routing scenarios and misconfigured spoof protections to deliver messages that appear to be sent internally (same address in the To and From fields). This is not a Direct Send vulnerability: it only affects tenants whose MX records are not pointed directly to Office 365 and that haven't strictly enforced spoof protections. Most campaigns ride the Tycoon2FA phishing-as-a-service platform (AiTM, MFA-bypass), with voicemail, password-expiry, HR, and fake-invoice/BEC lures. The fix is strict DMARC reject plus SPF hard fail (not soft fail) and correctly configured third-party connectors with enhanced filtering; on the detection side the post ships ready-to-run EmailEvents and ASIM (_Im_NetworkSession / _Im_WebSession) hunting queries plus IOCs — worth running against your workspace and checking header values like reason=905/reason=451 and compauth=fail. (Microsoft Security Blog)
Two threads tie this week's identity news together on the Defender-portal side. The new Defender for Identity alerts and the GA identity inventory both live in the unified Microsoft Defender portal, and the ConsentFix/OAuth-consent-abuse detections above map directly onto the same AiTM and MFA-bypass tradecraft that the MTI phishing post describes — so a Tycoon2FA-style intrusion should now light up both the email and the identity sides of an incident. If your team still triages Entra sign-in risk and identity alerts in separate consoles, the January releases are another nudge to consolidate the investigation in the unified portal where the account-to-identity correlation and remediation actions now live.
Heads-up for next shift: January Patch Tuesday lands Tuesday 13 Jan 2026, one day outside this window — review the release notes and prioritize any actively exploited Microsoft CVEs across your estate. (MSRC Security Update Guide)