Week 20 · 6 min read
May 11 – May 18, 2026
What changed
Automatic attack disruption can now isolate a compromised device from the network on its own (preview). When high-confidence incident analysis indicates a device is being used as an active foothold, Defender isolates it automatically — blocking attacker communication and lateral movement while keeping the device connected to security services. The action is time-limited, scoped to devices involved in the incident, and a security operator can release it at any time. For a SOC, this pushes containment ahead of a human decision on the fastest-moving cases, so an attacker loses the box before the on-call analyst has even opened the incident; the trade-off is that you should know where to find and lift the isolation when it fires on something you'd rather investigate live. (Microsoft Learn)
Microsoft Defender Experts for Servers became available as a managed extended detection and response (XDR) option for server workloads (18 May). Microsoft analysts plus automation detect, prioritize, and respond to threats on machines protected by Defender for Servers Plan 1 or Plan 2 across Azure, AWS, GCP, and on-premises, and the offering bundles Defender Experts for Hunting and Ask Defender Experts. Sold separately, it is the same managed service previously offered only as an add-on, now positioned as a standalone way to hand off server-side detection and response. For a SOC without 24/7 coverage on its server estate, this is the option to escalate hands-on-keyboard server threats to Microsoft rather than carrying them alone. (Microsoft Learn)
SQL Vulnerability Assessment Express Configuration entered public preview for Azure SQL Managed Instance and Azure Synapse Analytics workspaces (17 May), extending the Microsoft-managed baseline-and-results experience that already existed for Azure SQL Database. Express Configuration lets you enable SQL VA without standing up a customer-managed storage account, at no extra cost, and a new unified REST API now covers SQL VA across Azure SQL Database, Managed Instance, Synapse, and SQL on machines. For analysts tracking database misconfiguration and drift as part of exposure management, this removes the storage-account friction that often left SQL VA unconfigured on MI and Synapse. (Microsoft Learn)
The advanced hunting graph added identity-focused predefined scenarios. The interactive hunting graph in the Defender portal now ships built-in scenarios that surface attack paths, privilege-escalation routes, and credential-access risks across on-premises and cloud — including Kerberoast and AS-REP roast paths, domain-compromise routes, OAuth application risks, and guest-user access to cloud resources. Instead of writing the traversal query yourself, you pick the scenario and read the graph. For an intern learning how identity attacks actually chain together, these double as a teaching aid: each scenario maps a real technique to the accounts and resources in your own tenant. (Microsoft Learn)
The advanced hunting Take action wizard can now block malicious email indicators straight from query results. After a hunt over email data, you can select rows and allow or block top-level domains and file-attachment hashes in email directly from the wizard, without pivoting to a separate policy blade. For analysts working a phishing or malspam wave, this shortens the loop from "found the bad sender infrastructure" to "blocked it" to a single query-and-action, which matters when you're trying to cut off an active campaign before more users click. (Microsoft Learn)
Defender Vulnerability Management previewed a new exposure-score model that reprioritizes risk using exploit-prediction (EPSS) data and asset-context factors such as whether a device is internet-facing and how critical it is. Rather than ranking by raw CVE count or CVSS alone, the score weights what is actually likely to be exploited on the machines that matter most. For a SOC driving remediation, this is a better first cut at "what do we patch this week" — a critical CVE on an exposed, internet-facing server should now float above the same CVE buried on an isolated workstation. (Microsoft Learn)
A plain-language Defender Chat assistant arrived in the Defender portal (preview). Defender Chat is an open-prompt chat experience built into Microsoft Defender that helps analysts investigate threats, explore incidents, and answer security questions in natural language — without navigating multiple screens or hand-writing KQL. It's the Security Copilot pattern brought to the everyday triage surface; for newer shift staff it lowers the barrier to "why did this incident fire and what's connected to it" before they're fluent in advanced hunting. (Microsoft Learn)
Two endpoint-control changes shipped for Microsoft Defender for Endpoint. Custom data collection reached general availability, letting you expand telemetry beyond the defaults with rule-based filtering for specific events, and the per-rule ceiling rose from 25,000 to 75,000 events per device within a rolling 24 hours — useful when you need deeper visibility on a subset of hosts for a hunt or investigation. Separately, Selective Response Actions entered preview, giving you precise control over how high-impact response actions apply to Tier-0 systems and other high-value assets during onboarding, so containment on a domain controller or jump host doesn't take down something you can't afford to knock offline. (Microsoft Learn)
Worth knowing
May Patch Tuesday landed on 12 May 2026 with roughly 130 CVEs (30 rated Critical) and — for the first time in nearly two years — no zero-days either exploited in the wild or publicly disclosed. Two unauthenticated, no-interaction Windows RCEs top the priority list for a Microsoft estate: CVE-2026-41089 (Netlogon, CVSS 9.8), which lets an attacker run code on a domain controller via a crafted network request, and CVE-2026-41096 (DNS Client, CVSS 9.8), triggerable by a malicious DNS response from an attacker able to influence name resolution. Also worth prioritizing: four Critical Microsoft Word RCEs (CVE-2026-40361/40364/40366/40367) and two Office RCEs (CVE-2026-40358/40363) that all list the Preview Pane as an attack vector, plus an authenticated SharePoint Server RCE (CVE-2026-40365). Watch endpoint and DC patch compliance in Defender Vulnerability Management — and note the new EPSS-weighted exposure score above should help you rank these against everything else already outstanding. (MSRC Security Update Guide)
This was a genuinely lighter week bracketed by RSAC 2026 and Microsoft Build (June 2–3), so the monthly Defender, Sentinel, and Entra roundups cluster in the surrounding weeks and the big platform announcements land on either side. The month's endpoint updates also carried a couple of smaller items worth a glance: scheduled antivirus scans for Defender for Endpoint on Linux entered preview (hourly/interval quick scans and weekly full scans, configurable via managed JSON, the portal, or the mdatp CLI), and the Defender endpoint security solution for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 reached GA via the Defender deployment tool — relevant only if you still carry that debt, but better than leaving those hosts dark. (Microsoft Learn)
Context for interns on where these features live: several of this week's items (Defender Chat, the hunting-graph scenarios, the Take action wizard) are Defender-portal experiences, part of the ongoing consolidation of Microsoft's security tooling into one console at security.microsoft.com. That migration has a hard edge worth remembering — Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface — so if you're learning the ropes now, learn them in the unified portal rather than the older Azure-portal blades. (Microsoft Learn)