Week 28 · 5 min read
July 6 – July 13, 2026
What changed
Microsoft Defender for Endpoint expanded its AI agent runtime protection, the endpoint capability that inspects an agent's loop — user prompts, tool calls, and tool responses — and can block risky activity such as prompt injection before it executes. Vendor-supported agent event interfaces now work over the standard platform and engine update channels, so the Beta channel configuration the preview required is no longer needed, and agent-native event inspection now covers Codex CLI and the GitHub Copilot app. For agents that don't expose a vendor-supported event interface, Defender now falls back to network inspection, including for OpenClaw and similar Node.js-based Claw agents. As coding agents and local runtimes do more real work on endpoints, this widens the set of agents a SOC can actually see and gate at runtime. (Microsoft Learn)
Microsoft Defender for Office 365 began detecting prompt injection attacks hidden in inbound email. As mailboxes increasingly feed AI assistants and agents that summarize or act on messages, an attacker can plant instructions in a message body meant to hijack that downstream model rather than the human reading it. Surfacing this as a detection in the mail flow gives the SOC a signal for a threat class that ordinary phishing and malware rules don't cover, and it lands the same week Defender for Endpoint widened its own agent-loop inspection. (Microsoft Learn)
The Domain investigation page in Microsoft Defender for Identity reached general availability. It gives analysts a single view of an Active Directory domain's security posture — domain properties, deployment health, an identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships — so triaging a domain-scoped incident no longer means stitching that context together from separate tools. For identity-tier investigations, having the trust and privileged-account picture on one page shortens the path from alert to blast radius. (Microsoft Learn)
Microsoft Entra Agent ID's governance capabilities reached general availability, extending the identity controls that already apply to users and workloads to AI agent identities. Agents now get adaptive access policies, real-time risk detection, lifecycle management, and network-level controls, and Entitlement Management access packages govern how an agent's access is requested, approved, scoped, reviewed, and expired — the same request-and-review machinery a SOC already relies on for human accounts. As agents accumulate standing access to mailboxes, files, and Graph, treating them as first-class governed identities means an over-permissioned or orphaned agent surfaces in access reviews and risk signals instead of living as an unmanaged secret. The capabilities are surfaced as part of Microsoft Agent 365. (Microsoft Entra Blog)
Microsoft Defender opened public-preview integrations with Dragos, Forescout, and Armis, letting a SOC pull OT and IoT security signals from whichever of those platforms it already runs into the unified Defender portal. Asset inventory, vulnerabilities, and alerts from the partner platform flow into Defender and are correlated automatically with the identity, endpoint, and cloud signals already there, so OT assets surface alongside IT in the same incident queue rather than in a bolt-on console. Teams keep their partner's deep OT expertise while gaining enterprise-wide correlation, and the integrations are enabled from the Defender portal. For a SOC that has historically triaged plant-floor alerts in a separate tool, this puts cross-domain intrusions — IT foothold to OT impact — into one investigation view. (Microsoft Defender XDR Blog)
Worth knowing
Microsoft Threat Intelligence published a teardown of GigaWiper, a Golang backdoor that stitches command-and-control together with several destructive payloads — a standalone disk wiper, fake ransomware that encrypts files with throwaway random keys so nothing can be recovered, and logic lifted from the Crucio ransomware and FlockWiper families. Microsoft attributes it to the same developer behind Crucio and FlockWiper; Google Threat Intelligence Group and Binary Defense track the malware as BLUERABBIT, with activity seen in compromised, wiped environments since October 2025. Defender Antivirus flags samples as Giga, Wiper, and FlockWiper, and Defender for Endpoint raises WprFlock, WprCree, and GigaWiper detections alongside ransomware-behavior alerts. Microsoft's guidance is the standard destructive-attack posture: turn on tamper protection tenant-wide, run cloud-delivered protection and EDR in block mode, enable automated investigation and remediation, and block the listed C2 at 185.182.193[.]21 and 212.8.248[.]104. (Microsoft Security Blog)
Microsoft's July Secure Future Initiative progress report is mostly about Microsoft's own posture, but two threads are worth a SOC's attention. First, the AI-versus-AI trajectory: Microsoft says a new multi-agent system now finds composite vulnerabilities spanning code, identity, network, and runtime configuration with more than 90% of findings confirmed, echoing the same week's deep dive on how it hardens its cloud at machine speed — a preview of the tooling defenders and attackers alike are adopting. Second, the post-quantum clock: Microsoft accelerated its Quantum Safe Program to target post-quantum cryptography in critical products and services by 2029, with ML-KEM and ML-DSA now available across major platforms, and it advises organizations to start inventorying cryptographic dependencies now. The report also notes phishing-resistant MFA now covers 99.97% of its user/device pairs. (Microsoft Security Blog)
Microsoft published a build pattern for a portable, autonomous malware investigation agent — a single user-invocable workflow that carries an incident from Investigate to Decide to Act, retrieving incident structure, alert context, and timelines from Sentinel in the unified Defender portal, correlating the evidence, reaching a verdict, and, where warranted, taking a response action. It runs on the Microsoft Sentinel MCP server's Triage and Data Lake exploration tools plus Defender for Endpoint device hunting tables, with API permissions scoping any action it takes. Because it is defined as a portable agent, the same logic, standardized outputs, and automation boundaries move across environments instead of being rebuilt per tenant. It is a walkthrough rather than a shipped SKU, but it is a concrete, bounded on-ramp to the agentic-SOC tooling Microsoft keeps steering investigation workflows toward — worth a look if your team is scoping where autonomous triage fits alongside analysts. (Microsoft Sentinel Blog)