Microsoft has rolled out enhanced remediation capabilities in Defender for Office 365 (O365), enabling security teams to initiate automated investigations and other actions directly from the Advanced Hunting interface.
This feature, launched on November 10, 2025, empowers admins and analysts to respond to email threats more swiftly without requiring policy modifications.
The new actions, Submit to Microsoft, Add entries to the Tenant Allow/Block List, and Initiate Automated Investigation, were previously limited to the Threat Explorer tool but are now integrated into Advanced Hunting.
This allows for programmatic threat hunting using custom Kusto Query Language (KQL) queries, streamlining workflows for security operations centers (SOCs).
By bringing these tools together, Microsoft addresses customer feedback, reducing the time needed to triage and remediate malicious emails.
Microsoft Defender for O365
Advanced Hunting, part of Microsoft Defender XDR, already provides deep visibility into cross-domain threats across email, endpoints, and identities. With this update, users can select query results and trigger responses contextually based on message delivery status, such as purging from inboxes or quarantines.
For bulk selections exceeding 100 messages, options like email purge and proposed remediations remain available, ensuring scalability for large-scale incidents. Threat Explorer continues to operate independently, providing complementary views of real-time detections.

This rollout affects admins and security analysts leveraging Microsoft Defender XDR, with actions enabled by default across worldwide tenants.
The actions cannot be removed from the user interface, but existing administrative policies, including role-based access control (RBAC), are fully respected to maintain compliance. Organizations can scope access via the Microsoft 365 Defender portal under Settings > Permissions > Roles, preventing unauthorized use.
To prepare, teams should audit current hunting queries and integrate the new actions into playbooks for automated responses. Communicating these changes to SOC stakeholders and providing targeted training will minimize disruptions.
For instance, updating documentation on initiating automated investigations can accelerate adoption, especially in environments handling high volumes of phishing or malware-laden emails.
The enhancement aligns with broader trends in automated investigation and response (AIR) in Defender for O365 Plan 2, where remediation clusters around malicious files or URLs for faster threat neutralization.
By default, AIR actions require approval, but configurations for auto-remediation on message clusters can further reduce manual overhead, though clusters over 10,000 items prompt reviews. In Advanced Hunting schemas like EmailPostDeliveryEvents, auto-remediated items appear with ActionType “Automated Remediation” and ActionTrigger “Automation,” aiding forensic analysis.
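As an added example (not from the article or from Microsoft's documentation), the following KQL query shows how an analyst might audit what AIR remediated automatically, using the ActionType and ActionTrigger values named above. It assumes the documented column names of the EmailPostDeliveryEvents and EmailEvents schemas (NetworkMessageId, RecipientEmailAddress, Action, ActionResult, DeliveryLocation, SenderFromAddress, Subject, ThreatTypes, DeliveryAction); the seven-day window is an arbitrary choice.

```kql
// Added example: review messages that AIR remediated automatically in the
// last 7 days and join back to EmailEvents for sender, subject and verdict,
// so each automated action can be verified during forensic review.
// Assumes the documented Defender XDR schema columns; the window is arbitrary.
let lookback = 7d;
let auto_remediated =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "Automated Remediation"
    | where ActionTrigger == "Automation"
    | project RemediationTime = Timestamp,
              NetworkMessageId,
              RecipientEmailAddress,
              RemediationAction = Action,
              ActionResult,
              PostDeliveryLocation = DeliveryLocation;
EmailEvents
| where Timestamp > ago(lookback)
// join keys identify one message instance per recipient
| join kind=inner auto_remediated on NetworkMessageId, RecipientEmailAddress
| project RemediationTime,
          DeliveredAt = Timestamp,
          NetworkMessageId,
          RecipientEmailAddress,
          SenderFromAddress,
          Subject,
          ThreatTypes,
          OriginalDeliveryAction = DeliveryAction,
          OriginalDeliveryLocation = DeliveryLocation,
          RemediationAction,
          ActionResult,
          PostDeliveryLocation
| sort by RemediationTime desc
```

The ActionResult column shows whether each automated action succeeded, so filtering on it is a quick way to surface remediations that need manual follow-up; selecting rows from the result grid is also where the new Advanced Hunting actions described above become available.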
This update maintains proactive defense in an era of sophisticated email-based attacks, such as ransomware and business email compromise.