Microsoft Defender for Office 365: Auto-remediation of malicious similarity clusters in AIR

Microsoft Defender for Office 365 expands AIR auto-remediation to malicious similarity clusters, automating approval of remediation actions without manual intervention. Rolling out worldwide mid to late December 2025, this feature reduces SOC workload and speeds threat response. It’s off by default and can be enabled in the Defender portal.

Introduction

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

This message is associated with Microsoft 365 Roadmap ID 502528.

When this will happen

General Availability (Worldwide): We will begin rolling out in mid-December 2025 and expect to complete by late December 2025.

How this will affect your organization

Who is affected: Microsoft Defender for Office 365 Plan 2 and Microsoft Defender for Endpoint E5 customers.

What will happen:

• AIR will automatically approve all pending remediation actions for malicious similarity clusters.
• This feature extends existing auto-remediation for URL and file clusters to include similarity clusters.
• This feature is not enabled by default. Admins can turn it on in the Microsoft Defender portal by configuring MDO automation settings.
• No manual intervention will be required for these remediation actions.

Key benefits:

• Increased post-delivery protection by identifying campaigns and removing malicious messages faster.
• Reduced SOC workload by eliminating manual cleanup actions.

What you need to do to prepare

No admin action is required before rollout.

If you want to enable or verify this feature:

• In the Defender portal (security.microsoft.com), go to Settings > Email & collaboration > MDO automation settings.
• Select multiple similar attributes (similar files and similar URLs options were previously available and can also be selected).
• Select Save to enable auto-remediation.

Learn more:

• Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn
  
• Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn
  
• Automated remediation in Automated investigation and response (AIR) | Microsoft Learn
• Details and results of automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn
  

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.