Advanced Hunting: new actions to block attachments and top-level URL domains

Message ID: MC1237728
Service: Microsoft Defender XDR
Category: Stay Informed
Tags: Feature update, Admin impact
Rollout: March 2026

Summary

New Advanced Hunting actions in Microsoft Defender for Office 365 allow SecOps teams to block malicious email attachments and top-level URL domains directly from query results, enabling faster response. The actions are available from March 2026 for Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 users, and are enabled by default with no user impact.

Details

[Introduction]

We're introducing two new remediation actions as part of the Email table in Advanced Hunting that help security operations (SecOps) teams respond more quickly during investigations:

  • Attachment block action
  • Top-level URL domain block action

These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.

These actions will be available through Take action if the query returns all the required columns.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early March 2026 and expect to complete by the end of March 2026.

[How this affects your organization:]

Who is affected:

  • Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365
  • This feature is available to customers with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses.

What will happen:

  • Security teams can block malicious email attachments directly from Advanced Hunting results.
  • Security teams can block top-level URL domains associated with phishing or malicious campaigns.
  • Remediation actions are available in the Advanced Hunting “Take action” wizard.
  • The feature is enabled by default; no configuration changes are required.
  • There is no impact to user workflows unless a security action is taken.

Note:

  • Attachment entries in the Tenant Allow/Block List are supported only if the query results include the Attachment column by joining with the EmailAttachmentInfo table on NetworkMessageId.
  • Submit to Microsoft may be unavailable if required columns are missing. To resolve this issue, select Show empty columns before you select Take actions.

What you can do to prepare:

  • No action is required.
  • Review security investigation and response procedures to include the new remediation options.
  • Inform SecOps teams of the updated Advanced Hunting capabilities.

Learn more: Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn (documentation will be updated before rollout)

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.
