THE PROMPT for Microsoft Security - Issue #77
Layoffs hit harder than a Sentinel alert... but Maester's got our backs
Things from Me
Happy Friday everyone!
As you’re probably wondering, yes, things have been crazy this last week. The retirement buyouts at Microsoft were followed by layoff week - again. Layoffs at Microsoft are a regular thing and has become (sadly) the rhythm of business. I’ll have more to say about this next week. Suffice to say, personally I lost a lot of great colleagues and friends, and it will take a bit of time to put those feelings into coherent words.
…
There is some exciting news this week, though. I’m excited to amplify some big news from my friend and colleague Merill Fernando!
I’ve long admired Merill’s work in the Microsoft security community — especially his relentless focus on making tenant security practical, automated, and accessible for everyone. So when he shared why he’s stepping away from Microsoft to go full-time on Maester, it made perfect sense.
Why did Merill leave Microsoft?
To work full-time on Maester.
Over 40,000+ tenants already rely on Maester every day to monitor and validate their Microsoft 365 security posture. As the Microsoft 365 and security landscapes continue to evolve rapidly, Merill wanted to ensure the tests stay relevant, comprehensive, and community-driven.
This week he launched Maester.Cloud — the perfect portal companion to the open-source Maester framework.
What is Maester.Cloud?
Track results over time with multi-year history, drift detection, and change alerts.
Multi-tenant support — ideal for enterprises and MSPs.
Runs in your cloud (self-hosted option) or theirs.
Delivers durable evidence for audits, compliance, and continuous security improvement.
Check out the full feature set at maester.cloud.
Even more important: Maester Cloud is how Merill funds the ongoing development of the open-source Maester core and its tests. This keeps the framework free, community-owned, and growing for everyone.
He collaborated with the core team — Fabian Bader, Thomas Naunheim, Mike Soule, and Sam Erde — to publish the Maester Manifesto (highly recommended read: maester.cloud/manifesto). It’s a clear promise to keep security testing open, reusable, and available to all.
If your organization values Maester and wants to help ensure it stays healthy and continues evolving, I’d encourage you to consider becoming a sponsor or Founding Supporter. Every bit helps keep the core open and free while powering innovation around it.
And please — share this announcement with your network. Tools like Maester make all of us in the Microsoft ecosystem stronger.
Huge congrats, Merill! This is a bold and impactful move. The community wins big from your full-time focus.
…
That’s it from me for this week. On to the newsletter…
-Rod
Recent layoffs have left a lot of strong professionals in limbo.
That’s why we built Sponsor a Seeker — a simple way for the community to lift each other up.
For just $29, you can gift a full 3-month Job-Hunt Pass packed with:
• Unlimited resume & job description scans
• AI-powered rewrites that actually beat ATS systems
• Professional cover letter generation
Every dollar goes directly to the seeker.
You can:
→ Sponsor someone like Alex M. (recently laid off front-end engineer)
→ Or request sponsorship for yourself
Either way, you’re helping keep momentum alive in a tough market.
👉 Take action here: pastthebots.com/sponsor
Let’s turn “I was laid off” into “Someone had my back.”
Thank you for being part of this community.
News Things
Microsoft Details How It’s Using AI to Improve Windows Security - Microsoft announced two years ago that it was making security its “top priority,” and the company has been increasing its use of AI to find vulnerabilities earlier. Pavan Davuluri, EVP, Windows + Devices at Microsoft, penned a blog post today to detail the company’s latest efforts to keep Windows users protected against attackers.
Things that are Related
Zero Trust security for AI agents - Extend Conditional Access in Microsoft Entra to evaluate every agent authorization request in real time against the same risk signals as human users. Assign each agent its own managed identity with Entra Agent ID and scope permissions with Access Packages. Govern your MCP catalog as a software supply chain — unapproved tools don’t run, and approved servers lock behind Azure API Management.
Mitigating Microsoft 365 Copilot access risk: Identity and device controls for Zero Trust - Moving from mapping risk to reducing it, this post walks through how to mitigate the six Layer 1 identity and device risks (R1–R6) that determine who can access Microsoft 365 Copilot.
Protecting Microsoft at AI speed: How SFI proactively hardens our cloud - At Microsoft we encompass these security requirements, along with threat knowledge and operational frameworks in our Secure Future Initiative (SFI), to guide what a well-defended cloud service looks like. But defining the requirements is only the start. Meeting them means continuously evaluating our live services against them, at AI speed.
Things to Watch/Listen To
Microsoft Sentinel Things
Sentinel-As-Code 26.07: From Markdown to the Boardroom - Sentinel-As-Code 26.07 renders the Documenter's daily Markdown inventory into a styled Word (.docx) report: numbered table of contents, colour-coded severity tables, and 42 gap-analysis rules across MITRE ATT&CK, cost, and hygiene. Here's what's in it, and what the same day's other pushes mean.
Sentinel GA Releases
Manual Logic App Playbooks Trigger for Entities (Devices & Identities) - SOC analysts can now run Logic App playbooks manually directly from the Device and Identity entity pages, from both the side panel and the main entity page. Same experience as on the Incident page. This closes another Ibiza sunset blocker.
Cross Tenants Sentinel Logic App Playbooks Support in MTO - A new capability that lets Managed Security Service Providers (MSSPs) run Logic App playbooks across managed customer tenants directly from the Multi-Tenant Organization (MTO) view in the Defender portal.
MSSP SOC analysts can now trigger playbooks from one tenant on incidents in another tenant, both manually and through automation rules, while preserving full IP protection so customers do not have access to the MSSP’s playbooks.
What’s new:
Cross-tenant playbook selection from the MSSP tenant or the customer tenant. Customers get the flexibility to use standardized MSSP playbooks or customer-specific ones.
Manual playbook trigger from MTO view: Select a Logic App playbook and run it on a customer incident directly from the MTO view. No tenant switching required.
Automation rules with cross-tenant playbooks: Automation rules in MTO can now auto-trigger Logic App playbooks when incidents match the defined conditions across managed customers.
Defender XDR Things
Microsoft Defender now integrates with Dragos, Forescout, & Armis for OT Security - To support customers in bringing their OT security solutions into their Security Operation (SOC) platform, we’re excited to announce an expansion of the Microsoft ecosystem with new OT security integrations from Dragos, Forescout, and Armis. This gives customers greater flexibility to use the OT security solutions that best fit their environments.
Defender for Office Things
Defending the Inbox Against Prompt Injection Attacks - Today, we’re announcing a new capability in Microsoft Defender that addresses this. Microsoft Defender can now detect and isolate malicious AI instructions embedded in email, commonly referred to as prompt injection, before delivery. This reduces the risk of prompt injection reaching the inbox and activating against AI systems. By detecting these threats, organizations are better protected from prompt injection-driven compromise and unintended data exposure.
Defender Threat Intelligence Things
GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware - In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage.




