THE PROMPT for Microsoft Security - Issue #72
AI is writing your malware, Entra is losing your config, and Purview is judging your life choices.
Things from Me
Happy Friday, people! (…and AI Agent summarizers)
Welcome back to THE PROMPT for Microsoft Security!
It’s been a busy week in the Microsoft Security space, and this issue is packed with the good stuff. We’ve got a deep dive into tenant governance with Microsoft Entra, a look at how attackers are now using AI chatbots to spread cryptojacking malware (yes, really), and some solid quality-of-life improvements for Purview administrators. If you manage multi-tenant environments, you’re going to want to bookmark a few of the links in this one.
As always, I’ve curated the most relevant and actionable content I could find — so grab your coffee, settle in, and let’s get into it.
-Rod
Things to Watch/Listen To
Things in Techcommunity
Microsoft Security Community Spotlight: Marcel Graewer - Meet Marcel Graewer, a Microsoft customer and community leader who engages Microsoft Security users and fans around the world, from young students to seasoned practitioners.
Things that are Related
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor - Ransomware that combines robust encryption with rapid lateral movement significantly increases the risk and impact of an attack. The Gentlemen ransomware is a ransomware-as-a-service (RaaS) threat distinguished by pairing strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.
SOC for AI — 01: Your SOC Was Built for a War That Already Ended - A SOC for AI is not a traditional SOC with an AI chatbot bolted on. It is a detection and response capability redesigned from first principles around three realities: attackers operate at machine speed, AI systems are both weapons and attack surfaces, and most modern threats leave no malware signature.
Things from Partners
Partner Case Study | Quorum Cyber - Used Microsoft Sentinel to deliver a unified platform, greater visibility, and 24/7 threat response for election data nonprofit Data Trust.
Defender XDR Things
Organize your multitenant view with Tenant Groups in Microsoft Defender - Managing security across many tenants shouldn’t mean drowning in a single, flat list. We’re excited to share a new capability, now in public preview in the Microsoft Defender multitenant (MTO) portal: Tenant Groups—a flexible way to organize the tenants you manage and switch your view between them with a single click.
Defender Experts Things
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities - Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations.
Microsoft Purview Things
Purview / IRM / eDiscovery gap-filler pack for Microsoft Sentinel (v2.2) - ARM template that deploys 14 scheduled analytic rules targeting detection gaps not covered by native Microsoft Purview DLP, IRM Adaptive Protection, MDA built-in policies, Activity Explorer, Compliance dashboards, or Sentinel UEBA / Fusion.
Finally: More Clarity for Microsoft Purview Roles - Julian Kusenberg IT Beratung - Microsoft is expanding the Role Groups page in the Purview Compliance Portal with additional lookup views. Administrators will be able to trace and review permissions much more easily.
Defender Vulnerability Management
How to exclude specific CVEs with CVE exceptions in Microsoft Defender Vulnerability Management - A security recommendation can include many CVEs. If only one CVE is out of scope, excluding the full recommendation can hide vulnerabilities that still matter in your environment. CVE exceptions help you make a narrower decision: exclude one specific CVE for a defined scope and duration, while keeping the rest of the recommendation active.
Microsoft Entra Things
Find shadow tenants and reduce risk fast with Microsoft Entra Tenant Governance - Get continuous visibility into related tenants and the signals behind them—so you can reduce blind spots before they turn into incidents.