THE PROMPT for Microsoft Security - Issue #59
Roadmaps, Release Notes, and a Gentle Reminder to Call Your Mom
Things from Me
Happy Friday everyone!
Welcome to this edition of the newsletter. Here you’ll find the usual mix of updates, highlights, and stories. From what we’ve been building together, to what’s coming next, to the voices and moments that continue to shape the Microsoft security community. It’s a snapshot of progress, momentum, and collaboration, and I hope something here sparks an idea, a smile, or a useful takeaway for you.
Before diving in, I wanted to add a brief personal note.
The past few weeks have come with some unexpected and difficult moments involving both my mom and my step‑mom. Nothing dramatic, but enough of a reminder that watching parents get older is… hard. It has a way of quietly rearranging your priorities and forcing you to slow down, reflect, and sit with things you may have been putting off.
It’s made me think a lot about unresolved conversations, about showing up even when life is busy, and about how intentional we have to be with the people we love. The work will always be there. The inbox will refill. But moments and memories don’t wait and they’re worth protecting.
So, as you read through this newsletter, my hope is twofold: that you stay connected to the great work happening here, and that it also serves as a gentle nudge to keep your own circle close. Take the time when you can. Build the memories. Say the things that matter.
Thanks, as always, for being part of this journey—and for the grace, kindness, and humanity that make this community what it is.
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
How Microsoft builds privacy and security to work hand-in-hand - For decades, Microsoft has consistently prioritized earning and maintaining the trust of the people and organizations that rely on its technologies. The 2025 Axios Harris Poll 100 ranked Microsoft as one of the top three most trusted brands in the United States. At Microsoft, we believe one of the best ways we can build trust is through our long-established core values of respect, accountability, and integrity. We also instill confidence in our approach to regulations by demonstrating rigorous internal compliance discipline—such as regular audits, cross-functional reviews, and executive oversight—that mirrors the reliability we extend to customers externally.
Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations - Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using the service to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure that offer a higher potential for financial gain. In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.
Introducing the Automated Web Vulnerability Auditor (AWVA): A Simple Tool for Basic Web Security Scanning - I’m excited to talk about a little project called the Automated Web Vulnerability Auditor (AWVA). It’s a straightforward Python-based app built with Streamlit that performs basic passive scans on websites to identify common security issues. But it doesn’t stop there—it integrates with the xAI Grok API to provide remediation steps and up-to-date threat intelligence. Think of it as a quick-and-dirty auditor for spotting potential vulnerabilities without getting too invasive.
Introducing My Deepfake Detection Tool: Spotting AI-Generated Fakes with Grok Vision - From viral videos of celebrities saying things they never said to manipulated images used in scams or political propaganda, the need for accessible tools to detect these fakes has never been greater. That’s why I built the Deepfake Detection Tool – a simple, powerful web app powered by Streamlit and xAI’s Grok Vision API. This tool lets anyone upload an image or video (or paste a URL) and get an AI-assisted analysis on whether it might be a deepfake.
Navigating the Risks of AI Agents: Best Practices for Mitigation and Safety - As we step into 2026, with AI agents becoming more integrated into daily operations, it’s crucial to prioritize risk mitigation. This blog post explores the key risks associated with AI agents and outlines best practices for managing them, drawing on insights from industry experts and frameworks to help you build safer, more reliable systems.
Build Your Phishing Defense Skills with This AI-Powered Simulator - This open-source Streamlit app, powered by xAI’s Grok models, simulates realistic phishing scenarios to train users in spotting malicious emails. Whether you’re an individual sharpening your skills or a team enhancing security awareness, PhishSim turns learning into an engaging game.
Things to Watch/Listen To
Things to Have
Security Detections MCP - An MCP (Model Context Protocol) server that lets LLMs query a unified database of Sigma, Splunk ESCU, Elastic, and KQL security detection rules.
Security Copilot Things
Build Custom Copilot Agents in Seconds: Meet CreateAgentYAML.py – A Hidden Gem for Microsoft 365 Copilot Fans - If you’re deep in the Microsoft 365 Copilot ecosystem (or the new “Agent” wave with Copilot Studio), you know one of the biggest pain points: creating the agent manifest YAML file by hand.
Microsoft Sentinel Things
KQL Toolbox #3: Which Event ID Noises Up Your Logs (and Who’s Causing It)? - This week, we’re building directly on that foundation… Because once you know which log sources and which Event IDs are the most expensive, the very next question becomes: “Okay… but which Event ID fires the most often, and which accounts are responsible for generating it?”
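As an added illustration (this is not code from the KQL Toolbox post), the question in that blurb can be answered with a single Sentinel query. It assumes the Windows Security Events connector is in use, so that the SecurityEvent table with its EventID and Account columns is populated; the seven-day window and the top-10 / top-5 limits are arbitrary choices.

```kql
// Added example, not from the KQL Toolbox post.
// Assumes the SecurityEvent table (Windows Security Events connector).
// Step 1: the 10 Event IDs that fire most often in the last 7 days.
// Step 2: for each of those, the 5 accounts generating the most of them.
SecurityEvent
| where TimeGenerated > ago(7d)
| top-nested 10 of EventID by EventCount = count(),
  top-nested 5 of Account by AccountCount = count()
| extend AccountShare = round(100.0 * AccountCount / EventCount, 1)  // % of that Event ID caused by this account
| project EventID, EventCount, Account, AccountCount, AccountShare
| order by EventCount desc, AccountCount desc
```

The top-nested operator does the two-level grouping in one pass, which is cheaper than a self-join on a large table. A high AccountShare for a single service or machine account usually points at a noisy source that can be filtered at the data collection rule rather than a detection gap; a noisy Event ID spread evenly across many accounts is more likely a candidate for a sampling or summarization rule.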
Turn Complexity into Clarity: Introducing the New UEBA Behaviors Layer in Microsoft Sentinel - Today, we're thrilled to announce the release of the UEBA Behaviors layer - a breakthrough AI-based UEBA capability in Microsoft Sentinel that fundamentally changes how SOC teams understand and respond to security events.
ConsentFix: Securing Your Tenant Against OAuth Authorisation Code Theft - There's a new OAuth attack making the rounds that's caught the attention of security professionals. ConsentFix (sometimes called AuthCodeFix) exploits a design quirk in how Microsoft first-party applications handle OAuth flows, and it's very effective. There is a straightforward mitigation that takes about five minutes to implement using PowerShell.
Important Update for Microsoft Sentinel Users: Deprecation of Alert-Triggered Playbooks in Analytics Rules - If you’re managing security operations with Microsoft Sentinel, you’ve likely received a notification about an upcoming change to how playbooks are triggered by analytics rules. Microsoft has announced the deprecation of the classic method for assigning alert-triggered playbooks directly within analytics rules. This change takes effect on March 15, 2026, and it’s time to prepare your environment to avoid disruptions.
Defender for Cloud Things
Microsoft Security Private Link (Preview) - Microsoft Defender for Cloud is announcing Microsoft Security Private Link in Preview. Microsoft Security Private Link enables private connectivity between Defender for Cloud and your workloads. The connection is established by creating private endpoints in your virtual network, allowing Defender for Cloud traffic to remain on the Microsoft backbone network and avoid exposure to the public internet.
Microsoft Purview Things
Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms - As organizations rapidly embrace generative and agentic AI, ensuring robust, unified governance has never been more critical. That’s why Microsoft is honored to be named a Leader in the 2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment #US53514825, December 2025). We believe this recognition highlights our commitment to making AI innovation safe, responsible, and enterprise-ready—so you can move fast without compromising trust or compliance.
Microsoft Purview Data Security Investigations (DSI) is now generally available! https://learn.microsoft.com/en-us/purview/data-security-investigations
Defender for Office Things
Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response - With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender.
Change to auto-remediation in Defender for Office - If you’ve been following the evolution of Automated Investigation and Response (AIR), you know the feature has been steadily moving toward a world where the SOC spends less time clicking “approve” and more time hunting real threats. This latest update is another big step forward.