Microsoft Defender for Office 365: Auto-remediation of malicious similarity clusters in AIR

Microsoft Defender for Office 365 expands AIR auto-remediation to malicious similarity clusters, automating approval of remediation actions without manual intervention. Rolling out worldwide mid to late December 2025, this feature reduces SOC workload and speeds threat response. It’s off by default and can be enabled in the Defender portal. Introduction We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats. This message is associated with Microsoft 365 Roadmap ID 502528. When this will happen General Availability (Worldwide): We will begin rolling out in mid-December 2025 and expect to complete by late December 2025. How this will affect your organization Who is affected: Microsoft Defender for Office 365 Plan 2 and Microsoft Defender for Endpoint E5 customers. What will happen: AIR will automatically approve all pending remediation actions for malicious similarity clusters. This feature extends existing auto-remediation for URL and file clusters to include similarity clusters. This feature is not enabled by default. Admins can turn it on in the Microsoft Defender portal by configuring MDO automation settings. No manual intervention will be required for these remediation actions. Key benefits: Increased post-delivery protection by identifying campaigns and removing malicious messages faster. Reduced SOC workload by eliminating manual cleanup actions. What you need to do to prepare Learn more: No admin action is required before rollout. If you want to enable or verify this feature: In the Defender portal (security.microsoft.com), go to Settings > Email & collaboration > MDO automation settings. Select multiple similar attributes (similar files and similar URLs options were previously available and can also be selected). Select Save to enable auto-remediation. View image in new tab Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan […]

The post Microsoft Defender for Office 365: Auto-remediation of malicious similarity clusters in AIR appeared first on M365 Admin.