
Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities


Microsoft Defender for Cloud Apps will expand its dynamic threat detection model in November 2025, replacing legacy policies with more accurate, research-driven detections. This update improves threat detection accuracy and responsiveness, requires no admin action before rollout, and includes new detections enabled by default.

To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks. This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

How this affects your organization:

Who is affected: Organizations using Microsoft Defender for Cloud Apps, including tenants in Worldwide, GCC, GCC High, and DoD environments.

What will happen: The dynamic model will be expanded to include additional research-driven detections. These detections are continuously updated by Microsoft security researchers to reflect the evolving threat landscape. Detections may be added, removed, or modified dynamically to ensure optimal protection. These are research-driven and enabled by default, requiring no manual configuration.

The second batch of legacy policies being migrated includes:

- “Unusual ISP for an OAuth App”
- “Suspicious file access activity (by user)”

These will be replaced with the following detections:

Replacing “Unusual ISP for an OAuth App”:
- “OAuth application activity from an unknown ISP (Preview)”

Replacing “Suspicious file access activity (by user)”:
- “Suspicious file access from untrusted ISP and user agent with malicious IP indicator (Preview)”
- “Suspicious file access indicative of lateral movement (Preview)”

Adding new detection:
- “Activity from a password-spray associated IP address (Preview)”

These new detections are already available to you in Preview; the “(Preview)” suffix will be removed once legacy policies are disabled. Governance actions configured on legacy policies will be disabled. Admins can […]

The post Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities appeared first on M365 Admin.


by João Ferreira
