{"id":15103,"date":"2026-02-24T09:02:02","date_gmt":"2026-02-24T00:02:02","guid":{"rendered":"https:\/\/m365jp.net\/?p=15103"},"modified":"2026-02-24T09:02:10","modified_gmt":"2026-02-24T00:02:10","slug":"mc1237728-advanced-hunting-new-actions-to-block-attachments-and-top-level-url-domains","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-02-24-mc1237728-advanced-hunting-new-actions-to-block-attachments-and-top-level-url-domains","title":{"rendered":"MC1237728 | Advanced Hunting: new actions to block attachments and top-level URL domains"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1237728 | Advanced Hunting: new actions to block attachments and top-level URL domains<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>02\/23\/2026 23:48:46<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>02\/23\/2026 23:48:43<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>05\/01\/2026 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p><b>[Introduction]<\/b><\/p>\n<p>We&#8217;re introducing two new remediation actions as part of the <b>Email<\/b> table in&nbsp;Advanced Hunting that help&nbsp;<b>security operations (SecOps)  <\/b>teams respond more quickly during investigations:<\/p>\n<ul>\n<li><b>Attachment block action<br \/>  <\/b><\/li>\n<li><b>Top-level URL domain block action<br \/>  <\/b><\/li>\n<\/ul>\n<p>These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.<\/p>\n<p>These actions will be available through <b>Take action<\/b> if the query returns all the required columns.<\/p>\n<p><b>[When this will happen:]<\/b><\/p>\n<p>General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out  <b>early 
March 2026<\/b> and expect to complete by <b>the end of March 2026<\/b>.<\/p>\n<p><b>[How this affects your organization:]<\/b><\/p>\n<p><b>Who is affected:<\/b><\/p>\n<ul>\n<li>Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365<\/li>\n<li>This feature is available to customers with <b>Microsoft Defender for Office 365 Plan 2<\/b> or <b>Microsoft 365 E5 licenses.<\/b><\/li>\n<\/ul>\n<p><b>What will happen:<\/b><\/p>\n<ul>\n<li>Security teams can block malicious email attachments directly from Advanced Hunting results.<\/li>\n<li>Security teams can block top-level URL domains associated with phishing or malicious campaigns.<\/li>\n<li>Remediation actions are available in the Advanced Hunting \u201cTake action\u201d wizard.<\/li>\n<li>The feature is <b>enabled by default<\/b>; no configuration changes are required.<\/li>\n<li>There is <b>no impact to user workflows<\/b> unless a security action is taken.<\/li>\n<\/ul>\n<p><b>Note:<\/b><\/p>\n<ul>\n<li>Attachment entries in the Tenant Allow\/Block List are supported only if the query results include the <b>Attachment<\/b> column by joining with the <b>EmailAttachmentInfo<\/b> table on <b>NetworkMessageId<\/b>.<\/li>\n<li><b>Submit to Microsoft<\/b> may be unavailable if required columns are missing.&nbsp;To resolve this issue, select <b>Show empty columns<\/b> before you select <b>Take actions<\/b>.<\/li>\n<\/ul>\n<p><b>What you can do to prepare:<\/b><\/p>\n<ul>\n<li>No action is required.<\/li>\n<li>Review security investigation and response procedures to include the new remediation options.<\/li>\n<li>Inform SecOps teams of the updated Advanced Hunting capabilities.<\/li>\n<\/ul>\n<p>Learn more: <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/advanced-hunting-take-action\" 
target=\"_blank\">  Take action on advanced hunting query results in Microsoft Defender XDR &#8211; Microsoft Defender XDR | Microsoft Learn<\/a>&nbsp;(documentation will be updated before rollout)<\/p>\n<ul>  <\/ul>\n<p><b>Compliance considerations:<\/b><\/p>\n<p>  <\/p>\n<p>No compliance considerations identified, review as appropriate for your organization.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1237728 | Advanced Hunting: new actions to block attachments and top-level URL domains Classification stayIn [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15103","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=15103"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15103\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=15103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=15103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=15103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}