MC1191613: Auto-remediation of malicious similarity clusters in AIR

Summary

  • Auto-remediation capabilities in Automated Investigations and Response (AIR) will now include malicious similarity clusters, streamlining the response process.
  • Microsoft Defender for Office 365 Plan 2 and Microsoft Defender for Endpoint E5 customers will benefit from faster threat remediation without manual intervention.
  • Admins must enable this feature in the Microsoft Defender portal; it is not enabled by default.
  • Increased protection against malicious messages and reduced workload for security operations center (SOC) teams are key benefits.

Admin Impact: Medium
User Impact: Low
Release Start: 15 Dec 2025
Release End: 31 Dec 2025
Services: Defender XDR
Category: Stay informed
Tags: New Feature, User Adoption, Admin Action

History

12/3/2025 Item Added to Message Center

Microsoft Message

Introduction

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

This message is associated with Microsoft 365 Roadmap ID 502528.

When this will happen

General Availability (Worldwide): We will begin rolling out in mid-December 2025 and expect to complete by late December 2025.

How this will affect your organization

Who is affected: Microsoft Defender for Office 365 Plan 2 and Microsoft Defender for Endpoint E5 customers.

What will happen:

  • AIR will automatically approve all pending remediation actions for malicious similarity clusters.
  • This feature extends existing auto-remediation for URL and file clusters to include similarity clusters.
  • This feature is not enabled by default. Admins can turn it on in the Microsoft Defender portal by configuring MDO automation settings.
  • No manual intervention will be required for these remediation actions.

Key benefits:

  • Increased post-delivery protection by identifying campaigns and removing malicious messages faster.
  • Reduced SOC workload by eliminating manual cleanup actions.

What you need to do to prepare

No admin action is required before rollout.

If you want to enable or verify this feature:

  1. In the Defender portal (security.microsoft.com), go to Settings > Email & collaboration > MDO automation settings.
  2. Select the Multiple similar attributes option (the Similar files and Similar URLs options were previously available and can also be selected).
  3. Select Save to enable auto-remediation.

Learn more

  • Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn
  • Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn
  • Automated remediation in Automated investigation and response (AIR) | Microsoft Learn
  • Details and results of automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 | Microsoft Learn

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.