MC1237728: Advanced Hunting: new actions to block attachments and top-level URL domains

Summary

  • Two new remediation actions for email are being added to Advanced Hunting: attachment block action and top-level URL domain block action.
  • Security teams can directly block malicious email attachments and top-level URL domains within Advanced Hunting results.
  • Remediation actions will be available through the “Take action” feature, enabled by default without requiring configuration changes.
  • Applicable to security operations teams using Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses.
  • No impact on user workflows unless a security action is taken.

Admin Impact: Medium
User Impact: Low
Release Start: 01 Mar 2026
Release End: 31 Mar 2026
Services: Defender XDR
Category: Stay informed
Tags: Feature Update, Admin Action

History

2/23/2026 Item Added to Message Center

Microsoft Message

Introduction

We’re introducing two new remediation actions as part of the Email table in Advanced Hunting that help security operations (SecOps) teams respond more quickly during investigations:

  • Attachment block action
  • Top-level URL domain block action

These actions let SecOps teams move directly from detection to mitigation within the same workflow, reducing response time and operational friction when addressing malicious campaigns.

These actions will be available through Take action if the query returns all the required columns.

When this will happen

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early March 2026 and expect to complete by the end of March 2026.

How this affects your organization

Who is affected:

  • Security operations teams and administrators using Advanced Hunting in Microsoft Defender for Office 365
  • This feature is available to customers with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses.

What will happen:

  • Security teams can block malicious email attachments directly from Advanced Hunting results.
  • Security teams can block top-level URL domains associated with phishing or malicious campaigns.
  • Remediation actions are available in the Advanced Hunting “Take action” wizard.
  • The feature is enabled by default; no configuration changes are required.
  • There is no impact to user workflows unless a security action is taken.

Note:

  • Attachment entries in the Tenant Allow/Block List are supported only if the query results include the Attachment column by joining with the EmailAttachmentInfo table on NetworkMessageId.
  • Submit to Microsoft may be unavailable if required columns are missing. To resolve this issue, select Show empty columns before you select Take actions.
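
The join described in the first note above, as an added example that is not part of Microsoft's message: a KQL query that pairs each flagged email with its attachment rows from EmailAttachmentInfo on NetworkMessageId. The 7-day lookback and the threat-type filter are illustrative assumptions, and because the message does not list the exact columns the wizard requires, the projected column set is also an assumption.

```kusto
// Added example: attach file details to each email hit so the result set
// carries attachment data next to NetworkMessageId.
// Assumptions: lookback window, threat filter and projected columns are illustrative.
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has_any ("Phish", "Malware")
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    // EmailAttachmentInfo holds one row per recipient and attachment;
    // distinct avoids multiplying rows when joining on NetworkMessageId only.
    | distinct NetworkMessageId, FileName, FileType, SHA256
  ) on NetworkMessageId
// Keep the message identifiers and recipient alongside the attachment fields.
| project Timestamp, NetworkMessageId, ReportId, RecipientEmailAddress,
          SenderFromAddress, Subject, FileName, FileType, SHA256
```

A message with several attachments returns one row per attachment, so review the selected rows before choosing a block action.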

What you can do to prepare

  • No action is required.
  • Review security investigation and response procedures to include the new remediation options.
  • Inform SecOps teams of the updated Advanced Hunting capabilities.

Learn more: Take action on advanced hunting query results in Microsoft Defender XDR – Microsoft Defender XDR | Microsoft Learn (documentation will be updated before rollout)

Compliance considerations

No compliance considerations identified; review as appropriate for your organization.