Microsoft Defender for Office 365: Auto-remediation of malicious similarity clusters in AIR

Originally posted by Microsoft Dec 3, 2025 Uncategorized 0 Comments

Microsoft Defender for Office 365 expands AIR auto-remediation to malicious similarity clusters, automating approval of remediation actions without manual intervention. Rolling out worldwide mid to late December 2025, this feature reduces SOC workload and speeds threat response. It’s off by default and can be enabled in the Defender portal.

Introduction

We are expanding the auto-remediation capabilities in Automated Investigations and Response (AIR) to fully automate the remediation of malicious similarity clusters. Earlier this year, we introduced auto-remediation for malicious URL and file clusters. Building on that foundation, this enhancement enables AIR to automatically approve all pending remediation actions it generates—eliminating the need for manual intervention and streamlining the response process for SOC teams. This advancement significantly reduces response time and operational overhead, allowing security teams to focus on higher-priority threats.

This message is associated with Microsoft 365 Roadmap ID 502528.

When this will happen

General Availability (Worldwide): We will begin rolling out in mid-December 2025 and expect to complete by late December 2025.

How this will affect your organization

    Who is affected: Microsoft Defender for Office 365 Plan 2 and Microsoft Defender for Endpoint E5 customers.

    What will happen:

      • AIR will automatically approve all pending remediation actions for malicious similarity clusters.
      • This feature extends existing auto-remediation for URL and file clusters to include similarity clusters.
      • This feature is not enabled by default. Admins can turn it on in the Microsoft Defender portal by configuring MDO automation settings.
      • No manual intervention will be required for these remediation actions.

        Key benefits:

        • Increased post-delivery protection by identifying campaigns and removing malicious messages faster.
        • Reduced SOC workload by eliminating manual cleanup actions.

        What you need to do to prepare

        Learn more:

        No admin action is required before rollout.

        If you want to enable or verify this feature:

        • In the Defender portal (security.microsoft.com), go to Settings > Email & collaboration > MDO automation settings.
        • Select multiple similar attributes (similar files and similar URLs options were previously available and can also be selected).
        • Select Save to enable auto-remediation.

          • user settingsView image in new tab

        Compliance considerations

        No compliance considerations identified. Review as appropriate for your organization.

        Message ID: MC1191613

        Comments are closed.

        Joao Ferreira

        I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

        %d bloggers like this: