M365 Message Centerby Cengiz YILMAZ
© 2026 M365 Message Center. Created with ❤️ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

Plan for Change

Message ID

MC1169078

Services

Microsoft Defender XDR

Summary

Microsoft Defender for Cloud Apps will expand its dynamic threat detection model in November 2025, replacing legacy policies with more accurate, research-driven detections. This update improves threat detection accuracy and responsiveness, requires no admin action before rollout, and includes new detections enabled by default.

Details

Introduction:

To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks.

This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

How this affects your organization:

Who is affected:

Organizations using Microsoft Defender for Cloud Apps, including tenants in Worldwide, GCC, GCC High, and DoD environments.

What will happen:

  • The dynamic model will be expanded to include additional research-driven detections.
  • These detections are continuously updated by Microsoft security researchers to reflect the evolving threat landscape.
    • Detections may be added, removed, or modified dynamically to ensure optimal protection.
    • These are research-driven and enabled by default, requiring no manual configuration.
  • The second batch of legacy policies being migrated includes:
    • “Unusual ISP for an OAuth App”
    • “Suspicious file access activity (by user)”
  • These will be replaced with the following detections:
    • Replacing “Unusual ISP for an OAuth App”:
      • “OAuth application activity from an unknown ISP (Preview)”
    • Replacing “Suspicious file access activity (by user)”:
      • “Suspicious file access from untrusted ISP and user agent with malicious IP indicator (Preview)”
      • “Suspicious file access indicative of lateral movement (Preview)”
    • Adding new detection “Activity from a password-spray associated IP address (Preview)”

  • These new detections are already available to you in Preview; the "(Preview)" suffix will be removed once legacy policies are disabled.
  • Governance actions configured on legacy policies will be disabled. Admins can re-enable them manually after 24 hours.
  • Migrated policies will be listed in the Microsoft Learn article “Create Defender for Cloud Apps anomaly detection policies”.
  • Eventually, all other out-of-the-box (OOTB) activity-based policies will be migrated to the new dynamic model. Future Message center posts will provide details as additional policies are transitioned.

By applying the new dynamic model, we aim to deliver more accurate and timely threat detections, enhancing your organization’s overall security posture.

In some cases, legacy policies may be split into multiple detections and alerts to provide deeper visibility and context for SOC teams.

During the gradual migration of OOTB policies, disabled policies will remain temporarily visible in Defender for Cloud Apps. Once migration is complete, these legacy policies will be removed from the legacy policies page. A separate Message center post will be published to confirm their removal.

What you can do to prepare:

No admin action is required before rollout.

To prepare:

  • Review your current policy configurations to assess impact.
  • Notify SOC and helpdesk teams about the updated detections.
  • Update internal documentation if referencing legacy policies.
  • If you wish to retain governance actions:
    • Wait 24 hours after disablement.
    • Re-enable policies from the legacy policies page at: Defender portal > Cloud apps > Policy management.
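One way to carry out the "review your current policy configurations to assess impact" step is to baseline how many alerts the two legacy policies and their replacement detections have produced before the November rollout, so the SOC can compare volumes after the switch. The Advanced Hunting query below is an added example, not part of the Message Center post or Microsoft's documentation; it assumes the Defender XDR `AlertInfo` table and its documented columns (`Timestamp`, `Title`, `ServiceSource`, `Severity`, `AlertId`), and it assumes alert titles match the policy and detection names quoted above (the replacement titles are matched with `has_any` so the "(Preview)" suffix does not matter once it is removed).

```kql
// Added example (not from the Message Center post): baseline alert volume from the
// two legacy Defender for Cloud Apps policies and their replacement detections.
// Assumption: alert titles in AlertInfo match the policy/detection names in MC1169078.
let legacy = dynamic([
    "Unusual ISP for an OAuth App",
    "Suspicious file access activity (by user)"]);
let replacements = dynamic([
    "OAuth application activity from an unknown ISP",
    "Suspicious file access from untrusted ISP and user agent with malicious IP indicator",
    "Suspicious file access indicative of lateral movement",
    "Activity from a password-spray associated IP address"]);
AlertInfo
| where Timestamp > ago(30d)
| where ServiceSource == "Microsoft Defender for Cloud Apps"
// Classify each alert as coming from a legacy policy or a new dynamic detection.
// has_any tolerates the "(Preview)" suffix on the new detection titles.
| extend Generation = case(
    Title in~ (legacy), "Legacy policy",
    Title has_any (replacements), "New dynamic detection",
    "Other")
| where Generation != "Other"
| summarize Alerts = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by Generation, Title, Severity
| order by Generation asc, Alerts desc
```

Run it once before the rollout and again after the legacy policies are disabled: a drop in the "Legacy policy" rows with a corresponding rise in "New dynamic detection" rows is the expected picture, while a legacy title that keeps firing or a replacement that never appears is worth raising with the SOC, since governance actions tied to the legacy policies will have been disabled in the meantime.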


Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Timeline

Published: Oct 9, 2025 (message published to Message Center)
Updated: Oct 9, 2025 (message content updated)
End Date: Dec 27, 2025 (message timeline ends)

Tags

#Feature update, #User impact, #Admin impact

Category

Plan for Change

Related Messages

Similar updates:

  • MC1192257: Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel (Dec 5, 2025)
  • MC1171845: Microsoft Defender for Office 365: Enhancing the quarantine experience for administrators (Oct 13, 2025)
  • MC1166867: Microsoft Defender for Office 365: Enhancing the quarantine email preview experience (Oct 6, 2025)
  • MC1163754: Enhancements to the Deep Analysis tab of Email Entity page by Microsoft Defender for Office 365 (Oct 1, 2025)
  • MC1184997: Microsoft Defender for O365: New email actions available in Advanced Hunting (Nov 12, 2025)