Commit 40c45d1

Merge branch 'main' into mde-content-freshness
2 parents a84d0b1 + 4999d70 commit 40c45d1

8 files changed (+17 -10 lines changed)

defender-office-365/anti-phishing-policies-about.md

Lines changed: 4 additions & 2 deletions
@@ -17,7 +17,7 @@ ms.custom:
1717
description: Admins can learn about the anti-phishing policies that are available in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
1818
ms.service: defender-office-365
1919
search.appverid: met150
20-
ms.date: 01/07/2025
20+
ms.date: 03/26/2025
2121
appliesto:
2222
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2323
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -255,7 +255,7 @@ You can use protected users to add internal and external sender email addresses
255255
> [!NOTE]
256256
> You can specify a maximum of 350 users for user impersonation protection in each anti-phishing policy.
257257
>
258-
> User impersonation protection doesn't work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.
258+
> When both **Enable mailbox intelligence** and **Enable intelligence for impersonation protection** are turned on, User impersonation protection doesn't work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.
259259
>
260260
> You might get the error "The email address already exists" if you try to add a user to user impersonation protection when that email address is already specified for user impersonation protection in another anti-phishing policy. This error occurs only in the Defender portal. You don't get the error if you use the corresponding _TargetedUsersToProtect_ parameter in the **New-AntiPhishPolicy** or **Set-AntiPhishPolicy** cmdlets in Exchange Online PowerShell.
261261
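Review bot: In the changed note line (258), the new condition "When both **Enable mailbox intelligence** and **Enable intelligence for impersonation protection** are turned on" only scopes the first sentence, so it is unclear whether "If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt" also depends on both settings. The note also does not say what happens when only one of the two settings is on. Suggest stating that case explicitly, since admins read this note to decide whether prior contact exempts a sender from the check. Also lowercase "User" after the comma ("are turned on, user impersonation protection doesn't work").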
@@ -284,6 +284,8 @@ Domain impersonation protection prevents specific domains **in the sender's emai
284284

285285
> [!NOTE]
286286
> You can specify a maximum of 50 custom domains for domain impersonation protection in each anti-phishing policy.
287+
>
288+
> When both **Enable mailbox intelligence** and **Enable intelligence for impersonation protection** are turned on, domain impersonation protection doesn't work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.
287289
288290
Messages from **senders** in the specified domains are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Users, groups, and domains** recipients in custom policies). If impersonation is detected in the domain of the sender's email address, the action for domain impersonation is applied to the message.
289291
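Review bot: The note added at lines 287-288 repeats the user impersonation sentence from the earlier hunk word for word, with only "User" swapped for "domain", so the two copies can drift apart on the next edit. Suggest keeping the mailbox intelligence condition in one place and linking to it from both notes, or at least ending the added note with "a domain impersonation attempt" so it is clear which check is meant.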

defender-xdr/investigate-incidents.md

Lines changed: 13 additions & 8 deletions
@@ -16,7 +16,7 @@ ms.topic: conceptual
1616
search.appverid:
1717
- MOE150
1818
- MET150
19-
ms.date: 03/11/2025
19+
ms.date: 03/27/2025
2020
appliesto:
2121
- Microsoft Defender XDR
2222
- Microsoft Sentinel in the Microsoft Defender portal
@@ -105,19 +105,24 @@ If the incident or related alerts were the result of an analytics rule you've se
105105
106106
### Attack paths
107107

108-
The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **Show attack paths**. Attack paths are available for entities with the **critical asset** tag.
108+
> [!NOTE]
109+
> To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
110+
> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
111+
112+
The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **View attack paths**. The top attack paths are shown within the incident graph. Here's an example.
113+
114+
:::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting a critical asset and a top attack path in the incident graph" lightbox="/defender/media/investigate-incidents/attack-path.png":::
109115

110-
:::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting the Show attack paths action in the incident graph." lightbox="/defender/media/investigate-incidents/attack-path.png":::
116+
To view all the possible attack paths, select **View all attack paths** on the incident graph. A flyout pane opens containing the list of all possible attack paths for the selected entity. The attack paths can be filtered based on the attack path name, entry point, entry point type, target, target type, and target criticality. Here's an example.
111117

112-
Upon selecting **Show attack paths**, a side pane opens, displaying a list of attack paths for the selected entity. The attack paths are displayed in a table format, showing the attack path name, entry point, entry point type, target, target type, the target criticality.
118+
:::image type="content" source="/defender/media/investigate-incidents/attack-paths-flyout-small.png" alt-text="Screenshot highlighting the view attack paths option and the flyout pane list of attack paths" lightbox="/defender/media/investigate-incidents/attack-paths-flyout.png":::
113119

114-
Selecting an attack path from the list displays the attack path graph, which shows the attack path from the entry point to the target. Selecting **View map** opens a new window to view the attack path in full.
120+
Selecting an attack path from the list displays the details of that attack path, showing the attack path from the entry point, possible entities involved, and the target. Selecting **View map** opens a new window to view the attack path in full.
115121

116122
:::image type="content" source="/defender/media/investigate-incidents/attack-path-pane-small.png" alt-text="An example of the attack path graph shown in the side pane." lightbox="/defender/media/investigate-incidents/attack-path-pane.png":::
117123

118-
> [!NOTE]
119-
> To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
120-
> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
124+
> [!TIP]
125+
> To view the details of an attack path, you must have permissions for the workloads that are part of the attack path. For example, to view an attack path that includes a managed device, you must have permissions for Microsoft Defender for Endpoint.
121126
122127
### Incident details
123128
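Review bot: The rewritten paragraph at line 112 drops the sentence "Attack paths are available for entities with the **critical asset** tag" without a replacement, while the new alt text at line 114 still refers to "a critical asset", so readers no longer learn for which entities **View attack paths** is offered. Suggest restoring that precondition if it still holds. Separately, the permission requirements are now split between the [!NOTE] at lines 108-110 and the [!TIP] at lines 124-125, both opening with "To view the details of an attack path, you must have". Merging them into one callout would keep the license, role and workload requirements together, and the malformed `</br></br>` carried over in the moved note could become a blank `>` line.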
