Merge branch 'main' into diannegali-phishingtriage

Author: diannegali

CloudAppSecurityDocs/protect-github.md

@@ -129,7 +129,7 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
 
    1. Select the **GitHub Profile picture** -> **your enterprises**.
    1. Select **your enterprise account** and choose the account you want to connect to Microsoft Defender for Cloud Apps.
-   1. Confirm that the URL is the enterprise slug. For instance, in this example `https://github.com/enterprises/testEnterprise` *testEnterprise* is the enterprise slug.
+   1. Confirm that the URL is the enterprise slug. For instance, in this example `https://github.com/enterprises/testEnterprise` *testEnterprise* is the enterprise slug. Enter only the enterprise slug, not the entire URL.
 
 1. Select **Next**.
 
@@ -142,7 +142,7 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
     - **admin:org** - required for synchronizing your organization's audit log
     - **read:user** and **user:email** - required for synchronizing your organization's members
     - **repo:status** - required for synchronizing repository-related events in the audit log
-    - **admin:enterprise** - required for SSPM capabilities, Note that provided user must be the owner of the enterprise account.
+    - **read:enterprise** - required for SSPM capabilities. Note that provided user must be the owner of the enterprise account.
 
     For more information about OAuth scopes, see [Understanding scopes for OAuth Apps](https://docs.github.com/developers/apps/building-oauth-apps/scopes-for-oauth-apps).
 

defender-endpoint/mac-whatsnew.md

@@ -64,6 +64,19 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Apr-2025 (Build: 101.25032.0006  | Release version: 20.125032.6.0)
+
+| Build:             | **101.25032.0006**         |
+|--------------------|-----------------------|
+| Release version:   | **20.125032.6.0** |
+| Engine version:    | **1.1.25020.3000**       |
+| Signature version: | **1.427.158.0**      |
+
+##### What's new
+
+- Hardware UUID is now displayed in the Security Portal
+- Bug and performance fixes
+
 ### Mar-2025 (Build: 101.25022.0003  | Release version: 20.125022.3.0)
 
 | Build:             | **101.25022.0003**    |

defender-office-365/mdo-support-teams-sec-ops-guide.md

@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: A prescriptive playbook for SecOps personnel to manage Microsoft Teams protection in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 04/16/2025
+ms.date: 04/22/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -83,6 +83,10 @@ SecOps team members can proactively hunt for potentially malicious Teams message
   - **URL click** tab: This tab contains all user clicks on URLs in email, in supported Office files in SharePoint and OneDrive, and in Microsoft Teams. You can use the [available filters](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-url-clicks-view-in-threat-explorer) to hunt on detection data.
 
 - On the **Advanced hunting** page in the Defender portal at <https://security.microsoft.com/v2/advanced-hunting>. The following hunting tables are available for Teams-related threats:
+
+  > [!NOTE]
+  > The hunting tables are currently in Preview.
+
   - [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table): Contains raw data about every internal and external Teams message that included a URL. Sender address, Sender display name, Sender type, and more are available in this table.
   - [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table): Contains raw data about ZAP events on Teams messages.
   - [MessageUrlInfo](/defender-xdr/advanced-hunting-messageurlinfo-table): Contains raw data about URLs in Teams messages.

defender-xdr/pilot-deploy-defender-office-365.md

@@ -18,7 +18,7 @@ ms.collection:
   - highpri
   - tier1
 ms.topic: concept-article
-ms.date: 05/31/2024
+ms.date: 04/22/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: To learn how to pilot and deploy Microsoft Defender for Office 365 in your production Microsoft 365 tenant. 
@@ -32,14 +32,12 @@ This article assumes you have a production Microsoft 365 tenant and are piloting
 
 Defender for Office 365 contributes to a Zero Trust architecture by helping to prevent or reduce business damage from a breach. For more information, see the [Prevent or reduce business damage from a breach](/security/zero-trust/adopt/prevent-reduce-business-damage-breach) business scenario in the Microsoft Zero Trust adoption framework.
 
-<!---
 > [!TIP]
 > For information about configuring protection for Microsoft Teams, see the following articles:
 >
 > - [Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams](/defender-office-365/mdo-support-teams-about)
 > - [Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365 Plan 2](/defender-office-365/mdo-support-teams-quick-configure)
 > - [Security Operations Guide for Teams protection in Microsoft Defender for Office 365](/defender-office-365/mdo-support-teams-sec-ops-guide)
---->
 
 ## End-to-end deployment for Microsoft Defender XDR
 

unified-secops-platform/microsoft-threat-actor-naming.md

@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 3/5/2025
+ms.date: 4/22/2025
 ---
 
 # How Microsoft names threat actors
@@ -59,6 +59,7 @@ The following table lists publicly disclosed threat actor names with their origi
 |Amethyst Rain|Lebanon|Volatile Cedar|
 |[Antique Typhoon](https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/)|China|Storm-0558|
 |[Aqua Blizzard](https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/)|Russia|ACTINIUM, Gamaredon, Armageddon, UNC530, shuckworm, SectorC08, Primitive Bear|
+|Berry Sandstorm|Iran|Storm-0852|
 |Blue Tsunami|Israel, Private sector offensive actor||
 |Brass Typhoon|China|BARIUM, APT41|
 |Brocade Typhoon|China|BORON, UPS, Gothic Panda, APT3, OLDCARP, TG-0110, Red Sylvan, CYBRAN|
@@ -125,7 +126,7 @@ The following table lists publicly disclosed threat actor names with their origi
 |Pumpkin Sandstorm|Iran|DEV-0146|
 |Purple Typhoon|China|POTASSIUM, GOLEM, Evilgrab, AEON, LIVESAFE, ChChes, APT10, Haymaker, Webmonder, STONE PANDA, Foxtrot, Foxmail, MenuPass, Red Apollo|
 |Raspberry Typhoon|China|RADIUM, LotusBlossom, APT30|
-|Red Sandstorm|Iran|Void Manticore|
+|Red Sandstorm|Iran|Void Manticore, Storm-0842|
 |Ruby Sleet|North Korea|CERIUM|
 |Ruza Flood|Russia, Influence operations||
 |Salmon Typhoon|China|SODIUM, APT4, MAVERICK PANDA|
@@ -147,6 +148,7 @@ The following table lists publicly disclosed threat actor names with their origi
 |Storm-0247|China|ToddyCat, Websiic|
 |Storm-0288|Group in development|FIN8|
 |Storm-0302|Group in development|Narwhal Spider, TA544|
+|[Storm-0408](https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/)|Group in development||
 |[Storm-0501](https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/)|Financially motivated|DEV-0501|
 |Storm-0538|Group in development|FIN6|
 |[Storm-0539](https://www.microsoft.com/en-us/security/blog/2024/05/23/cyber-signals-inside-the-growing-risk-of-gift-card-fraud/)|Financially motivated||
@@ -163,6 +165,7 @@ The following table lists publicly disclosed threat actor names with their origi
 |[Storm-1674](https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/)|Financially motivated||
 |[Storm-1679](https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/)|Influence operations||
 |[Storm-1811](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/)|Financially motivated||
+|[Storm-1865](https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/)|Group in development||
 |Storm-1982|China|SneakyCheff, UNK_SweetSpecter|
 |[Storm-2035](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf)|Iran, Influence operations||
 |[Storm-2077](https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/#storm-2077)|China|TAG-100|
@@ -180,6 +183,7 @@ The following table lists publicly disclosed threat actor names with their origi
 |[Volt Typhoon](https://www.microsoft.com/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques)|China|BRONZE SILHOUETTE, VANGUARD PANDA|
 |Wheat Tempest|Financially motivated|GOLD, Gatak|
 |Wisteria Tsunami|India, Private sector offensive actor|DEV-0605|
+|Yulong Flood|China,, Influence operations|Storm-1852|
 |Zigzag Hail|South Korea|DUBNIUM, Nemim, TEMPLAR, TieOnJoe, Fallout Team, Purple Pygmy, Dark Hotel, Egobot, Tapaoux, PALADIN, Darkhotel|
 
 Read our announcement about this taxonomy for more information: [https://aka.ms/threatactorsblog](https://aka.ms/threatactorsblog)