Merge pull request #4595 from MicrosoftDocs/main

[AutoPublish] main to live - 07/28 10:33 PDT | 07/28 23:03 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/mac-whatsnew.md

@@ -70,12 +70,24 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Jul-2025 (Build: 101.25062.0005  | Release version: 20.125062.5.0)
+
+| Build:             | **101.25062.0005**   |
+|--------------------|----------------------|
+| Release version:   | **20.125062.5.0**    |
+| Engine version:    | **1.1.25040.3000**   |
+| Signature version: | **1.427.248.0**      |
+
+##### What's new
+
+- Bug and performance fixes
+
 ### Jun-2025 (Build: 101.25052.0012  | Release version: 20.125052.12.0)
 
-| Build:             | **101.25052.0012**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125052.12.0** |
-| Engine version:    | **1.1.25060.3000**       |
+| Build:             | **101.25052.0012**   |
+|--------------------|----------------------|
+| Release version:   | **20.125052.12.0**   |
+| Engine version:    | **1.1.25060.3000**   |
 | Signature version: | **1.431.226.0**      |
 
 ##### What's new
@@ -84,10 +96,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### May-2025 (Build: 101.25042.0009  | Release version: 20.125042.9.0)
 
-| Build:             | **101.25042.0009**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125042.9.0** |
-| Engine version:    | **1.1.25040.3000**       |
+| Build:             | **101.25042.0009**   |
+|--------------------|----------------------|
+| Release version:   | **20.125042.9.0**    |
+| Engine version:    | **1.1.25040.3000**   |
 | Signature version: | **1.429.521.0**      |
 
 ##### What's new
@@ -97,10 +109,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### Apr-2025 (Build: 101.25032.0006  | Release version: 20.125032.6.0)
 
-| Build:             | **101.25032.0006**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125032.6.0** |
-| Engine version:    | **1.1.25020.3000**       |
+| Build:             | **101.25032.0006**   |
+|--------------------|----------------------|
+| Release version:   | **20.125032.6.0**    |
+| Engine version:    | **1.1.25020.3000**   |
 | Signature version: | **1.427.158.0**      |
 
 ##### What's new

defender-office-365/remediate-malicious-email-delivered-office-365.md

@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 search.appverid: MET150
 description: Threat remediation
 ms.service: defender-office-365
-ms.date: 05/19/2025
+ms.date: 07/28/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -31,7 +31,7 @@ Remediation means to take a prescribed action against a threat. Malicious email
   - **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached, no new remediations are triggered until some actions are completed.
   - **Email message limits**: If an active remediation involves more than one million email messages, no new email remediations are allowed.
   - **Recipient requirements in remediations**:
-    - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. If the remediation requires the deletion of 5,000 email messages, the remediation must target at least 2,000 recipients. Explorer (Threat Explorer) counts each recipient as a unique email message. For example, Threat Exporer counts a message sent to 5 addresses as 5 messages.
+    - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. If the remediation requires the deletion of 5,000 email messages, the remediation must target at least 2,000 recipients. Explorer (Threat Explorer) counts each recipient as a unique email message. For example, Threat Explorer counts a message sent to 5 addresses as 5 messages.
     - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1,000 messages that were sent to a single recipient.
 
 - You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:
@@ -77,7 +77,7 @@ Unified Action Center shows remediation actions for the past 30 days. Actions ta
 
 Open any remediation item to view details about it, including its remediation name, approval ID, Investigation ID, creation date, description, status, action source, action type, decided by, status. It also opens a side pane with action details, email cluster details, alert, and Incident details.
 
-- **Open Investigation page**: Opens an admin investigation that contains fewer details and tabs. It shows details like: related alert, entity selected for remediation, action taken, remediation status, entity count, logs, and approver of action. Tracks an investigation manually done by the admin manually and contains details to selections made by the admin. There's no need to act on the investigation and alert (it's already in the Approved state).
+- **Open Investigation page**: Opens an admin investigation that contains fewer details and tabs. It shows details like: related alert, entity selected for remediation, action taken, remediation status, entity count, logs, and approver of action. Tracks an investigation manually done by the admin and contains details to selections made by the admin. There's no need to act on the investigation and alert (it's already in the Approved state).
 - **Email count**: Displays the number of email messages submitted through Explorer. These messages can be actionable or not actionable.
 - **Action logs**: Shows the details of remediation status like successful, failed, and already in destination.
 
@@ -106,7 +106,7 @@ Open any remediation item to view details about it, including its remediation na
 
       **Delete sender's copy**: Also try to soft delete the message from the sender's Sent Items folder if the sender is the organization.
 
-    - **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
+    - **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items). If you use [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac), you also need the **Email & collaboration metadata (read)** permission to hard delete messages.
 
   > [!NOTE]
   > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from quarantine folder aren't available. Also, the action logs are available only at <https://security.microsoft.com/threatincidents>, not in the **Action Center** at <https://security.microsoft.com/action-center>.