MicrosoftDocs
diff --git a/‎defender-xdr/alert-classification-malicious-exchange-connectors.md‎
Lines changed: 7 additions & 7 deletions b/‎defender-xdr/alert-classification-malicious-exchange-connectors.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎defender-xdr/alert-classification-password-spray-attack.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-xdr/alert-classification-password-spray-attack.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-xdr/alert-classification-playbooks.md‎
Lines changed: 2 additions & 1 deletion b/‎defender-xdr/alert-classification-playbooks.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎defender-xdr/alert-classification-suspicious-ip-password-spray.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-xdr/alert-classification-suspicious-ip-password-spray.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-xdr/alert-grading-playbook-email-forwarding.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-xdr/alert-grading-playbook-email-forwarding.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-xdr/alert-grading-playbook-inbox-forwarding-rules.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-xdr/alert-grading-playbook-inbox-forwarding-rules.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-xdr/alert-grading-playbook-inbox-manipulation-rules.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-xdr/alert-grading-playbook-inbox-manipulation-rules.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-xdr/api-access.md‎
Lines changed: 3 additions & 5 deletions b/‎defender-xdr/api-access.md‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎defender-xdr/api-advanced-hunting.md‎
Lines changed: 3 additions & 5 deletions b/‎defender-xdr/api-advanced-hunting.md‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎defender-xdr/api-articles.md‎
Lines changed: 2 additions & 1 deletion b/‎defender-xdr/api-articles.md‎
Lines changed: 2 additions & 1 deletion
@@ -1,6 +1,6 @@
 ---
-title: Alert classification for malicious exchange connectors
-description: Alert grading recipients from malicious exchange connectors activity and protect their network from malicious attack.
+title: Alert classification for malicious Exchange connectors
+description: Learn how to classify alerts on malicious Exchange connectors activity and protect your network from attacks.
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - MET150
-ms.date: 03/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for malicious Exchange connectors so that I can take the necessary actions to remediate the attack and protect my network.
@@ -27,7 +27,7 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-Threat actors use compromised exchange connectors for sending out spam and phishing emails in bulk to unsuspecting recipients by masquerading legitimate emails. Since the connector is compromised, the emails would usually be trusted by the recipients. These kinds of phishing emails are common vectors for phishing campaigns, and business email compromise (BEC) scenario. Hence, such emails need to be monitored heavily due to the likelihood of successful recipients' compromises being high.
+Threat actors use compromised Microsoft Exchange connectors for sending out spam and phishing emails in bulk to unsuspecting recipients by masquerading legitimate emails. Since the connector is compromised, the emails would usually be trusted by the recipients. These kinds of phishing emails are common vectors for phishing campaigns, and business email compromise (BEC) scenario. Hence, such emails need to be monitored heavily due to the likelihood of successful recipients' compromises being high.
 
 This playbook helps in investigating instances where malicious connectors are setup/deployed by malicious actors. Accordingly, they take necessary steps to remediate the attack and mitigate the security risks arising from it. The playbook helps in classifying the alerts as either true positive (TP) or false positive (FP). If alerts are TP, the playbook lists necessary recommended actions for remediating the attack. This playbook is available for security teams who review, handle/manage, and grade the alerts.
 
@@ -44,15 +44,15 @@ Connectors are used to route mail traffic between remote email systems and Offic
 
 ### Malicious Exchange connectors
 
-Attackers may compromise an existing exchange connector or compromise an admin, and set up a new connector by sending phish or spam/bulk emails.
+Attackers may compromise an existing Exchange connector or compromise an admin, and set up a new connector by sending phish or spam/bulk emails.
 
 The typical indicators of a malicious connector can be found when looking at email traffic and its headers. For example, when email traffic is observed from a connector node with a mismatch in P1 (header sender) and P2 (envelope sender) sender addresses along with no information on Sender's AccountObjectId.
 
 This alert tries to identify such instances of mail flow, wherein the mail sending activity seems suspicious adding to that relevant information on sender is unavailable.
 
 ## Playbook workflow
 
-You must follow the sequence to identify malicious exchange connectors:
+You must follow the sequence to identify malicious Exchange connectors:
 
 - Identify which accounts are sending emails:
   - Do accounts appear to be compromised?
@@ -69,7 +69,7 @@ You must follow the sequence to identify malicious exchange connectors:
 This section describes the steps to investigate an alert and remediate the security risk due to this incident.
 
 - Determine whether the connector demonstrates bad (malicious) behavior.
-  - Look for events indicating unusual mail traffic and identify, whether any new exchange connector was added recently.
+  - Look for events indicating unusual mail traffic and identify, whether any new and recently added Exchange connector.
     - For mail traffic observed, determine if the email accounts are compromised by inspecting whether the accounts are responsible for unusual mail traffic.
   - Look for mail content containing malicious artifacts (bad links/attachments).
   - Look for domains that are not part of your environment.
 
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for password spray attacks so that I can take the necessary actions to remediate the attack and protect my network.
 
@@ -18,7 +18,7 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify alerts by using alert classification playbooks so that I can take the necessary actions to remediate the attack and protect my network.
@@ -89,6 +89,7 @@ See these playbooks for steps to more quickly classify alerts for the following
 - [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)
 - [Suspicious IP addresses related to password spray activity](alert-classification-suspicious-ip-password-spray.md)
 - [Password spray attacks](alert-classification-password-spray-attack.md)
+- [Malicious Exchange connectors](alert-classification-malicious-exchange-connectors.md)
 
 See [Investigate alerts](investigate-alerts.md) for information on how to examine alerts with the Microsoft Defender portal.
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
@@ -1,6 +1,6 @@
 ---
 title: Alert classification for suspicious IP address related to password spraying activity
-description: Alert classification for suspicious IP address related to password spraying activity to review the alerts and take recommended actions to remediate the attack and protect your network.
+description: Investigate and review alerts related to suspicious IP address related to password spraying activity and take recommended actions to protect your network.
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for suspicious IP addresses related to password spray attacks that I can take the necessary actions to remediate the attack and protect my network.
 
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 04/03/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify alerts about suspicious email forwarding activity so that I can take the necessary actions to remediate the attack and protect my network.
 
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid: 
   - MOE150
   - met150
-ms.date: 07/26/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify suspicious inbox forwarding rules alerts so that I can take the necessary actions to remediate the attack and protect my network.
 
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 04/05/2023
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify suspicious inbox manipulation rules alerts so that I can take the necessary actions to remediate the attack and protect my network.
 
@@ -18,17 +18,15 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 02/08/2024
+ms.date: 04/15/2025
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Access the Microsoft Defender XDR APIs
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
 
 
@@ -18,17 +18,15 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 04/01/2024
+ms.date: 04/18/2025
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Microsoft Defender XDR Advanced hunting API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!WARNING]
 > This advanced hunting API is an older version with limited capabilities. A more comprehensive version of the advanced hunting API is already available in the **[Microsoft Graph security API](/graph/api/resources/security-api-overview)**. See **[Advanced hunting using Microsoft Graph security API](/graph/api/resources/security-api-overview#advanced-hunting)**
 
 
@@ -37,7 +37,8 @@ ms.date: 02/08/2024
 
 The following resources provide more information about APIs available for other Microsoft security solutions, beyond the Microsoft Defender XDR API.
 
-- [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
+- [Microsoft Defender for Endpoint](/defender-endpoint/api/apis-intro)
 - [Microsoft Defender for Office 365](/office/office-365-management-api/)
 - [Microsoft Defender for Cloud Apps](/cloud-app-security/api-introduction)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]