Merge branch 'main' into docs-editor/mac-device-control-overview-1762488000

Author: KesemSharabi

defender-endpoint/indicators-overview.md

@@ -119,6 +119,11 @@ When your security team creates a new indicator (IoC), the following actions are
 > [!NOTE]
 > Using Warn mode prompts users with a warning if they open a risky app or website. The prompt doesn't block them from allowing the application or website to run, but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if necessary. For more information, see [Govern apps discovered by Microsoft Defender for Endpoint](/defender-cloud-apps/mde-govern).
 
+> [!NOTE]
+> For Warn action, To receive the toast notification to be able to bypass the IoC, make sure the **“Files or activities are blocked”** option is enabled under **Virus & Threat Protection notifications**. The corresponding registry key should be set as follows: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender Security Center\Virus and threat protection\FilesBlockedNotificationDisabled = 0.  
+>   
+>  More details see **[Windows Security app settings](https://support.microsoft.com/windows/windows-security-app-settings-1ec98620-4e41-4b6b-b055-3c4bb115d4ee#bkmk_notifications)**.
+
 You can create an indicator for:
 
 - [Files](indicator-file.md)

defender-endpoint/network-protection.md

@@ -147,14 +147,19 @@ When an end user attempts to visit a website in an environment in which network
 A user visits a website. If the url has an unknown or uncertain reputation, a toast notification presents the user with the following options:
 
 - **Ok**: The toast notification is released (removed), and the attempt to access the site is ended.
-- **Unblock**: The user has access to the site for 24 hours; at which point the block is reenabled. The user can continue to use **Unblock** to access the site until such time that the administrator prohibits (blocks) the site, thus removing the option to **Unblock**.
+- **Unblock**: The user has access to the site for 24 hours; at which point the block is re-enabled. The user can continue to use **Unblock** to access the site until such time that the administrator prohibits (blocks) the site, thus removing the option to **Unblock**.
 - **Feedback**: The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
 
 :::image type="content" source="media/network-protection-phishing-warn-2.png" alt-text="Shows a network protection phishing content warn notification.":::
 
 > [!NOTE]
 > The images shown in this article for both the `warn` experience and `block` experience use "blocked url" as example placeholder text. In a functioning environment, the actual url or domain is listed.  
 
+> [!NOTE]
+> To receive this toast notification, make sure the **“Files or activities are blocked”** option is enabled under **Virus & Threat Protection notifications**. The corresponding registry key should be set as follows:
+> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender Security Center\Virus and threat protection\FilesBlockedNotificationDisabled = 0
+> More details see [Windows Security app settings](https://support.microsoft.com/windows/windows-security-app-settings-1ec98620-4e41-4b6b-b055-3c4bb115d4ee#bkmk_notifications). 
+
 #### Use CSP to enable `Convert warn verdict to block`
 By default, SmartScreen verdicts for malicious sites result in a warning that can be overridden by the user. A policy can be set to convert the warning to blocks, preventing such overrides.
 

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -33,13 +33,46 @@ This article provides information on inaccuracies that have been reported. You c
  
 The following tables present the relevant vulnerability information organized by month.
 
+## October 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| - | Improved accuracy for Oracle VM Virtual Box | 05-October-25 |
+| 116830 | Fixed bad detections in FlashPlayer | 21-October-25 |
+| - | Added Microsoft Defender Vulnerability Management support for AutoHotKey | 21-October-25 |
+| 113625 | Improved accuracy for Notion | 21-October-25 |
+| 109514 | Added Microsoft Defender Vulnerability Management support for Snowflake SnowSQL | 21-October-25 |
+| 111269 | Fixed inaccuracy in Veritas System Recovery vulnerability- CVE-2024-35204 | 21-October-25 |
+| - | Fixed accuracy for Sangoma | 21-October-25 |
+| 113612 | Fixed inaccuracy in Teamviewer vulnerability- CVE-2025-44002 | 21-October-25 |
+| 113545 | Updated CVSS Score for CVE-2024-5921 | 21-October-25 |
+| 111394 | Fixed inaccuracy in Symantec VIP Access vulnerability- CVE-2017-6329 | 22-October-25 |
+| 116012 | Updated LibreOffice logic to include gengal.exe | 22-October-25 |
+| - | Fixed inaccurate affected version details for 12 Python CVEs | 22-October-25 |
+| 111340 | Added accurate EOS details for MySQL | 27-October-25 |
+| 107205 | Added accurate EOS details for Windows 11 | 27-October-25 |
+| - | Fixed inaccuracy in Kernel-uek vulnerabilities- CVE-2025-38203, CVE-2025-38204 and CVE-2025-38237 | 28-October-25 |
+| - | Fixed inaccuracy in WPS Office vulnerability- CVE-2024-57096 | 28-October-25 |
+| 111645 | Added accurate EOS details for Adobe Acrobat Elements | 28-October-25 |
+| 115217 | Fixed incorrect identification of BizGuard as MS Teams | 28-October-25 |
+| 118676 | Fixed inaccuracy in Forescout Secureconnector vulnerability- CVE-2024-9950 | 28-October-25 |
+| - | Fixed incorrect detections in Vendor- Oracle | 28-October-25 |
+| 113650 | Fixed inaccuracy in CheckPoint Identity Agent vulnerability- CVE-2024-24910 | 28-October-25 |
+| 114611 | Added Microsoft Defender Vulnerability Management support for Microsoft Purview Information Protection | 28-October-25 |
+| - | Improved accuracy for Cisco Identity Services Engine | 28-October-25 |
+| 116694 | Defender Vulnerability Management doesn't currently support for Visual Studio Express For Web | 29-October-25 |
+
 ## September 2025
 
 | Inaccuracy report ID | Description | Fix date |
 |---|---|---|
 | - | Added MDVM support for Zoom vulnerability- CVE-2025-49457 | 03-September-25 |
 | - | Added MDVM support for 8 Tableau Server vulnerabilities- CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454 and CVE-2025-52455 | 09-September-25 |
 | - | Defender Vulnerability Management has completely rolled back support for Microsoft Visual C++ | 18-September-25 |
+| - | Fixed bad normalization in Grafana | 29-September-25 |
+| - | Fixed incorrect detections in Vendor- Dia | 29-September-25 |
+| - | Added Microsoft Defender Vulnerability Management support for Fortra GoAnywhere Managed File Transfer | 29-September-25 |
+| - | Added accurate EOS details for Visual C++ | 30-September-25 |
 
 ## August 2025
 

unified-secops-platform/microsoft-threat-actor-naming.md

@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 ms.topic: article
 search.appverid: met150
-ms.date: 10/15/2025
+ms.date: 11/07/2025
 ---
 
 # How Microsoft names threat actors
@@ -118,11 +118,13 @@ The following table lists publicly disclosed threat actor names with their origi
 |Night Tsunami|Israel|DEV-0336|
 |Nylon Typhoon|China|NICKEL, VIXEN PANDA, Playful Dragon, RedRiver, ke3chang, APT15, Mirage|
 |[Octo Tempest](https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/)|Financially motivated| SCATTERED SPIDER, 0ktapus|
+|[Oka Flood](https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/)|Russia, Influence operations|Storm-1679|
 |Onyx Sleet|North Korea|PLUTONIUM, SILENT CHOLLIMA, StoneFly, Tdrop2 campaign, DarkSeoul, Black Chollima, Andariel, APT45|
 |Opal Sleet|North Korea|OSMIUM, VELVET CHOLLIMA, Planedown, Konni, APT43|
 |Patched Lightning||Storm-0113|
 |[Peach Sandstorm](https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/)|Iran|HOLMIUM, REFINED KITTEN, APT33, Elfin|
 |Pearl Sleet|North Korea|LAWRENCIUM|
+|Pepper Typhoon|China|LIMINAL PANDA, CL-STA-0969|
 |Periwinkle Tempest|Russia|DEV-0193, WIZARD SPIDER|
 |Phlox Tempest|Israel, Financially motivated|DEV-0796|
 |Pink Sandstorm|Iran|AMERICIUM, SPECTRAL KITTEN, Agrius, Deadwood, BlackShadow, SharpBoys, FireAnt, Justice Blade|
@@ -174,7 +176,6 @@ The following table lists publicly disclosed threat actor names with their origi
 |[Storm-1567](https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/)|Financially motivated|PUNK SPIDER|
 | [Storm-1607](https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/) | Group in development ||
 |[Storm-1674](https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/)|Financially motivated||
-|[Storm-1679](https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/)|Influence operations||
 |[Storm-1811](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/)|Financially motivated|CURLY SPIDER|
 |Storm-1849|China|UAT4356|
 |[Storm-1865](https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/)|Group in development||
@@ -183,7 +184,10 @@ The following table lists publicly disclosed threat actor names with their origi
 |[Storm-2077](https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/#storm-2077)|China|TAG-100|
 |[Storm-2246](https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/)|Group in development||
 |[Storm-2372](https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/)|Group in development||
+|[Storm-2460](https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/)|Group in development||
+|[Storm-2477](https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/)|Group in development|Lumma Stealer|
 |[Storm-2603](https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/)|China||
+|[Storm-2657](https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/)|United States, Financially motivated|Payroll Pirates|
 |Strawberry Tempest|Financially motivated|DEV-0537, SLIPPY SPIDER, LAPSUS$|
 |Sunglow Blizzard||DEV-0665|
 |Swirl Typhoon|China|TELLURIUM, STALKER PANDA, Tick, Bronze Butler, REDBALDKNIGHT|