US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms
Two weeks ago, the ransomware gangâs darknet extortion sites were seized in an operation involving police from more than nine countries including Germany, France and the United Kingdom.
Air France and KLM disclosed data breaches following the hack of a third-party platform - Security Affairs
Air France and KLM warn of a data breach exposing customer data via unauthorized access to a third-party platform. Air France and KLM reported a data breach after hackers accessed a third-party platform, potentially exposing some customersâ personal information. Both airlines confirmed that threat actors gained access to the platform of an unnamed service provider [âŚ]
Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer's computers.
Agentic AI & Zero Trust | Secure Non-Human Assistants | CSA
AI agents are non-human identities that donât just hold credentialsâthey do something with them. How can we apply Zero Trust to these autonomous actors?
BlackSuit, Royal ransomware group hit over 450 US victims before last monthâs takedown | CyberScoop
The Department of Homeland Security said the Russian cybercrime collective received at least $370 million in ransom payments, based on current cryptocurrency valuations.
CISA orders fed agencies to patch new Exchange flaw by Monday
CISA has issued an emergency directive ordering all Federal Civilian Executive Branch (FCEB) agencies to mitigate a critical Microsoft Exchange hybrid vulnerability tracked as CVE-2025-53786 by Monday morning at 9:00 AM ET.
ChatGPT's GPT-5 models released: everything you need to know
After a long wait, GPT-5 is finally rolling out. It's available for free, Plus, Pro and Team users today. This means everyone gets to try GPT-5 today, but paid users get higher limits.
AI wrote my code and all I got was this broken prototype
Can AI really write safer code? Martin dusts off his software engineer skills to put it it to the test. Find out what AI code failed at, and what it was surprisingly good at. Also, we discuss new research on how AI LLM models can be used to assist in the reverse engineering of malware.
New EDR killer tool used by eight different ransomware groups
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,'Â developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
Announcing Public Preview: Phishing Triage Agent in Microsoft Defender
At Microsoft Secure 2025, we introduced a new wave of innovations across Microsoft Defender aimed at redefining what AI can do for security operations. At the center of these announcements was the launch of 11 Security Copilot agents, each purpose-built to reduce manual workload and accelerate response through autonomous, adaptive automation. Integrated into existing Microsoft Security infrastructure, they continuously learn and adapt to your unique environment, while keeping your team in control for proactive, end-to-end protection.
Among these is the Phishing Triage Agent in Microsoft Defender, now available in Public Preview. It tackles one of the most repetitive tasks in the SOC: handling reports of user-submitted phish. Instead of manually combing through endless submission, security teams can now rely on an agent that triages thousands of alerts each day, typically within 15 minutes of detection. Early adopters are already seeing accelerated threat response and significant time savings.
Phishing: A top threat and a burden for SOC analysts
Phishing continues to be one of the most pervasive entry points for threat actors, with over 90% of breaches starting from email-based deception. In just twelve months, Microsoft Defender for Office 365 detected more than 775 million malware-laced emails, underscoring the relentless, large-scale nature of the threat. While todayâs security tools are highly effective at blocking most of these attempts, attackers arenât standing still. They continuously adaptâtweaking content, spoofing identities, changing tactics, and exploiting new channels to slip past defenses. Increasingly, theyâre also using generative AI to craft phishing messages that appear more legitimate and personalized, making detection even harder. As a result, a small but dangerous number of phishing emails still manage to slip through and reach usersâ inboxes.
When users report these suspicious messages, they land in SOC queues for further review, creating a significant operational burden for security teams. Most submissions are false alarms, yet analysts must still manually review each one to catch the rare threats buried in the noise. This delays response, drains focus, and raises the risk of a dangerous miss.
Behind the agent: smarter phishing triage
Built to operate autonomously
The Phishing Triage Agent marks a meaningful step forward in autonomous security operations. Powered by large language models (LLMs), it performs sophisticated assessmentsâincluding semantic evaluation of email content, URL and file inspection, and intent detectionâto determine whether a submission is a true phishing threat or a false alarm. Unlike traditional systems based on static rules or pre-coded logic, the agent dynamically interprets the context and artifacts of each email to reach an independent verdict. It is autonomous defense working behind the scenes, cutting through the noise and elevating what truly matters.
Learning from feedback
Equally transformative is the agentâs ability to learn. Rather than relying on fixed conclusions, the Phishing Triage Agent continuously evolves. Analysts can reclassify incidents and provide natural language feedback explaining why a particular verdict was correct or not. The agent incorporates this input, refining its reasoning and adapting to the organizationâs specific needs, patterns, and nuances. With every interaction, it becomes more accurate and better attuned to its environment, creating a feedback loop that drives ongoing improvement.
Transparent by design
One of the most defining features of the Phishing Triage Agent is how clearly it communicates its decisions. For every verdict, the agent provides a natural language explanation that outlines why a message was or wasnât classified as phishing. The rationale is clear and accessible, allowing analysts to quickly comprehend what led to the outcome.
For those seeking deeper understanding, the agent also produces a visual map of its decision logic: a step-by-step breakdown of how it evaluated the submission. Each phase is presented as an expandable card within a structured diagram, detailing the signals analyzed, evidence collected, and logic applied. Teams can drill into any step to view the agentâs reasoning in context, making the entire process traceable and reviewable from start to finish. This level of transparency isnât just helpful, itâs essential for building trust in autonomous security systems.
How the agent works
Quick setup and seamless integration
Getting started is simple. The onboarding experience provides a clear overview of the agentâs capabilities and how it functions in your environment. It can be configured with a dedicated identity and role-based access controls that follow least privilege principles, ensuring it operates strictly within its assigned scope.
Administrators retain full control. They can view, manage, and restrict the agentâs actions, keeping its behavior aligned with the organizationâs security policies and standards.
Autonomous operation in the background
Once deployed, the agent operates in the background, automatically triggering whenever a user reports a suspicious email. As new submissions come in, it analyzes each one and assigns a classification. In most organizations, more than 90% of reported emails turn out to be false positives. The agent resolves these automatically, tagging them so analysts donât have to sort through each one manually. This allows teams to focus on the handful of incidents that truly require their attention.
When the agent is enabled, Microsoft Defender for Office 365âs built-in Automated Investigation and Response (AIR) feature consumes the agentâs output. AIR then builds on that analysis, detecting similar threats and surfacing remediation actions for SOC analysts to review and approve.
Inside a typical incident review
For each incident, the agent provides a natural language summary of its verdict. When it classifies a submission as malicious or benign, it clearly explains whyâciting factors such as sender reputation, message content, attachment behavior, and more.
The Activity tab displays a flow diagram that shows how the agent arrived at its decision, including all intermediate steps and outcomes. This behind-the-scenes process covers everything from text and URL analysis to sandbox evaluation of attachments. And it all happens autonomously, without human intervention or scripting.
Feedback loop
If an analyst disagrees with the agentâs verdict, they can simply reclassify the submission and leave feedback in natural language. No special syntax or training is required. The agent learns from this input and uses it to refine future decisions, continuously improving its accuracy and alignment. Over time, the agent becomes a true extension of the team. It not only reduces manual effort but also adapts to the organizationâs unique environment and the evolving threat landscape it defends against.
Visualized performance
The agentâs performance is tracked in a dedicated dashboard that gives analysts real-time visibility into its impact. It displays the number of incidents handled, mean time to triage (MTTT), and a breakdown of false positives versus true positives over time. This always-on view helps security teams quantify efficiency gains, monitor accuracy, and build confidence in the agentâs ongoing performance.
Responsible AI by default
The Phishing Triage Agent, like all Microsoft Security Copilot agents, adheres to Microsoftâs Responsible AI principles. This includes built-in guardrails for fairness, transparency, security, privacy, and accountability.
Administrators configure the agentâs identity and permissions based on least privilege access, maintaining strict control over what data it can access, how much capacity it consumes, and which actions it is authorized to take. Operating within a Zero Trust framework, the agentâs every action is evaluated against organizational policies before execution. This approach ensures that AI-powered capabilities enhance the SOC without compromising enterprise trust, compliance, or control.
Supercharged SOC efficiency
The Phishing Triage Agent is the first in a new generation of agents designed to bring autonomous intelligence to security operations. By eliminating repetitive, reactive tasks and continuously learning from feedback, it allows teams to focus on what matters mostâinvestigating real threats and strengthening their overall security posture. This marks a leap forward into a more efficient, adaptive era for the SOC.
Organizations that meet the prerequisites can now get started by joining the Phishing Triage Agent Public Preview, available through a trial directly in the Microsoft Defender portal. To learn more, visit the product page for details on how it works, and the Adoption Hub for broader guidance on Security Copilot agents.
Looking to improve response times and support your team more effectively? Sign up to access âWhat generative AI can do for your SOCâ today or read more about Microsoft AI-powered unified security operations.
Sunsetting Circle: Where CSA Communities Are Headed | CSA
CSA is moving toward a more streamlined community experience for joining working groups, connecting with local chapters, and engaging with training communities.
Wave of 150 crypto-draining extensions hits Firefox add-on store
A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
SonicWall finds no SSLVPN zero-day, links ransomware attacks to 2024 flaw
SonicWall says that recent Akira ransomware attacks exploiting Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability rather than a zero-day flaw.
[tl;dr sec] #291 - Build a GuardDuty Triage Agent, Scaling Netflix's Threat Detection Pipelines, Claude for Security Review
How to build an AI agent that triages GuardDuty alerts, lessons learned scaling Netflix's detection pipelines, Anthropic releases a slash command and GitHub Action for performing secure code review
Google Among Victims in Ongoing Salesforce Data Theft Campaign
Google confirms it was among the victims of an ongoing data theft campaign targeting Salesforce instances, where publicly available business names and contact details were retrieved by the threat actor
.jpeg?width=350&height=&ar=16:9&mode=crop&format=avif&dpr=2)
.jpeg?width=350&height=&ar=16:9&mode=crop&format=avif&dpr=2)
![[tl;dr sec] #291 - Build a GuardDuty Triage Agent, Scaling Netflix's Threat Detection Pipelines, Claude for Security Review](https://rdl.ink/render/https%3A%2F%2Fbeehiiv-images-production.s3.amazonaws.com%2Fuploads%2Fpublication%2Fthumbnail%2F080a561f-2435-4477-a549-ab9f115e047c%2Flandscape_Screenshot_2024-11-21_at_10.48.21_AM.png?width=350&height=&ar=16:9&mode=crop&format=avif&dpr=2)
