What is Microsoft Agent 365, really?

Most folks I talk to think agents are just Copilot with extra steps. They’re not.

A Copilot prompt is a single user, asking a single question, in a single session. An agent keeps running. It has tools, it has access, it makes decisions, and it does all of that whether you’re watching or not.

Agents don’t sleep. They also don’t ask permission.

That’s the part nobody seems ready for. Last year your tenant had users. This year it has users and agents. Some you bought, some your developers built, some your staff spun up in Copilot Studio over the weekend and forgot about.

So here’s the question I keep asking MSPs: do you actually know how many agents are running in your client’s tenant right now? If the answer is “probably some”, that’s not governance. That’s hope.

Microsoft Agent 365 is the control plane for agents. That’s it. It’s not a new agent. It’s not a new Copilot. It’s the place you go to see every agent in the tenant, decide what each one is allowed to do, and shut down the ones that shouldn’t be there.

Think of it like the Microsoft 365 admin centre, but for non-human accounts. The agents your team built. The agents your vendors sold you. The agent embedded inside that SaaS app marketing signed up for last quarter. All of them, in one registry, with one set of policies.

It went generally available on 1 May 2026 at USD$15 per user per month, and it pulls Microsoft Entra Agent ID(opens in new window), Microsoft Purview, and Microsoft Defender into a single agent lifecycle story. The official overview lives on Microsoft Learn(opens in new window).

Notice what’s missing? You. The user. Agent 365 isn’t an end-user tool. It’s for admins, MSPs, and security folks. It’s the dashboard your clients don’t see — and the one that keeps them out of trouble.

Step-by-Step: Finding the agents already in your tenant

The first thing I’d do in any tenant is just look. You’ll be surprised.

Sign in to the Microsoft 365 admin centre

Go to admin.microsoft.com as a Global Admin or AI Administrator.

Open the Agents workload

In the left navigation, expand Agents and select Overview. That’s the Agent 365 dashboard. If the tenant has a qualifying licence, you’ll see Agent 365 branding. If it doesn’t, you still get the baseline agent management view.

Review the registry

Select All agents. This lists every agent the tenant knows about — Copilot Studio agents, declarative agents, SharePoint agents, third-party agents, and anything registered via the new Agent 365 API. Each one shows its owner, source, and current status. The admin centre docs(opens in new window) walk through the columns.

Hunt for ownerless agents

Filter by owner. Anything marked ownerless is a red flag — that’s an agent doing things in the tenant with no human accountable for it. Assign an owner or block it. Don’t leave it.

Apply a policy

From an agent card, set access policies — who can run it, what data it can touch, whether it needs review before it publishes. Use the policy templates rather than rolling your own.

Before Agent 365, the question was “what agents are we using?” After Agent 365, the question is “what agents are we allowing?” Different question, different answer.

Why this actually changes the game

Here’s the real win. Agents inherit risk in a way users don’t. A user clicks a phishing link and one mailbox is compromised. An agent with delegated access and a bad prompt can touch SharePoint, send mail, and rewrite records — at machine speed, across hundreds of users — before anyone notices.

That’s why Agent 365 leans on Entra Agent ID to give every agent a first-class identity. No more agents hiding behind a generic service account. Each one shows up in sign-in logs, audit logs, Conditional Access, and Defender. You can revoke an agent the same way you’d revoke a user.

That’s not a feature. That’s a fundamental shift in how you secure a tenant.

My recommendation?

If you’re an MSP, start the conversation with your clients this quarter. Open the admin centre. Show them the agent list. Most of them have no idea what’s in there, and the longer they don’t know, the bigger the eventual cleanup.

If you’re not showing your clients this, somebody else will — and they’ll be the ones writing the agent governance policy on your client’s tenant.

Agent 365 isn’t there to add another dashboard to your day. It’s there to stop the shadow AI mess before it starts.

The Lie Your Planning Workbook Tells You

I’ve watched people spend a year getting ready to start something. New service line, new niche, new offer to clients. Workbooks filled out. Whiteboard sessions. A document called “strategy v7” sitting in OneDrive. Twelve months in, nothing has shipped. No client has been pitched. No post has gone live. And the strangest part is they don’t feel lazy — they feel busy. That’s the trap. The feeling of preparing is almost identical to the feeling of progress, and you can run on that feeling for a very long time before you notice the bank balance hasn’t moved.

Why preparation feels like the work

Preparing is comfortable because it’s measurable in ways that don’t expose you. You can finish a chapter of a workbook. You can refine a niche statement for the eleventh time. You can sit through another planning session in Teams and walk away feeling like the day mattered. Nobody pushes back. Nobody says no. There’s no awkward silence on a call, no email that doesn’t get replied to, no proposal that gets ghosted. It’s all upside, no risk, and it produces just enough output — notes, frameworks, lists — to convince you that you’re moving forward.

The honest test is simple. After all that preparing, can a stranger pay you for it? If the answer is no, you haven’t built anything yet. You’ve built a feeling.

What actually moves the needle

The thing that breaks this loop is uncomfortable, and it always looks the same: do the scary version of the work while it’s still scary. Send the email to the prospect before the offer is perfect. Post on LinkedIn before the niche is fully refined. Quote the client before you’ve memorised every line of the service catalogue. Real signal only comes from real exposure — somebody’s response, or the silence where a response should have been.

This is where Copilot quietly takes the excuse away. You don’t need another month of preparation to draft a cold outreach email — open Copilot in Outlook, give it the rough idea, and you’ve got a working draft in under a minute. You don’t need a workbook to scope a new managed service offer — Copilot in Word can spin up a first-pass outline from a few bullet points. The friction that used to justify months of “getting ready” has mostly been removed. What’s left is the only thing that ever actually mattered: the willingness to put it in front of someone real.

Doing it scared

I’d rather work with someone who has sent ten ugly proposals than someone who has perfected their elevator pitch in a Loop document for half a year. The ugly ten teach you something the workbook never will — what people actually push back on, what they don’t care about, what they’re willing to pay for. You can fold all of that back into a Planner board the next morning and refine in public, while the work is live, instead of refining in private while nothing exists.

The quiet cost

The cost of staying in preparation isn’t just lost revenue. It’s the slow erosion of belief that you’ll ever ship at all. Every month you spend tidying the runway is a month the plane doesn’t take off, and the longer it sits there the heavier it feels to move. The fix isn’t more clarity. It’s a smaller, scarier version of the thing — done today, in public, with whatever you’ve got.

Intune compliance policies + Conditional Access integration

Most people I speak to think the work of locking down devices in Microsoft 365 is creating the Intune compliance policy. They tick the boxes — BitLocker on, minimum OS, no jailbreaks — hit Save, and walk away feeling secure.

They aren’t.

A compliance policy on its own does precisely nothing to a sign-in. It’s a label. Intune looks at a device, decides “compliant” or “not compliant”, and writes that state back to Entra ID. That’s it. Nothing is blocked. Nothing is challenged. The policy is information, not enforcement.

The enforcement lives somewhere else entirely. It lives in Conditional Access.

If you’re not wiring those two things together, you’ve done half a job. And the half you skipped is the half that actually protects the tenant.

What is an Intune compliance policy, really?

Think of a compliance policy as a health check that runs on the device and ships the verdict back to your tenant. Encrypted? Patched? Joined to your tenant? Defender running? Out comes a true/false, and Entra ID writes it onto the device record.

That verdict is now available as a signal. Anything that can read Entra signals — and Conditional Access is the big one — can use it to make access decisions.

So the compliance policy is the sensor. Conditional Access is the gate. You need both, or you have neither.

Step-by-Step: wiring compliance to Conditional Access

Portal only. No PowerShell. This is what I do on every Business Premium tenant I touch.

Fix the tenant default first

Open the Intune admin center, go to Devices > Compliance > Compliance policy settings.

Find the setting Mark devices with no compliance policy assigned as. It ships set to Compliant.

Change it to Not compliant. Save.

That one setting is the difference between “any device in my tenant counts as good” and “a device has to earn it”. You’d be amazed how many tenants I audit where this is still on the default.

Build the compliance policy

Same portal. Devices > Compliance > Policies > Create policy. Pick Windows 10 and later (start there — do iOS and Android next).

Use the settings catalog options to set sensible rules — require BitLocker, a minimum Windows build, Defender real-time protection on, Defender signatures up to date. Don’t try to be heroic on day one. Set what you can defend with a straight face. Microsoft’s own walkthrough is the canonical reference.

In Actions for noncompliance, do not leave the default of “Mark device noncompliant: 0 days”. Give yourself a grace window — 1 to 3 days — and add a Send email to end user action a day earlier. People deserve a heads-up before they’re locked out of email.

Assign to a pilot user group. Not all users. A pilot group.

Build the Conditional Access policy

Now flip over to the Entra admin center: Entra ID > Conditional Access > Policies > New policy.

Users: include your pilot group. Exclude your break-glass account. Always.

Target resources: All resources.

Grant: Require device to be marked as compliant. Save.

And here’s the critical bit — set Enable policy to Report-only. Not On. Report-only.

Users:       Pilot group
Exclude:     Break-glass account
Resources:   All resources
Grant:       Require device to be marked as compliant
Enable:      Report-only

Notice what’s missing? MFA. That belongs in a separate policy. One policy, one job. Stack them, don’t fuse them.

Watch report-only for a week

Sign-in logs > Report-only tab. You’re looking for users who would have been blocked and shouldn’t have been — usually a missing enrollment, a personal device that needs the App Protection path instead, or a service account.

When the report-only data is clean, flip the toggle to On. Microsoft’s compliant-device CA template walks the same path.

Why this actually changes behaviour

“But MFA is already on. Isn’t that enough?”

It isn’t. MFA proves the user. Compliance + CA proves the device. Token theft doesn’t care about your MFA prompt — it cares whether the device the token landed on is one you trust. This is the bit MFA-only tenants are missing.

It also collapses three messy conversations down to one. “Is this laptop ours? Is it patched? Is it encrypted?” All of it rolls into one signal — compliant, or not. Conditional Access reads that one signal and decides. No more inventory spreadsheets. No more guessing.

And if you’re an MSP, this is the most defensible artefact you can show a client during an incident. The device was non-compliant. Access was blocked. That’s a finished sentence.

A compliance policy isn’t there to make a list of bad devices. It’s there to make sure they never sign in.

Why Being Small Is Your Real Advantage With AI

I had a conversation last week with the owner of a twelve-person business who spent the first ten minutes telling me how far behind they were. The big firms in their industry have AI strategies, AI committees, AI roadmaps. He didn’t have any of that. He thought it was a problem.

I told him it was the opposite. The thing he saw as a weakness — being small — is actually the only real advantage he has right now. And he was wasting it by feeling sheepish about it.

The giants are not as far ahead as they look

When you read the announcements from large enterprises about their AI programs, it sounds impressive. The reality on the ground is messier. Inside those organisations there are governance committees, procurement cycles, security reviews, change boards, and three different vendors pitching competing platforms. By the time they finish arguing about which group owns the rollout, eighteen months have gone past.

A small business doesn’t carry that weight. There is no internal committee. There is the owner, the team, and the work. That’s it. Decisions get made on a Tuesday afternoon and acted on by Wednesday morning.

You can turn Copilot on this week

This is where the gap becomes obvious. A small business can switch on Microsoft 365 Copilot for ten people on a Monday and by Friday have someone using it inside Outlook to triage their inbox before lunch, someone else using it in Excel to clean up a messy supplier list that’s been sitting there for two years, and another person catching up on a Teams meeting they missed without watching the recording. None of that requires a steering group. It requires a licence, half an hour of curiosity, and a willingness to have a go.

The big firm down the road is still drafting their pilot scope document. You’re already past the awkward learning phase and into actual benefit.

Pivoting is cheap when there’s nothing in the way

The other thing being small lets you do is change your mind. When a better way of doing something comes along — a new agent in Copilot Studio that automates an approval, a Power Automate flow that handles client onboarding, a smarter way to use SharePoint as a knowledge base — you can swap it in without unwinding a tangle of legacy processes. There’s no 200-page change management plan. There’s a conversation, a test on Thursday, and a rollout next week if it works.

Bigger organisations can’t move like that. Every change touches another change, which touches a third. There’s a process owner who needs to be consulted, a training team that needs to be briefed, an integration that needs to be re-tested. The cost of pivoting goes up sharply the larger you get. For you, that cost is almost nothing — and you should be spending it freely.

Stop trying to look like them

The mistake I see SMB owners making is trying to copy the way big businesses adopt technology. They want a strategy document, a steering committee, a phased rollout plan. They think that’s what serious looks like.

It isn’t. That’s what slow looks like.

Serious, for a small business, is being three steps ahead because you didn’t waste six months talking about it. The bigger players will catch up eventually — they always do. Your job between now and then is to use the head start, not apologise for it. Get Copilot in front of your team, let them break things, and bank the lead while you’ve got it.

Restricted SharePoint Search Is Not the Fix You Think It Is

Most people’s first reaction to Copilot and SharePoint goes something like this: “Wait — Copilot can see all of that?”

Then they panic. Then they Google. Then they find Restricted SharePoint Search and flip it on like it’s a fire extinguisher.

I get it. The instinct is right — you should care about what Copilot can reach. But RSS isn’t a security control. It’s a stalling tactic. And if you leave it on too long, it’ll cause more problems than the one you were trying to solve.

What is Restricted SharePoint Search, really?

RSS lets a SharePoint admin maintain an allowed list of up to 100 SharePoint sites. Only those sites show up in organisation-wide search results and Copilot chat responses.

That’s it. It doesn’t change a single permission on a single site. It doesn’t block anyone from accessing anything. It just hides sites from search and Copilot — unless the user has recently visited the site, or it was shared with them in Teams or Outlook. In which case, it shows up anyway.

That’s not a security boundary. That’s a curtain.

Microsoft’s own documentation on RSS says it plainly: this is designed as a short-term solution while you audit permissions and apply proper governance. It’s not meant to stay on.

Step-by-step: Setting up RSS the right way

If you’re going to use RSS — and there are situations where it makes sense — do it in this order.

Audit your active sites first

Open the SharePoint admin centre > Active sites. Filter by activity in the last 30 days. Customise columns to show page views, file counts, and last activity. Export the list to CSV. This is your starting inventory — the sites people actually use.

Review permissions on each candidate site

For every site you’re considering for the allowed list, open its details and check the Permissions tab. Look for “Everyone except external users” or company-wide groups. Those are the oversharing patterns you’re really worried about.

Enable RSS and build the allowed list

RSS is managed through PowerShell — there’s no toggle in the admin centre GUI for this one.

Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://contoso.sharepoint.com/sites/intranet","https://contoso.sharepoint.com/sites/hr")

Notice what’s missing? A portal button. That’s deliberate. Microsoft wants friction here because they don’t want you to leave this on.

Plan your exit from day one

Before you enable RSS, set a calendar reminder for 30 days out. That’s your deadline to fix the permissions that made you turn it on in the first place — and then turn it off.

When RSS backfires

Here’s where most people get into trouble. They enable RSS, breathe a sigh of relief, and forget about it. Months later, three things have gone wrong:

Search breaks for everyone. RSS doesn’t just limit Copilot — it limits all organisation-wide search. Your finance team can’t find the policy site. Your HR team can’t find the onboarding hub. Nobody told them you turned this on, so they log a ticket blaming SharePoint.

Copilot gets dumber. With only 100 sites to draw from, Copilot has less information to reference. Answers get vague. Users lose trust. You’ve just paid for Copilot licences and then blindfolded the thing.

False confidence sets in. The admin thinks the problem is solved. It isn’t. RSS doesn’t stop Copilot from surfacing content a user has already accessed. If someone opened that sensitive spreadsheet last week, Copilot can still reference it — allowed list or not.

The actual fix: permissions, not curtains

RSS buys you time. Use it. But spend that time on the thing that actually matters: fixing your SharePoint permissions.

Start with Data Access Governance reports in SharePoint Advanced Management. These reports show you exactly which sites have broad sharing, “Everyone” links, or sensitivity labels missing. That’s your real oversharing map.

Then work through it site by site. Remove company-wide sharing links. Tighten group memberships. Apply sensitivity labels where they belong. This is the work that actually makes Copilot safe — not hiding sites from search and hoping for the best.

Once permissions are clean, disable RSS. Let Copilot use the full breadth of your tenant. That’s how you get value from it.

“We turned on RSS six months ago and Copilot still isn’t helpful.”

That’s not a Copilot problem. That’s an RSS problem.

My recommendation?

Use RSS if you’re deploying Copilot to a tenant you haven’t audited yet and you need breathing room. Thirty days. Not six months. Not “until we get to it.”

Set the allowed list. Fix the permissions behind the scenes. Then take the training wheels off.

If you’re an MSP and you’re not walking clients through this sequence — temporary RSS, permission remediation, RSS removal — you’re either leaving them exposed or leaving them hobbled. Neither looks good at renewal time.

RSS isn’t there to protect your tenant. It’s there to give you a window to actually protect your tenant. Don’t confuse the window with the wall.

Trust Now Happens Before Contact

Here’s the uncomfortable truth:

By the time a prospect contacts you, the decision is often already made.

They’ve read your blog posts.
They’ve watched your videos.
They’ve scanned your LinkedIn.
They’ve compared you to three other MSPs.

They’re not calling to be convinced.
They’re calling to validate a choice.

That’s why trust has moved upstream — before the sales conversation even starts.

And that’s why we replaced the old model with something radically simpler:

Content → Offer Doc → Decision

No calls.
No chasing.
No closing.

Content Does the Heavy Lifting

Your content is now your best salesperson.

Not polished marketing fluff — real, opinionated, practical content that shows how you think.

Content that answers:

Who this is for
Who it is not for
What problems you actually solve
What you believe about IT, security, risk, and responsibility

When done properly, content pre‑qualifies better than any discovery call ever could.

Bad‑fit prospects self‑select out.
Good‑fit prospects lean in.

That alone removes enormous friction from your pipeline.

The Offer Doc Replaces the Sales Call

Instead of “let’s book a call”, we give prospects an offer document.

Not a proposal.
Not a quote.
An offer.

It clearly spells out:

The problem we solve
The outcome we deliver
Exactly what’s included
Exactly what it costs
Exactly how to say yes

No mystery. No theatre. No “we’ll tailor it after the call”.

If someone needs a call to understand the offer, the offer isn’t clear enough.

Decision Without Pressure

This is the part most MSPs struggle with.

Letting the prospect decide — without pressure.

But when trust is built upstream, and the offer is clear, the decision becomes simple.

They either want it or they don’t.

And that’s a good thing.

Because the clients who say yes without being chased are the same clients who:

Respect boundaries
Value your expertise
Pay on time
Stay longer

What This Means for MSPs

This isn’t about “anti‑sales”.

It’s about modern sales.

Sales that respects how buyers actually behave today.
Sales that removes friction instead of adding it.
Sales that attracts adults who can make decisions.

If your growth still depends on more calls, more follow‑ups, and more convincing — you’re fighting the market.

The MSPs who win next won’t close harder.

They’ll clarify better.

And they’ll let trust do the work.

What Copilot Chat Developer Mode Actually Shows You

I spent a solid hour last month watching a declarative agent ignore an API plugin I’d wired up. The instructions were clear, the manifest looked right, the OpenAPI spec was valid. Every prompt came back with a confident answer that had nothing to do with my data. Copilot was making things up rather than calling my endpoint, and I had no idea why.

Then I typed -developer on into Copilot Chat, and the mystery evaporated in about thirty seconds.

Seeing the Orchestrator Think

Developer mode is a built-in debugging tool in Microsoft 365 Copilot Chat. Type that command and every response from your agent comes back with a debug card — a detailed breakdown of what the orchestrator did behind the scenes to produce its answer.

The card shows three things that matter. First, agent metadata and capabilities: which knowledge sources are active, whether web search is enabled, and the identifiers you need for tracking a specific conversation. Second, function matching: did the orchestrator consider your API plugin’s functions relevant to the user’s prompt? Third, execution details: if a function was selected, what HTTP request did Copilot actually send, what response came back, and how long did it take?

That last section is where most of the debugging value lives. You can see the endpoint that was called, the request headers with auth tokens redacted, and the full response body. When something fails, you’re reading the receipt — not guessing.

The Problem It Actually Solves

Before developer mode, troubleshooting a misbehaving agent in Copilot meant staring at manifest files trying to work out what went sideways. Your agent returned a wrong answer and you couldn’t tell where the chain broke. Was the orchestrator not matching your function? Matching but failing on auth? Getting bad data back from the API? The orchestration layer was a black box.

Now you see exactly where it breaks. In my case, the debug card showed “No matched functions” — meaning the orchestrator never even considered calling my API. The problem wasn’t auth or endpoints or response formatting. It was my description_for_model field. The description said “Returns project data” but my prompt asked “What’s the status of the Henderson build?” The orchestrator couldn’t bridge that semantic gap.

I rewrote the description to cover the ways people actually ask about project status, and the next prompt hit the API cleanly.

Where It Fits in Your Workflow

Developer mode works directly in the browser. Open Copilot Chat, select your agent, type -developer on, and start testing prompts. If you’re using the Microsoft 365 Agents Toolkit in Visual Studio Code, press F5 to launch your agent and the same command activates in the chat window. The debug panel in the toolkit gives you a matching view with downloadable diagnostic logs.

A couple of patterns worth knowing: when the debug card shows “No functions selected for execution,” your function descriptions likely aren’t semantically close enough to the prompt. When it shows a function was selected but execution failed, the HTTP status code in the card usually tells you what went wrong — a 401 means your OAuth registration doesn’t match, a timeout means your API needs to respond faster.

What I’m Watching

Microsoft keeps expanding what the debug card reveals, and the Quick Copy feature now lets you export the full debugging JSON to share with a colleague or attach to a support ticket. For anyone building agents that connect to external APIs through Copilot, this is the single most useful diagnostic tool in the stack. It turns “something’s broken” into “here’s exactly what happened, and here’s why.”

If you haven’t typed -developer on yet, start there.

Microsoft Learn — Test and debug agents using Developer Mode https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/debugging-agents-copilot-studio(opens in new window) The primary documentation page. Covers enabling/disabling developer mode, the debug info card fields, troubleshooting common failures, and how to report issues.
Microsoft Learn — Test and debug agents in Microsoft 365 Agents Toolkit using developer mode https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/debugging-agents-vscode(opens in new window) Focuses on using developer mode alongside the Agents Toolkit in VS Code (F5 launch, debug panel, diagnostic logs).
Microsoft 365 Developer Blog — Introducing the agent debugging experience in Microsoft 365 Copilot (April 9, 2025) https://devblogs.microsoft.com/microsoft365dev/introducing-the-agent-debugging-experience-in-microsoft-365-copilot/(opens in new window) The GA announcement post by Carol Mbasinge Kigoonya. Covers new features including agent configuration insights, execution monitoring, latency tracking, and Quick Copy Debugging JSON.
Microsoft 365 Roadmap — Feature ID 474450 https://www.microsoft.com/microsoft-365/roadmap?featureid=474450(opens in new window) The original roadmap entry for Copilot Chat developer mode, listed as GA from January 2025.
Microsoft Learn — Set up your development environment for Microsoft 365 Copilot https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/prerequisites(opens in new window) Broader context on the Copilot development environment, licensing, and extensibility options that developer mode supports.

CIA Brief 20260530

Introducing Microsoft 365 Business with Copilot: The new standard for small business(opens in new window) Microsoft is launching two new small-business SKUs on 1 July — Business Standard with Copilot and Business Premium with Copilot — with Copilot built directly into Word, Excel, PowerPoint and Outlook. They add 1,000+ connectors (Shopify, Xero, Docusign and more), “Work IQ” business context, and access to OpenAI and Anthropic models. Built-in security controls like sensitivity labels and access revocation ensure Copilot only surfaces what each user is permitted to see.
Introducing a new design for Microsoft 365 Copilot(opens in new window) Microsoft has redesigned the Copilot experience across Microsoft 365, turning the prompt line into a task-aware workspace with a single consistent entry point across apps and a progressive-disclosure interface. Performance improved with load times cut by more than half and complex prompts answering ~10% faster, alongside new agentic modes (Designer, Researcher, and in-app Word/Excel/PowerPoint agents). Microsoft reported usage gains of Word +27%, Excel +33%, PowerPoint +43% and Outlook +30%.

Security / Industry News

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor(opens in new window) Microsoft Threat Intelligence analysed “The Gentlemen,” a ransomware-as-a-service threat (operators tracked as Storm-2697) written in Go that uses per-file Curve25519 + XChaCha20 encryption and spreads aggressively through lateral movement. It employs double extortion, disables Microsoft Defender, and deletes shadow copies and logs to hinder recovery. Activity has been observed globally across education, transport, healthcare and finance sectors.

After hours

Mark Rober’s $60 Million Science Experiment – https://www.youtube.com/watch?v=RDFGkBE2O50

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week