Mid-week Signal Roundup — 16 May 2026

A short mid-week roundup with three items: Microsoft's AI-assisted synthetic attack log generation for detection engineering, the Exchange Server SE May hotfix that begins the EWS-to-Graph migration for hybrid rich coexistence, and Microsoft's defence-in-depth guidance for autonomous AI agents.

Microsoft details AI-assisted synthetic attack log generation for detection engineering

Microsoft's Defender research team published a technical write-up describing a pipeline that translates MITRE ATT&CK tactics, techniques, and procedures into structured synthetic telemetry — process trees, command lines, parent-child relationships, and the like — without exposing real customer data. The stated goal is to shorten detection rule creation and validation from weeks to hours, particularly for rare or emerging attack patterns where real-world telemetry is scarce. Public preview is expected in June 2026; for teams running Sentinel-based detection content, it's worth watching as a way to build and regression-test KQL analytics against repeatable, shareable data.

Source: Microsoft Security Blog
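As an added illustration of the idea (not Microsoft's pipeline, schema or code), the Python sketch below turns a constructed technique chain into synthetic process-creation telemetry with benign noise interleaved, then regression-tests a parent-child detection rule against both the positive and the benign-only data set. All process names, command lines and pids are constructed sample values.

```python
import random
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int        # seconds into the synthetic session
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str


# Constructed technique spec (hypothetical, not Microsoft's schema): an ordered
# chain of (image, command line) where each step is spawned by the previous one.
OFFICE_TO_SCRIPT = [
    ("winword.exe", "winword.exe /n report.docx"),
    ("powershell.exe", "powershell.exe -w hidden -c <placeholder>"),
]

# Constructed benign activity: used as noise and as the false-positive set.
BENIGN = [
    ("chrome.exe", "chrome.exe --profile-directory=Default"),
    ("powershell.exe", "powershell.exe -c Get-Service"),  # admin use, parent is explorer
    ("conhost.exe", "conhost.exe 0x4"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def synthesize(chain, seed=0, benign=BENIGN):
    """Build a process tree: the chain hangs off a synthetic explorer.exe
    (pid 1000), then benign children of explorer.exe are appended. A seeded
    RNG keeps the telemetry repeatable, so it can be shared and re-run."""
    rng = random.Random(seed)
    events = [ProcEvent(0, 1000, 4, "explorer.exe", "explorer.exe")]
    ppid, pid, t = 1000, 1001, 0
    for image, cmd in chain:
        t += rng.randint(1, 30)
        events.append(ProcEvent(t, pid, ppid, image, cmd))
        ppid, pid = pid, pid + 1        # next step is a child of this one
    for image, cmd in benign:
        t += rng.randint(1, 30)
        events.append(ProcEvent(t, pid, 1000, image, cmd))
        pid += 1
    return sorted(events, key=lambda e: e.ts)


def detect_office_spawns_script(events):
    """Rule under test: a scripting host whose parent is an Office app.
    Returns the pids of the offending child processes."""
    image_by_pid = {e.pid: e.image for e in events}
    return [e.pid for e in events
            if e.image in SCRIPT_HOSTS and image_by_pid.get(e.ppid) in OFFICE]


def regression(rule, chain, seed=0):
    """True when the rule fires on telemetry containing the chain and stays
    silent on the benign-only telemetry (true positive and no false positive)."""
    return bool(rule(synthesize(chain, seed))) and not rule(synthesize([], seed))
```

Swapping in a KQL query run over the same events exported as a table gives the Sentinel-side equivalent of `regression()`.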

Exchange Server SE May 2026 hotfix begins the EWS-to-Graph migration for hybrid rich coexistence

The May 2026 hotfix for Exchange Server Subscription Edition adds Microsoft Graph support for hybrid "rich coexistence" features — free/busy, MailTips, and profile photos — which currently rely on Exchange Web Services. Microsoft is requiring hybrid customers to install the hotfix and switch to Graph by October 2026, with a hard cutover no later than April 2027. The transition also requires moving the Exchange hybrid app to a more granular Graph permission model. Exchange 2016 and 2019 are out of support and will not receive a Graph-capable update — tenants still on those versions need an upgrade plan to Exchange Server SE or Exchange Online before the EWS deadline.

Source: Microsoft Tech Community — Exchange Team Blog

Microsoft publishes defence-in-depth guidance for autonomous AI agents

The Microsoft Security Blog laid out a practitioner-oriented model for securing autonomous AI agents across the Microsoft stack — using Entra Agent ID for identity, Defender for runtime controls and detections, and Purview for data boundaries and auditing. The framing is useful for tenants that have begun deploying agents built on Microsoft Foundry or Copilot Studio and need to apply the same controls they already use for service principals and workload identities. It is architecture guidance rather than a product release, but it consolidates the controls available today and signals where additional preview capabilities are being added.

Source: Microsoft Security Blog

Tags: defender-xdr exchange-online purview
