This article summarises the key product updates from our vendor partners for May 2026. Updates span Microsoft Defender baseline enhancements, AI-driven security investigation, role-based security awareness training, email DMARC pricing changes, and important NinjaOne compliance deadlines.
Octiga: Microsoft 365 Security Baselines
New Baseline

Safe Attachments Baseline

Octiga has introduced a new Safe Attachments baseline as the next layer in the ongoing Defender baseline rollout. Every email attachment is now opened in a sandbox environment before delivery, catching zero-day threats that traditional signature-based detection misses.

This follows the previously released inbound email filtering baseline and the overall Defender posture baseline, completing another key layer of protection for your clients' Microsoft 365 environments.

  • What it does: Detonates attachments in a sandbox before they reach the user's inbox.
  • Why it matters: Even if a malicious file bypasses filters, it won't reach the end user.
  • What's next: Octiga continues to build out additional Defender baselines to close remaining security gaps.
Guardz: Identity Security & Platform API
New

Public REST API (v1)

Guardz has launched its Public REST API (v1), enabling MSP partners to integrate Guardz data directly into PSA tools, custom BI dashboards, and automated workflows.

What's included in v1 (read endpoints):

  • Usage & Tenants: Track licence consumption and manage customer accounts.
  • Users & Devices: Access full inventory and status across your portfolio.
  • Issues & Incidents: Monitor threats and filter by severity or type for external reporting or ticketing.

Getting started: Navigate to Organisation Settings → API Keys → Create Key. Refer to the Guardz documentation to begin building.


New

Autonomous Incident Investigation

Guardz has significantly upgraded its Identity Threat Detection and Response (ITDR) capability with an autonomous, AI-driven investigation flow. Rather than static alerts, the platform now actively reasons through security events and surfaces transparent, evidence-backed conclusions.

New incident experience features:

  • Investigation Steps & Reasoning: A full breakdown of the automated investigation, including evidence and logic used at every stage.
  • Investigation Agent: A real-time, chat-based assistant to answer follow-up questions about specific incidents (top-right of the incident view).
  • User-Reported Phishing (M365): M365 users can now report suspicious emails directly. The autonomous analyst triggers a rescan and, if the email is confirmed malicious, automatically removes the threat from all affected inboxes.
  • Consolidated Action Centre: A centralised hub for all recommended follow-up actions.
  • Organisational Entities & IOCs: Dedicated views to aggregate related users, devices, and indicators of compromise involved in a threat.

New Feature

Revoke Sessions

A new Revoke Sessions response action provides a surgical way to secure compromised identities without fully suspending an account.

  • What it does: Instantly invalidates all active session tokens for a user, logging them out of all devices and requiring immediate re-authentication.
  • Why it's better: Stops active threats without disrupting the user for long — legitimate users can log back in immediately.
  • Where to find it: Available via the Action Centre within Incidents.
  • MDR note: MDR analysts are pre-approved for this action by default. Customers can change this to Approval Required under Security Controls → MDR → MDR Services Configuration.
MPaware: Security Awareness Training
New

Role-Based Training Series

MPaware has launched a new Role-Based Training Series — a highly requested enhancement from the partner community. Rather than generic awareness content, training is now aligned to employees' real-world job responsibilities, improving relevance, engagement, and knowledge retention.

Benefits of role-based training:

  • Improved engagement and training completion rates.
  • More targeted learning experiences based on what employees actually do day-to-day.
  • Stronger security awareness with measurable behaviour change outcomes.

How to access: Courses are fully integrated into the Enterprise Breach Prevention & Productivity (EBPP) platform. Employees access role-specific courses via the Training Library.

⚠️ Availability timeline: Courses are available to partners now via the EBPP service model. Client availability begins 2 June 2026. Additional rollout details will be communicated soon.
Check Point Avanan: Email DMARC Pricing Change
Pricing Change

Email DMARC: New Per-Customer Pricing Model — Effective 1 July 2026

Check Point Email DMARC (formerly Harmony Email DMARC) is transitioning from a per-user model to a per-customer, volume-based model effective 1 July 2026.

How the new model works:

  • Each customer is billed in blocks of 100,000 sent/received emails per month.
  • Under 100,000 emails/month = 1 unit/licence.
  • 100,000–200,000 emails/month = 2 units, and so on.
  • New unit price: $14.93 per unit/block.
✅ No action required. This change will be applied automatically from 1 July 2026. No configuration changes are needed from you or your customers.

For questions about how this affects specific clients, contact your Manage Protect account manager.

NinjaOne: SaaS Backup — June Deadlines & New Features
Action Required

Two June Enforcement Deadlines

This is the final monthly reminder before two security requirements become mandatory in June. Complete both now to avoid disruption for end users.

  • Default Retention Policy: Users are currently prompted (optional) in the end-user portal to set a default retention policy. In June, this becomes mandatory to access the portal. Set this up across all organisations this month.
  • MFA Enforcement: MFA prompts now appear on the login page — users can still skip today, but June is when enforcement takes effect. Enable MFA and verify that all users can complete MFA setup before the deadline.

New Feature

Entra Backup Event Email Notifications

You can now configure email notifications for Entra Backup events directly from the NinjaOne SaaS Backup Partner Portal. Supported notification events include:

  • Restore initiation
  • Backup or restore errors
  • System reauthentication required

Enhancement

Shared Drive in Advanced Search

NinjaOne SaaS Backup's advanced search now extends to Shared Drives, providing more complete search results than the basic dashboard search. Previously, Shared Drive items were excluded from advanced search results.


Bug Fixes

  • Resolved an issue preventing IT Admins from retrieving all entities within their authorised scope when searching from the dashboard.
  • Improved the error message shown when Microsoft Entra authentication fails due to a conditional access policy — it now clearly explains the cause and the steps to resolve it.