Top 5 Most Important New Security Controls in the CIS Microsoft 365 Benchmark v7

  • Writer: Kyle Cira
  • May 21
  • 3 min read

Top 5 new controls in the CIS M365 Benchmark v7

The CIS Microsoft 365 Benchmark continues to evolve alongside the threat landscape, and Version 7 introduces several important new controls that reflect where attackers—and Microsoft—are headed.


This release continues the trend of strengthening Microsoft 365 against modern identity attacks, AI-related data leakage, and automated threat containment.


Here are five of the most impactful additions organizations should be paying attention to.


1. Token Protection: Defending Against Session Hijacking

Control 5.2.2.16 — Ensure Token Protection is enforced for session tokens (Automated)


One of the more dangerous modern attack techniques is session token theft.

Attackers no longer need your password if they can steal your active session token.


This can happen through:

  • Sophisticated phishing attacks

  • Browser token theft malware

  • Remote access to a compromised workstation

  • Session hijacking tools


The attack works like this:

  1. A user successfully signs in

  2. Microsoft issues a session token

  3. The attacker steals that token

  4. The attacker imports it into their own browser

  5. The attacker resumes the victim’s authenticated session


No password needed. No MFA challenge. Just instant access.


This new control helps address that risk through Token Protection, which binds the Primary Refresh Token (PRT) to the device it was issued to.


That means even if the token is stolen, it becomes much harder—or impossible—for the attacker to replay it elsewhere.


Current supported workloads include:

  • Exchange Online

  • SharePoint Online

  • Microsoft Teams


This is a major step forward in defending against modern identity compromise.


2. Automated Investigation & Response (AIR): Faster Containment at Scale

Control 2.4.5 — Ensure 'AIR' remediation is enabled (Manual)


Speed matters during an incident.


If a malicious email lands in one inbox, the real question is:


How fast can you remove it from the other 500 inboxes before users click it?


Microsoft’s Automated Investigation & Response (AIR) helps solve that.


AIR can:

  • Detect malicious emails, files, and URLs

  • Look for similar artifacts across the environment

  • Automatically investigate related indicators

  • Remediate similar threats across the organization


Example: A phishing email reaches 300 users.


Without AIR:

  • Security manually investigates

  • Analysts search mailboxes

  • Responses take time

  • Users continue clicking


With AIR:

  • One detection can trigger automatic containment

  • Similar messages are removed organization-wide

  • Exposure windows shrink dramatically


This reduces:

  • User interaction with malicious content

  • Security team workload

  • Time to containment


Automation that meaningfully reduces risk? That’s a strong addition.


3. Copilot Data Loss Prevention (DLP): Security for the AI Era

Control 3.2.3 — Ensure DLP policies are published for Copilot users (Automated)


AI adoption introduces a new class of security concerns.


If your users have Microsoft Copilot access, sensitive data protection becomes even more important.


Without proper controls, users may unintentionally expose:

  • Personally identifiable information (PII)

  • Financial data

  • Internal confidential business data

  • Sensitive HR or legal content


This control ensures Data Loss Prevention (DLP) policies are extended to:

  • Microsoft Copilot

  • Copilot Chat


The goal is simple:

Prevent sensitive data from being surfaced, mishandled, or incorporated into AI interactions where it shouldn’t be.


As organizations adopt AI faster than governance can keep up, this is a timely and necessary addition.


4. Periodic Reauthentication: Reducing Credential Lifespan

Control 5.2.2.13 — Ensure that periodic reauthentication is required for all users (Automated)


Persistent sessions are convenient.


They’re also risky.


If credentials or tokens are compromised, long session lifetimes give attackers more time to operate undetected.


This control reduces that exposure by requiring users to sign in again at least every 7 days.


Benefits include:

  • Reducing the lifespan of stolen credentials

  • Limiting usefulness of stolen session tokens

  • Increasing the chances of detecting compromise sooner


Important note:

This applies to standard users.


Administrative users should already be governed by stricter controls under:

Control 5.2.2.4 — Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users


That benchmark recommendation remains significantly tighter: reauthentication every 4 hours for admins.
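As an added example (not from the post, from CIS or from Microsoft), a small Python checker that evaluates an exported set of Conditional Access policies, in the Microsoft Graph conditionalAccessPolicy shape, against the session controls from sections 1 and 4: token protection (5.2.2.16), the 7-day sign-in frequency for all users (5.2.2.13) and the 4-hour, non-persistent sessions for admins (5.2.2.4). The sample policies are constructed, the admin check is simplified to the Global Administrator role template only, and the property names assumed are the Graph API's, not text from the benchmark.

```python
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
SAMPLE_POLICIES = [  # constructed sample export; the admin policy is left report-only on purpose
    {"displayName": "CA - Token protection", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"secureSignInSession": {"isEnabled": True}}},
    {"displayName": "CA - Sign-in frequency (all users)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 7,
                                             "frequencyInterval": "timeBased"}}},
    {"displayName": "CA - Admin sessions", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 4,
                                             "frequencyInterval": "timeBased"},
                         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]

def _frequency_hours(policy):
    """Enforced sign-in frequency in hours, or None if the policy sets none."""
    sif = policy.get("sessionControls", {}).get("signInFrequency") or {}
    if not sif.get("isEnabled") or sif.get("frequencyInterval") != "timeBased":
        return None
    return sif["value"] * (24 if sif["type"] == "days" else 1)

def token_protection_enforced(policies):
    """5.2.2.16: an enabled (not report-only) policy covering all users enables secureSignInSession."""
    return any(p.get("state") == "enabled" and "All" in p["conditions"]["users"].get("includeUsers", [])
               and p.get("sessionControls", {}).get("secureSignInSession", {}).get("isEnabled")
               for p in policies)

def reauth_enforced(policies, max_hours, role_id=None):
    """5.2.2.13 (role_id=None: all users) or 5.2.2.4 (role_id: that admin role): an enabled
    policy caps the session at max_hours; admins must also set persistentBrowser to never."""
    for p in policies:
        users = p["conditions"]["users"]
        in_scope = ("All" in users.get("includeUsers", []) if role_id is None
                    else role_id in users.get("includeRoles", []))
        hours = _frequency_hours(p)
        # report-only policies enforce nothing, so they never satisfy a control
        if not (p.get("state") == "enabled" and in_scope and hours is not None and hours <= max_hours):
            continue
        browser = p.get("sessionControls", {}).get("persistentBrowser", {})
        if role_id is None or (browser.get("isEnabled") and browser.get("mode") == "never"):
            return True
    return False

def cis_session_findings(policies):
    """Map each benchmark control id to pass/fail for the given policy export."""
    return {"5.2.2.16": token_protection_enforced(policies),
            "5.2.2.13": reauth_enforced(policies, 7 * 24),
            "5.2.2.4": reauth_enforced(policies, 4, GLOBAL_ADMIN_ROLE)}
```

On the sample export the admin control fails even though its policy is configured correctly, because a report-only policy enforces nothing; flipping its state to enabled makes it pass.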


5. Disable Microsoft Authenticator Companion Applications

Control 5.2.3.10 — Ensure Microsoft Authenticator on companion applications is disabled (Automated)


This one may be less flashy, but it’s still important.

Reducing unnecessary authentication pathways improves security.


Companion application authentication methods can expand the attack surface and create alternate workflows that may not align with your intended authentication strategy.


This control helps organizations tighten identity controls by ensuring authentication flows remain predictable, governed, and aligned with modern security best practices.


Final Thoughts


CIS v7 continues its shift toward:

  • Defenses against modern identity attacks

  • Defenses against session hijacking

  • Automated threat response

  • Protection against AI-era data leakage

  • Stronger authentication governance


The benchmark is evolving because attackers are evolving.


If your Microsoft 365 environment hasn’t kept pace, now is the time to reassess.


At Redeemer Cyber, we help organizations implement the latest CIS benchmark recommendations using both expert-driven assessments and real-world remediation experience.


If you want to know whether these controls are in place—or how to implement them responsibly—we’d be happy to help.


Contact Redeemer Cyber today for a Microsoft 365 Security Assessment.
