Newly registered domains can of course be legitimate. Every domain is new at some point. But usually there isn’t any content on new domains right away – the content is still being developed, and the launch of the site won’t happen for some time.
But newly registered domains are often a tool for phishing attacks. Such domains are usually put to use immediately after registration and disappear again after a short time, for example because they are cancelled or blocked by the registrar.
Blocking access to newly registered domains is a relatively popular and effective way of eliminating phishing.
It is possible to block newly registered and parked domains within Defender for Endpoint. Domains within the first 30 days of registration are considered newly registered.
Prerequisites for Web Content Filtering in MDE
In order for blocking newly registered domains to work, you need to have Network protection and Microsoft Defender SmartScreen enabled. You can activate both Microsoft Defender SmartScreen and Network protection, for example, via GPO or Intune.
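A quick way to confirm both prerequisites on an endpoint is the following check, added here as an example and not part of the original article. The function names are hypothetical, and the SmartScreen lookups only cover the Group Policy registry locations, so a missing value means "not set by GPO", not "disabled".

```powershell
# Added example. Get-PolicyValue and Get-WcfPrerequisiteStatus are hypothetical helper names.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WcfPrerequisiteStatus {
    # Network protection: 0 = disabled, 1 = enabled (block), 2 = audit (logs, does not block).
    try {
        $np = [int](Get-MpPreference -ErrorAction Stop).EnableNetworkProtection
    } catch {
        $np = -1   # Defender cmdlets are not available on this host
    }
    $npState = switch ($np) {
        1       { 'Enabled (block)' }
        2       { 'Audit only' }
        0       { 'Disabled' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Check  = 'Network protection'
        State  = $npState
        Result = $(if ($np -eq 1) { 'OK' } else { 'Action needed' })
    }

    # SmartScreen settings as written by Group Policy (assumption: GPO-managed device).
    $policies = @(
        @{ Check = 'SmartScreen (Windows GPO)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen' },
        @{ Check = 'SmartScreen (Edge GPO)';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';           Name = 'SmartScreenEnabled' }
    )
    foreach ($p in $policies) {
        $v = Get-PolicyValue -Path $p.Path -Name $p.Name
        if ($null -eq $v) { $state = 'Not set by policy';  $result = 'Check manually' }
        elseif ($v -eq 1) { $state = 'Enabled by policy';  $result = 'OK' }
        else              { $state = 'Disabled by policy'; $result = 'Action needed' }
        [pscustomobject]@{ Check = $p.Check; State = $state; Result = $result }
    }
}

Get-WcfPrerequisiteStatus | Format-Table -AutoSize
```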
How to block newly registered domains in Microsoft Defender for Endpoint
In Microsoft 365 Security center, go to Settings – Endpoints and select Web Content Filtering. Create a new policy here and at the very bottom, select Parked domains and Newly Registered Domains.
On the next page, select which device groups to apply the policy to. Then confirm and create the new policy.