Product
Pathfinder AI - Cluster-context investigation
Pathfinder AI investigations have gained a significant new capability: they can now run investigations using context derived from similar leads within the same cluster.
This means that lead details, comments, previous Pathfinder investigation results, feedback, and other relevant information from clustered leads are now used when investigating comparable leads. The result is higher-quality investigations and continuous improvement of Pathfinder AI.
Security Content
AXON Threat Hunting Report
Notepad++ Update mechanism hijack
In February 2026, Team AXON initiated a Rapid Response campaign following the disclosure of a significant security incident involving Notepad++, a popular text and code editor.
In this incident, state-sponsored attackers compromised Notepad++’s hosting infrastructure from June through December 2025, hijacking the application’s update mechanism to deliver malicious executables to selectively targeted users.
The attack did not exploit a vulnerability in the Notepad++ code itself; it leveraged infrastructure-level access combined with insufficient update-verification controls in the WinGUp updater.
The Rapid Response campaign covered the period from June 1st, 2025, to February 5th, 2026. If any indicators of compromise were discovered in your environment, they are documented in the “Hunting Results” section of this report.
More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.
Detectors
Improved detectors
As part of ongoing quality monitoring, the detector “Superhuman activity (anomalous location)” was modified to increase coverage, accuracy, and alignment with Okta’s latest documentation.
The detector is an Okta third-party alert triggered by anomalous user login behavior: rapid requests from a new device and IP across geographically distant locations, suggesting impossible travel.
As a result, the detector was renamed “Okta 3rd party Unusual Login Location”.
Deprecated detectors
Execution of Chrome in debug mode from an unfamiliar process
As part of ongoing quality monitoring, this detector was found to be very noisy and inaccurate.
Many legitimate applications launch Chrome in debug mode, which makes this logic irrelevant.
Deprecation is planned for Feb 18, 2026.
Enrichments
New Scoring Layer - Managed device for identity theft detectors
This scoring layer looks for configuration properties indicating that a device is managed.
It is currently applied to the Azure and Okta data sources, since both include properties that indicate whether a device is Azure- or Okta-managed.
The scoring applies to identity theft detectors such as “SaaS application brute force attempt”, “SaaS application password spraying attempt”, “Non-Browser User Agents Authenticating to OfficeHome”, and more.
For example, on the detector “SaaS application brute force attempt”, if all the failed login attempts in a lead were initiated from Azure-managed devices, the lead’s confidence score is decreased.
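The scoring behaviour described above, as an added example that is not part of the Hunters platform code: a minimal brute-force detector that raises one lead per user over a failure threshold, followed by a managed-device scoring layer that lowers the lead’s confidence only when every failed login came from a managed device. The event schema (including the device_managed field), the threshold and the penalty are assumptions; the sign-in events are constructed, not real Azure or Okta records.

```python
from collections import defaultdict

# Constructed sample sign-in events. They are NOT real Azure or Okta records;
# the field names (user, outcome, source_ip, device_managed) are assumptions
# standing in for the managed-device properties those sources expose.
SAMPLE_EVENTS = (
    [{"user": "alice", "outcome": "FAILURE", "source_ip": "203.0.113.10", "device_managed": True}] * 6
    + [{"user": "alice", "outcome": "SUCCESS", "source_ip": "203.0.113.10", "device_managed": True}]
    + [{"user": "bob", "outcome": "FAILURE", "source_ip": "198.51.100.7", "device_managed": False}] * 4
    + [{"user": "bob", "outcome": "FAILURE", "source_ip": "198.51.100.8", "device_managed": True}] * 2
    + [{"user": "carol", "outcome": "FAILURE", "source_ip": "192.0.2.5", "device_managed": False}] * 2
)

FAILED_LOGIN_THRESHOLD = 5   # assumed failures per user before a lead is raised
BASE_CONFIDENCE = 80         # assumed confidence assigned by the brute-force detector
MANAGED_DEVICE_PENALTY = 40  # assumed deduction when every failure came from a managed device


def brute_force_leads(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Group failed logins per user and raise one lead per user at or over threshold."""
    failures = defaultdict(list)
    for event in events:
        if event["outcome"] == "FAILURE":
            failures[event["user"]].append(event)
    return [
        {"user": user, "failed_events": evs, "confidence": BASE_CONFIDENCE}
        for user, evs in failures.items()
        if len(evs) >= threshold
    ]


def apply_managed_device_layer(lead, penalty=MANAGED_DEVICE_PENALTY):
    """Scoring layer: lower confidence only when ALL failures came from managed devices."""
    evs = lead["failed_events"]
    # all() over an empty list is vacuously True, so require at least one event;
    # a missing or unknown managed flag counts as not managed (no penalty).
    all_managed = bool(evs) and all(e.get("device_managed") is True for e in evs)
    scored = dict(lead)
    scored["all_failures_from_managed_devices"] = all_managed
    scored["confidence"] = max(0, lead["confidence"] - penalty) if all_managed else lead["confidence"]
    return scored


def score_leads(events):
    """Run the detector, then the scoring layer; return scored leads keyed by user."""
    return {lead["user"]: apply_managed_device_layer(lead) for lead in brute_force_leads(events)}


if __name__ == "__main__":
    for user, lead in score_leads(SAMPLE_EVENTS).items():
        print(user, lead["confidence"], lead["all_failures_from_managed_devices"])
```

With the constructed input, alice’s lead drops from 80 to 40 because all six failures came from managed devices, bob’s stays at 80 because four of his failures came from an unmanaged device, and carol never reaches the threshold.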
Integrations
CrowdStrike Incidents - Deprecation
CrowdStrike has announced that “Incident logs” will be retired and will no longer be available starting March 9, 2026. To avoid disruption, connect CrowdStrike Alerts (crowdstrike_alerts); see our docs for onboarding instructions.
Microsoft Message Trace - Deprecation & Required Update
Microsoft has announced that the legacy Message Trace tools and APIs, commonly used to export email-delivery logs from Exchange Online, will be retired soon.
The API endpoints will be turned off in April 2026.
Microsoft is also planning a new Graph API endpoint for Message Trace, expected to enter public preview in late 2025. We already support this endpoint and will update the integration once Microsoft releases its changes.
What this means for you
To ensure continued ingestion of your Microsoft email logs, you will need to migrate to Microsoft’s Graph API endpoint.
How Hunters can help
Our team is monitoring Microsoft’s rollout closely and will update our customers on any expected changes.
Please reach out to us with any questions or doubts.
New Integration Releases:
Barracuda Incident Response Logs - S3 integration