Every Microsoft DfE 2025 Attack Campaign Blocked: Measuring Application Allowlisting Effectiveness
- Kim & Tom
- Jan 26
- 2 min read
Updated: Jan 27
First published: January 26, 2026
AppControl.AI analyzed all Microsoft Defender for Endpoint threat intelligence reports published in 2025 to measure the real-world effectiveness of Windows application allowlisting. The results are now available in our yearly report.
The Data Set
Microsoft Defender for Endpoint published 231 analyst reports in 2025. After filtering out reports that didn't involve code execution on Windows endpoints, lacked sufficient technical detail, or targeted non-Windows platforms, 100 relevant reports remained. Of these, 33 were classified as Attack Campaign reports—coordinated, time-bound attack operations observed in the wild.
Key Findings
Workstation endpoints: With full allowlisting enforcement (executables, libraries, and scripts), none of the 100 threats, across all report types, achieved impact on a Windows workstation. Every documented attack chain was disrupted at the execution layer.
Server workloads: Six threats (6 of the 100) could still impact servers running full allowlisting. These were not failures of allowlisting itself. They exploited vulnerabilities in server applications that were already running as trusted, privileged processes (typically LocalSystem). Allowlisting decides which files may be loaded; it has no say over what an already-trusted process does with attacker-supplied data. Once an attacker has code execution inside such a process with system privileges, allowlisting can no longer intervene.
Attack Campaigns specifically: All 33 attack campaigns documented by Microsoft in 2025 would have been blocked on both workstation and server endpoints under full allowlisting enforcement.
Partial Implementation Gaps
The analysis measured what happens when organizations implement partial allowlisting:
| Configuration | Effectiveness (workstations) | Threats getting through (of 100) |
|---|---|---|
| Full allowlisting (exe + dll + scripts) | 100% | 0 |
| Excluding script allowlisting | 89% | 11 (including 9 attack campaigns) |
| Excluding library (dll) allowlisting | 89% | 11 (including 4 attack campaigns) |
| Excluding both scripts and libraries | 78% | 22 |
The 11-point drop in effectiveness from excluding script enforcement is particularly notable. PowerShell and other script-based attacks remain one of the most common execution mechanisms on Windows. Nine actual attack campaigns would have succeeded against organizations that deployed executable-only policies without script enforcement.
Library (DLL) enforcement showed similar importance. The report identifies specific ransomware-affiliated threat actors—Manatee Tempest, Storm-0249, and others—whose operations rely on DLL-based techniques that library allowlisting would block.
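The practical question raised by the table is whether a deployed policy actually enforces all three layers, or is one of the partial configurations above. The following is an added example, not code from the AppControl.AI report. It assumes the allowlisting product is either AppLocker (policy exported with Get-AppLockerPolicy -Effective -Xml) or WDAC / App Control for Business (policy XML); the report itself does not name the product. It parses a policy, reports each layer as enforced, audit-only or off, and maps the gaps to the workstation figures in the table. Both sample policies are constructed and trimmed to the elements the check reads; the rule Id is a placeholder.

```python
"""Check which execution layers (exe, dll, script) an allowlisting policy
enforces, and map the gaps to the workstation figures in the report's table.

Added example, not part of the AppControl.AI report. It assumes the policy is
either an AppLocker policy as exported by Get-AppLockerPolicy -Effective -Xml
or a WDAC / App Control for Business policy XML. Sample policies below are
constructed and trimmed to the elements this check reads."""

import xml.etree.ElementTree as ET

SIPOLICY_NS = "{urn:schemas-microsoft-com:sipolicy}"
LAYERS = ("exe", "dll", "script")

# Workstation figures from the report's table, keyed by the layers left out.
REPORT_THREATS_THROUGH = {
    frozenset(): 0,
    frozenset({"script"}): 11,
    frozenset({"dll"}): 11,
    frozenset({"dll", "script"}): 22,
}


def _applocker_coverage(root):
    """AppLocker keeps one RuleCollection per file type. A collection that is
    missing or NotConfigured enforces nothing; AuditOnly only writes events."""
    mode_to_state = {"Enabled": "enforced", "AuditOnly": "audit",
                     "NotConfigured": "off"}
    states = {layer: "off" for layer in LAYERS}
    for rc in root.findall("RuleCollection"):
        layer = rc.get("Type", "").lower()
        if layer in states:
            mode = rc.get("EnforcementMode", "NotConfigured")
            states[layer] = mode_to_state.get(mode, "off")
    return states


def _wdac_coverage(root):
    """WDAC user-mode code integrity (Enabled:UMCI) covers every user-mode PE,
    so exe and dll stand or fall together. Scripts are covered unless the
    policy carries Disabled:Script Enforcement, and Enabled:Audit Mode turns
    every layer into logging only."""
    options = {opt.text.strip() for opt in root.iter(SIPOLICY_NS + "Option")
               if opt.text}
    if "Enabled:UMCI" not in options:
        return {layer: "off" for layer in LAYERS}  # kernel-mode-only policy
    state = "audit" if "Enabled:Audit Mode" in options else "enforced"
    script = "off" if "Disabled:Script Enforcement" in options else state
    return {"exe": state, "dll": state, "script": script}


def coverage(policy_xml):
    """Return {'exe'|'dll'|'script': 'enforced'|'audit'|'off'} for a policy."""
    root = ET.fromstring(policy_xml)
    if root.tag == "AppLockerPolicy":
        return _applocker_coverage(root)
    if root.tag == SIPOLICY_NS + "SiPolicy":
        return _wdac_coverage(root)
    raise ValueError("unrecognised policy root element: " + root.tag)


def missing_layers(policy_xml):
    """Layers not in enforced mode. Audit-only counts as missing because it
    does not stop execution."""
    return [layer for layer, state in coverage(policy_xml).items()
            if state != "enforced"]


def threats_through(policy_xml):
    """Workstation threats the report says get through this configuration,
    or None if the table has no row for it (e.g. exe itself not enforced)."""
    return REPORT_THREATS_THROUGH.get(frozenset(missing_layers(policy_xml)))


# Constructed sample: exe rules enforced, scripts only audited, and no Dll
# collection configured at all. The rule Id is a placeholder value.
APPLOCKER_EXE_ONLY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Msi" EnforcementMode="Enabled" />
</AppLockerPolicy>"""

# Constructed sample: UMCI enforced, but script enforcement switched off.
WDAC_NO_SCRIPT = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Disabled:Script Enforcement</Option></Rule>
  </Rules>
</SiPolicy>"""


if __name__ == "__main__":
    for name, xml in (("AppLocker exe-only", APPLOCKER_EXE_ONLY),
                      ("WDAC without script enforcement", WDAC_NO_SCRIPT)):
        print(name, coverage(xml), "missing:", missing_layers(xml),
              "threats through:", threats_through(xml))
```

Audit-only is deliberately treated the same as off: an AppLocker collection in AuditOnly or a WDAC policy with Enabled:Audit Mode records the event but lets the file run, so for the purpose of the table it is a gap, not coverage. The AppLocker sample lands on the "excluding both" row (22 threats); the WDAC sample on the "excluding scripts" row (11 threats); removing the Disabled:Script Enforcement rule from the WDAC sample brings it to the full-enforcement row.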
What This Means
Application allowlisting provides preventive protection at the execution layer. Unlike detection-based controls that respond after code runs, allowlisting stops unauthorized execution before it starts. The 2025 threat landscape data shows that modern attacks—including multi-stage campaigns and living-off-the-land techniques—still depend on executing untrusted code at some point in the chain.
The data also shows clear limitations. Allowlisting cannot protect against vulnerabilities in trusted, privileged applications. Server environments running network-facing services under LocalSystem require additional controls beyond allowlisting. The report's appendix covers recommended mitigations for these scenarios.
Download the Full Report
The complete report includes:
Detailed methodology for threat selection and filtering
Breakdown by threat report type (Attack Campaign, Vulnerability, Activity Group, Tool/Technique)
Specific Microsoft Defender for Endpoint report references for each finding
Recommendations for server workload protection
This report was authored by Kim Oppalfens, AppControl.AI Security Architect. The methodology uses Microsoft's own threat intelligence to assess Microsoft's own allowlisting technology—providing an objective, evidence-based measurement of defensive value.