
Introduction & Use Case:
As cyber threats continue to evolve, organizations must stay ahead of emerging technologies that pose significant risks. One such threat is Deep Seek AI, a platform with known ties to the People’s Republic of China. These connections carry serious security implications, as Deep Seek AI can be leveraged for intelligence gathering, data exfiltration, and the introduction of malware or spyware into your network. Every time a user interacts with Deep Seek AI by sending a prompt, the platform immediately establishes a communication link with Beijing, allowing sensitive data to be transferred and compromising the integrity of your system. This direct connection to a state actor in China increases the risk of espionage, intellectual property theft, and sabotage.
To mitigate these threats, it is critical for organizations to block Deep Seek AI from accessing their environments. In this post, we'll show you how to use Microsoft Defender for Cloud Apps to prevent Deep Seek from infiltrating your network. By configuring specific policies to detect and block this malicious AI, you can protect sensitive data, prevent unauthorized access, and defend against the growing threat of cyber espionage tied to state-backed actors. Blocking Deep Seek AI not only reduces immediate risks but also strengthens your overall security posture against future threats from similar sources.
This blog will also highlight how KMicro deploys Defender for Cloud Apps from the ground up and integrates it seamlessly with Microsoft Defender for Endpoint. With this integration, you can easily block or unsanction Deep Seek AI, as well as manage any other applications that don’t meet your compliance standards, such as SOC2, GDPR, PIPEDA, CMMC, and NIST. Whether your goal is to block malicious AI or simply reduce network strain (like during peak times such as March Madness), KMicro ensures that your cloud infrastructure remains secure, compliant, and cost-effective.
Whether you’re an IT/SecOps professional or a security and compliance enthusiast, KMicro has the expertise to help you identify, block, and manage bandwidth hogs 🐽, lock down your environment 🔒, and improve your compliance posture with ease. With KMicro on your team, you’ll always be prepared to tackle your toughest security challenges and maintain smooth, secure operations ✅.
In this Post We Will:
● ⚡ Deploy Defender for Cloud Apps.
● 🔧 Integrate with Defender for Endpoint.
● 🔌 Onboard a Device to Defender for Endpoint.
● 🔍 Investigate Application Usage.
● 🚫 Un-sanction an Unwanted Application (Deep Seek).
● 🚧 Un-sanction an unwanted Application on your Firewall (for devices that don’t support the MDE agent).
● 💡 KMicro Knowledge Nuggets
Deploy Defender for Cloud Apps
● Ensure you have the necessary administrative permissions to configure and manage MDCA.
● Access the unified security portal at www.security.microsoft.com.
● Navigate to the Settings blade towards the bottom of the left menu and select Cloud Apps.
● Scroll down to Microsoft Defender for Endpoint and check the Microsoft Defender for Endpoint Integration box.
● This integration allows for enhanced threat detection and response capabilities by correlating signals from endpoints and cloud apps.
● If the Defender for Endpoint agent is deployed on devices within your organization, then MDCA can leverage the MDE agent to monitor network activities and traffic, including those related to cloud apps.
● The Defender for Endpoint agent collects detailed information about cloud app usage directly from the endpoints. This includes data on which apps are being accessed, by whom, and from which devices and IP addresses.
Integrate with Defender for Endpoint
● Access the unified security portal at www.security.microsoft.com.
● Navigate to the Settings blade towards the bottom of the left menu and select Endpoints.
Click on Advanced Features under General and toggle the Microsoft Defender for Cloud Apps switch to On as illustrated below:
💡 While you’re in here, you’ll need to toggle Custom Network Indicators to the On position:
● Enabling this feature sends telemetry collected by Defender for Endpoint over to Defender for Cloud Apps. You can confirm by going back to the unified security portal » Settings » Cloud Apps » Automatic Log Upload and verifying the following entry populates (it can take a few hours for data to populate):
Onboard a Device to Defender for Endpoint
So perhaps you don’t have all of your devices onboarded to Defender for Endpoint, but you have a fair idea of who might be consuming all the bandwidth and want to start there. Follow the steps below to onboard their devices to Defender for Endpoint and get Cloud App Telemetry:
● Logon to your device
● Navigate to the unified security portal at www.security.microsoft.com from your device
● Select the Settings blade from the left menu, then choose Endpoints
● Scroll down to Onboarding and fill out the appropriate settings, then download the onboarding package
● Run it with administrative privileges on the device you wish to onboard.
● Give it a few minutes and the device will show up in the unified security portal, illustrated below:
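Before moving on, it helps to confirm from the device itself that the onboarding actually took and that the Defender AV prerequisites for enforcing Cloud App blocks are in place. The script below is an added example for this post, not the onboarding package or any Microsoft-provided script; it reads the documented MDE status registry key, checks the Sense sensor service, and reads the network protection mode (the setting that enforces the custom network indicators MDCA pushes when you unsanction an app). It assumes an elevated Windows PowerShell session on the onboarded device.

```powershell
# Added example (not part of the original post): verify MDE onboarding state and
# the AV prerequisites needed for Cloud App blocks on this Windows device.
# Assumption: run in an elevated Windows PowerShell session on the device itself.

function Get-MdeOnboardingState {
    # Status key written by the onboarding package; OnboardingState = 1 means onboarded
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    $orgId = $null
    if (Test-Path $statusKey) {
        $status    = Get-ItemProperty -Path $statusKey
        $onboarded = ($status.OnboardingState -eq 1)
        $orgId     = $status.OrgId
    }

    # The sensor runs as the 'Sense' service; it must be Running for telemetry to reach MDCA
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Network protection enforces custom network indicators (the URL/IP blocks that
    # unsanctioning an app creates). 0 = Disabled, 1 = Block, 2 = Audit (log only).
    $pref   = Get-MpPreference
    $npMode = switch ($pref.EnableNetworkProtection) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Unknown' }
    }

    $senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Onboarded             = $onboarded
        OrgId                 = $orgId
        SenseService          = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        NetworkProtection     = $npMode
        ReadyForCloudAppBlock = ($onboarded -and $senseRunning -and $npMode -eq 'Block')
    }
}

$state = Get-MdeOnboardingState
$state | Format-List

if (-not $state.ReadyForCloudAppBlock) {
    Write-Warning 'Device is not ready to enforce Cloud App blocks; check the fields above.'
}
```

If `NetworkProtection` comes back as `Audit`, unsanctioned apps will be logged but not stopped on that device, which is a common reason a block "doesn't work" even though the device shows up in the portal.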
Investigate Application Usage
Let’s see who our heavy hitters are on the network.
Navigate to the Cloud Discovery blade, then go to the Discovered Apps tab to list applications found on your endpoints. You can sort these by traffic, uploaded data and other columns to narrow down your hunt:
As illustrated, Deep Seek isn’t compliant against much…
Click into the app from the list to bring up additional metrics, there’s nobody using Deep Seek in our lab so here’s an example from another app:
Lastly, slide over to the Cloud App Usage tab to identify usage by user:
💡 KMicro Knowledge Nugget: This is helpful when deciding what applications to unsanction. If the entire corporation is heavily using an application then maybe investigate further before unsanctioning it and start with a small deployment group before unsanctioning it for everybody. There was one instance where unsanctioning the Steam Games platform locked a developer out of his Unreal Engine dev tools that he needed for production. Always do your due diligence before unsanctioning an app, and don’t unsanction anything on a Friday… We’re firm believers in Read-Only Fridays 😉.
Un-sanction an Unwanted Application (Deep Seek)
Now that we’ve got our devices onboarded and our MDE and MDCA platforms integrated, we can enforce MDCA policies like blocking un-sanctioned applications using the MDE agent directly.
● From the unified security portal, navigate to the Cloud Discovery Blade, located under Cloud Apps
● Swing over from the Dashboard tab to the next one to the right, called Discovered Apps, to list all of the applications reported by Defender for Endpoint that have run on that device since the automatic log upload from MDE to MDCA was set up earlier:
● You can Un-sanction any application found in your environment from here.
💡 KMicro Knowledge Nugget: Why wait until an application is already active in your environment to block it? The Cloud App Catalogue blade (directly underneath the Cloud Discovery blade) lists all of the applications that Microsoft has evaluated, and there are thousands of them!
● In this example, we’ll block applications we know we don’t want to see in our network, like Deep Seek. From the Cloud App Catalogue search for your unwanted applications and select the Unsanction button to the right for each application you want to block:
Give it a few minutes and try to navigate to one of those applications in a browser or through their designated local applications on a device that you’ve onboarded to MDE to see them fail (gloriously):
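Watching the browser fail is satisfying, but for an audit trail you want the device's own record of the block. The script below is an added example for this post, not something MDCA or MDE generates; it pulls the network protection events from the Defender operational log on an onboarded Windows device (Event ID 1126 is a block-mode hit, 1125 an audit-mode hit) so you can confirm the unsanction actually fired and spot devices where it is only being logged. It assumes an elevated Windows PowerShell session on the device and that the block attempt happened within the chosen time window.

```powershell
# Added example (not part of the original post): confirm on an onboarded device that
# network protection blocked the connection to an unsanctioned app.
# 1126 = network protection fired in block mode, 1125 = fired in audit mode only.
# Assumption: elevated Windows PowerShell on the device that attempted the connection.

function Get-NetworkProtectionEvents {
    param(
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
                # The event message carries the destination that was hit and the
                # process that tried to reach it; collapse whitespace for a tidy table
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

$events = @(Get-NetworkProtectionEvents -Hours 24)

if ($events.Count -eq 0) {
    Write-Host 'No network protection events in the window. Either nothing tried to reach an unsanctioned app, or the indicator has not synced to this device yet (allow a few minutes after unsanctioning).'
} else {
    $events | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
    if ($events | Where-Object { $_.Mode -eq 'Audit' }) {
        Write-Warning 'Audit-mode hits found: network protection is not in block mode on this device, so the app was logged but not stopped.'
    }
}
```

Audit-mode hits are the useful tell here: the device received the indicator but isn't enforcing it, so the fix is on the endpoint's network protection setting, not in MDCA.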
Un-sanction an unwanted Application on your Firewall (for devices that don’t support the MDE agent).
So what about those weird Linux distros that don’t support MDE (yet)… they need protection too right? If they’re behind a firewall appliance, check out this awesome MDCA feature that becomes available once you’ve un-sanctioned a few unwanted applications…
● From the Cloud Discovery Dashboard go to the Actions drop down, located in the top-right hand corner of the screen, and click on Generate Block Script…:
💡KMicro Knowledge Nugget:
Ever used a DNS Sink Hole like a Pi-Hole (powered by Raspberry Pi)? It works similarly by refusing to resolve addresses that host the apps you're trying to block. A Pi-Hole, for example, resolves the addresses but directs them to an IP that doesn’t exist—hence the term "sinkhole." This speeds up page load times since it doesn't have to resolve all the “junk” from known ad-hosting IPs and other unnecessary traffic.
But what happens if someone has already downloaded and logged into an app like Steam Games before you’ve unsanctioned it? Once they've logged in, the app has already "phoned home" and fetched a fresh authentication token. This means the app will continue to work until the token expires. Once it does, the app will try to get a new key by contacting the blocked address—and that’s when things fail. So, users could still be using an unsanctioned app temporarily until their authentication token expires.
👉Pro tip: If you're gearing up to block apps but don’t want to miss out on the action, head to the unified security portal, navigate to Settings > Cloud Apps > Exclude Entities, and add an exclusion! 😜
Conclusion
In this post, we walked through the process of deploying Defender for Cloud Apps and integrating it with Defender for Endpoint to secure your environment from unauthorized applications like Deep Seek AI. We onboarded a device to Defender for Endpoint, confirmed the necessary AV configuration prerequisites using PowerShell (without relying on Intune, SCCM, or GPO), and investigated application usage to identify potential threats. Finally, we unsanctioned Deep Seek AI and ensured its blocking on your firewall for devices that don’t support the MDE agent. By following these steps, you can effectively block Deep Seek AI from your environment and maintain a secure, compliant, and efficient network.
Need help securing your environment?
KMicro specializes in deploying and optimizing Microsoft security solutions to protect organizations like yours from emerging threats. Whether you need help blocking malicious AI, enforcing compliance, or strengthening your overall security posture, our team of experts is ready to assist.
Thanks for reading! What will you block from your environment first?
About the Author
Ian Hanley is a demonstrated leader and Security Architect at a leading MXDR MSSP. He specializes in leveraging the Microsoft security fabric to achieve favorable security outcomes. With a deep focus on Microsoft products and services, Ian enables his peers in information security to enhance their effectiveness and protect their organizations. As a father of two daughters, Ian also brings a personal perspective to risk management, ensuring that security is not just a professional responsibility but a principle he upholds in all aspects of life.