Microsoft has graciously allowed users to download arbitrary executables with Microsoft Defender since a recent update (versions 4.18.2007.9 and 4.18.2009.9, inclusive).
Command syntax: “mpcmdrun -DownloadFile -url <url> -path <path>”
With some luck we may get ubiquitous SSH access to all Windows workstations in the near future. It would greatly improve connectivity. Think of the possibilities!
Living off the Land is never going away and this is not a security incident. Just another proof point that administrators need to monitor the usage of such integrated tools to keep a full picture of how users, legitimate or compromised, are (ab)using their respective systems.
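One way to do that monitoring, as an added example that is not part of the original post: a Python check that scans process-creation records for the command syntax above and pulls out the URL and destination path. The record layout (host, user, command_line) and all sample values are constructed assumptions, standing in for an export of process-creation events with command lines.

```python
import re

# Constructed process-creation records; hosts, users, URLs and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "alice", "command_line":
     r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile '
     r'-url https://example.com/tool.exe -path C:\Users\Public\tool.exe'},
    {"host": "WS-02", "user": "bob", "command_line":
     r'mpcmdrun -downloadfile -PATH "C:\Temp\my file.bin" -URL http://example.org/a.bin'},
    {"host": "WS-03", "user": "carol", "command_line":
     r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1'},
    {"host": "WS-04", "user": "dave", "command_line":
     r'notepad.exe C:\notes\mpcmdrun -DownloadFile.txt'},
]

def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_download(cmdline):
    """Return {'url', 'path'} for an MpCmdRun -DownloadFile call, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    # Compare only the image's base name, with or without ".exe".
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("mpcmdrun", "mpcmdrun.exe"):
        return None
    args = tokens[1:]
    lowered = [a.lower() for a in args]  # switches are matched case-insensitively
    if "-downloadfile" not in lowered:
        return None

    def value_of(switch):
        # The value is the token after the switch, in whatever order they appear.
        if switch in lowered:
            i = lowered.index(switch) + 1
            if i < len(args) and not args[i].startswith("-"):
                return args[i]
        return None

    return {"url": value_of("-url"), "path": value_of("-path")}

def find_downloads(events):
    """Return one alert per record whose command line is a download call."""
    alerts = []
    for ev in events:
        hit = parse_download(ev["command_line"])
        if hit is not None:
            alerts.append({"host": ev["host"], "user": ev["user"], **hit})
    return alerts

if __name__ == "__main__":
    for alert in find_downloads(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image name in the command line misses a renamed copy of the binary, so pair this with whatever original-file-name or signer field your process telemetry records.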