Microsoft’s Email Security Benchmark: What a Year of Data Reveals About Your Inbox Threats

Email remains the most common entry point for cyber attacks, and Microsoft’s Defender for Office 365 processes billions of messages each month. Earlier this year, the company published its first email security benchmark, based on a year of real-world telemetry from across its customer base. The report isn’t just a collection of statistics—it’s a diagnostic tool that can help any organization spot weak points in its email defenses.

If you manage Microsoft 365 security or simply want to understand what threats are actually reaching inboxes, the benchmark data offers a clearer picture than most vendor announcements.

What happened

Microsoft released the benchmark after analyzing data from millions of Defender for Office 365 users over a twelve-month period. The report aggregates anonymized information about threat detections, policy effectiveness, and common configuration gaps. It also introduces a security score that organizations can use to compare their posture against peers.

Key findings from the data include:

  • Phishing remains the most prevalent threat – more than 70% of detected malicious messages were phishing attempts, many designed to steal credentials or deliver malware.
  • Business email compromise (BEC) is the highest-impact attack – although less frequent than large-scale phishing, BEC attacks often succeed because they lack traditional indicators like malicious links or attachments.
  • Multi-stage attacks are increasing – attackers frequently use low-volume, highly targeted emails that evade automated filters.
  • Many organizations have critical policies misconfigured – for example, anti-phishing policies are often set to “audit only” mode, meaning suspicious messages are logged but not blocked.

The benchmark score itself (0–100) reflects how well an organization’s Defender settings align with Microsoft’s recommended security baseline. The global average score, according to the report, sits around 70—meaning most tenants have room for improvement.

Why it matters

Email security benchmarks are useful because they shift the conversation from “did we block this attack?” to “are we configured to block the next one?” Too often, organizations only realize a policy is missing after an incident occurs.

The Microsoft data also highlights a persistent gap: many security teams enable advanced protection features but never review their default configurations. For instance, impersonation protection—designed to flag emails that mimic a CEO or vendor—is often left disabled or limited to a small handful of users. The benchmark reveals that organizations which expand impersonation protection to include all relevant domains significantly reduce their exposure to BEC.

Another reason this matters: the threat landscape is changing faster than most policies. The benchmark shows a steady rise in “password reset” themed phishing that mimics legitimate IT workflows. Traditional spam filters may not catch these because the content looks benign. Only a properly tuned anti-phishing policy with user-reporting can help.

What readers can do

If you’re using Microsoft Defender for Office 365, you can start improving your security posture today without buying new tools. Here are concrete steps based on the benchmark findings:

  1. Check your security score – In the Microsoft 365 Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies. Look for the benchmark score and review the recommended actions listed below it. Each recommendation includes the estimated impact on your score.

  2. Enable anti-phishing policies for all users – Many organizations only apply these policies to executives. The data shows that attackers will target anyone. Go to Anti-phishing and ensure the policy is applied to your entire domain. Then turn on Impersonation protection for the domains you interact with most—including partner companies.

  3. Set Safe Links and Safe Attachments to “block” rather than “track” – A common misconfiguration is using “monitor” mode. While this lets you see which links are clicked, it does not prevent the click. Change the action to “block” for all policies.

  4. Activate user-reported message analysis – Enable the built-in Report Message add-in for Outlook. This gives your security team visibility into what users consider suspicious, and it feeds Microsoft’s threat intelligence.

  5. Review your mail flow rules – Overly permissive transport rules (e.g., bypassing spam filtering for certain senders) are a frequent cause of successful attacks. Audit any rules that allow messages to skip Defender scanning.

  6. Run a simulated phishing campaign – Microsoft offers Attack Simulation Training as part of Defender. Regularly testing your users helps identify which policies or training gaps need attention.
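
The configuration checks from steps 2, 3 and 5 can also be run as a read-only script. The following is an added PowerShell example, not taken from Microsoft's report or from this article's sources. It assumes the property names returned by the Exchange Online cmdlets Get-AntiPhishPolicy, Get-SafeLinksPolicy, Get-SafeAttachmentPolicy and Get-TransportRule; the helper Find-EmailPolicyGap is hypothetical and the sample objects are constructed.

```powershell
# Added example; Find-EmailPolicyGap is a hypothetical helper, not a Microsoft cmdlet.
# Live use (assumes the ExchangeOnlineManagement module and Connect-ExchangeOnline):
#   Find-EmailPolicyGap -AntiPhish (Get-AntiPhishPolicy) -SafeLinks (Get-SafeLinksPolicy) `
#     -SafeAttachment (Get-SafeAttachmentPolicy) -TransportRule (Get-TransportRule)
function Find-EmailPolicyGap {
    param([object[]]$AntiPhish = @(), [object[]]$SafeLinks = @(),
          [object[]]$SafeAttachment = @(), [object[]]$TransportRule = @())

    function New-Gap($Area, $Name, $Issue) {
        [pscustomobject]@{ Area = $Area; Policy = $Name; Issue = $Issue }
    }
    foreach ($p in $AntiPhish) {                      # step 2
        if (-not $p.Enabled) { New-Gap 'Anti-phishing' $p.Name 'policy is disabled' }
        if (-not $p.EnableTargetedUserProtection) {
            New-Gap 'Anti-phishing' $p.Name 'user impersonation protection is off' }
        if (-not $p.EnableTargetedDomainsProtection) {
            New-Gap 'Anti-phishing' $p.Name 'domain impersonation protection is off' }
        if ($p.TargetedUserProtectionAction -eq 'NoAction') {
            New-Gap 'Anti-phishing' $p.Name 'impersonation is detected but not acted on' }
    }
    foreach ($p in $SafeLinks) {                      # step 3
        if (-not $p.EnableSafeLinksForEmail) {
            New-Gap 'Safe Links' $p.Name 'URL protection for email is off' }
        if ($p.AllowClickThrough) {
            New-Gap 'Safe Links' $p.Name 'users can click through to the original URL' }
    }
    foreach ($p in $SafeAttachment) {                 # step 3
        if (-not $p.Enable) { New-Gap 'Safe Attachments' $p.Name 'policy is disabled' }
        elseif ($p.Action -eq 'Allow') {              # shown as "Monitor" in the portal
            New-Gap 'Safe Attachments' $p.Name 'Action=Allow tracks detections but still delivers' }
    }
    foreach ($r in $TransportRule) {                  # step 5
        if ($r.State -eq 'Enabled' -and "$($r.SetSCL)" -eq '-1') {
            New-Gap 'Mail flow rule' $r.Name 'sets SCL to -1, so spam filtering is skipped' }
    }
}

# Constructed sample objects shaped like the cmdlet output, so the check runs offline.
$gaps = Find-EmailPolicyGap `
    -AntiPhish @([pscustomobject]@{ Name = 'Executives only'; Enabled = $true
        EnableTargetedUserProtection = $true; EnableTargetedDomainsProtection = $false
        TargetedUserProtectionAction = 'NoAction' }) `
    -SafeLinks @([pscustomobject]@{ Name = 'Default'; EnableSafeLinksForEmail = $true
        AllowClickThrough = $true }) `
    -SafeAttachment @([pscustomobject]@{ Name = 'Default'; Enable = $true; Action = 'Allow' }) `
    -TransportRule @([pscustomobject]@{ Name = 'Partner allow'; State = 'Enabled'; SetSCL = -1 })
$gaps | Format-Table -AutoSize
```

Policy scope (the "entire domain" part of step 2) is defined in the matching rules, for example Get-AntiPhishRule, which this example does not inspect.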

The benchmark is a starting point, not a final verdict. Microsoft acknowledges that the score is based on a subset of available configurations, and some security teams may have legitimate business reasons for deviating from the recommended baseline. Still, the data is a strong indicator of where your email defenses are strongest and weakest.

Sources

  • Microsoft’s official report: Microsoft Defender email security benchmarking: Key insights from one year of data (Microsoft Tech Community, 2026)
  • Follow-up analysis: From transparency to action: What the latest Microsoft email security benchmark reveals (Microsoft, March 2026)
  • Gartner Magic Quadrant for Email Security (2025) – referenced as context for Defender’s positioning

The benchmark report itself is accessible to all Defender for Office 365 customers through the Microsoft 365 Defender portal. If you haven’t looked at it yet, take twenty minutes this week. The data will likely change how you think about your inbox defenses.