What Microsoft’s email security benchmark reveals about protecting your inbox
If you rely on Microsoft 365 for your business or personal email, you probably assume the built-in security tools are doing their job. And they are — but only up to a point. Microsoft recently published a year-long benchmark study of email threats detected by Microsoft Defender for Office 365, covering data from June 2025 through June 2026. The report gives a realistic picture of what attackers are doing and how well the default protections hold up.
For small business owners and privacy-conscious individuals, the key takeaway is straightforward: the tools are powerful, but you need to configure them properly. Leaving everything at default settings leaves gaps. Here’s what the data shows and what you should do about it.
What happened
Microsoft’s benchmark analyzed real-world email traffic across its customer base. The headline number is that Defender blocks over 99.9% of email threats automatically. But that still leaves millions of attacks slipping through — especially when users click on links or open attachments they shouldn’t.
The most common attack types were:
- Credential phishing – emails that try to steal your login details by mimicking legitimate services.
- Ransomware delivered via email – malicious attachments or links that encrypt your files.
- Business email compromise (BEC) – attackers impersonate a trusted colleague or vendor to trick you into sending money or sensitive data.
Geographic trends were less relevant for individual users, but the volume of BEC attacks has been rising steadily, and they are harder to detect because they don’t rely on malicious links or attachments — just social engineering.
Why it matters
If you’re a small business owner, an IT manager, or even just a consumer using Outlook or Microsoft 365, these numbers aren’t abstract. Every day, your inbox is a target. Phishing attempts that look like invoices, fake shipping notifications, or urgent messages from “your IT department” are common. Without proper settings, a single click can lock you out of your accounts or cost your business thousands.
The good news is that Microsoft Defender can stop the vast majority of these threats, but many organizations — especially small ones — never adjust the default policies. They assume Microsoft handles everything. In reality, default settings are a baseline, not an optimum.
What readers can do
You don’t need to be a security expert or buy additional software. Here are practical steps you can take today inside your Microsoft 365 tenant.
1. Turn on anti-phishing policies
By default, anti-phishing protection is enabled but often set to low sensitivity. Go to the Microsoft 365 Defender portal (security.microsoft.com) and navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing. Create a new policy that applies to your domain. Under “Impersonation,” add your own domain and key executives’ email addresses as protected senders. This flags emails that try to mimic them.
2. Enable Safe Attachments and Safe Links
These two features scan attachments and links in real time. They may already be on for some users, but check: under Threat policies, find Safe Attachments and Safe Links. Set the policy to scan all messages, not just those from outside your organization. For Safe Links, enable “Do not allow users to click through to original URL” — this prevents users from bypassing the warning.
3. Use Microsoft Secure Score
Secure Score is a built-in tool that grades your security posture and gives specific recommendations. Find it in the Defender portal under Secure Score. It will show you exactly which email security settings are missing or not fully configured. Aim for a score above 80% for reasonable protection. Small businesses should especially address the recommendations under “Email and collaboration.”
4. Enable multi-factor authentication (MFA)
This isn’t email-specific, but it’s the single most effective protection. If an attacker does steal a password, MFA stops them. Microsoft 365 Business Basic and higher include MFA. Enable it for all accounts — especially those with administrative privileges.
5. Educate yourself and your team
No tool catches everything. Recognize the signs: urgent requests for money or credentials, slightly misspelled domain names, unexpected attachments. The Microsoft benchmark shows that human error is still the biggest risk. Short, regular training — even just a monthly five-minute review — reduces incidents significantly.
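The portal clicks in steps 1 and 2 can also be scripted and, more usefully, audited afterwards. The following is an added example written for this article, not code from Microsoft's report; it uses the Exchange Online PowerShell cmdlets for anti-phishing, Safe Attachments and Safe Links policies, and assumes the ExchangeOnlineManagement module is installed and the account has rights to manage threat policies. The domain contoso.example, the executive names and the "Hardened" policy tag are placeholders to replace with your own values.

```powershell
# Added example (not from the benchmark report). Assumes the
# ExchangeOnlineManagement module; contoso.example and the two executives
# are placeholders for your tenant's own domain and protected senders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$Domain    = 'contoso.example'
$PolicyTag = 'Hardened'
# -TargetedUsersToProtect expects entries in the form "DisplayName;EmailAddress".
$Execs = @('Jane Doe;jane.doe@contoso.example', 'Sam Lee;sam.lee@contoso.example')

# Step 1: anti-phishing policy with impersonation protection for the
# organization's own domain and key executives, scoped by a matching rule.
New-AntiPhishPolicy -Name "AntiPhish-$PolicyTag" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Execs `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "AntiPhish-$PolicyTag" -AntiPhishPolicy "AntiPhish-$PolicyTag" `
    -RecipientDomainIs $Domain -Priority 0

# Step 2: Safe Attachments blocks messages whose attachments detonate as
# malicious; Safe Links scans URLs for internal and external senders and
# removes the option to click through to the original URL.
New-SafeAttachmentPolicy -Name "SafeAttach-$PolicyTag" -Enable $true -Action Block
New-SafeAttachmentRule -Name "SafeAttach-$PolicyTag" `
    -SafeAttachmentPolicy "SafeAttach-$PolicyTag" -RecipientDomainIs $Domain

New-SafeLinksPolicy -Name "SafeLinks-$PolicyTag" -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name "SafeLinks-$PolicyTag" -SafeLinksPolicy "SafeLinks-$PolicyTag" `
    -RecipientDomainIs $Domain

# Audit: list any Safe Links policy that still permits click-through or skips
# internal mail, and any anti-phishing policy without user impersonation
# protection. No output means the gaps described above are closed.
Get-SafeLinksPolicy |
    Where-Object { $_.AllowClickThrough -or -not $_.EnableForInternalSenders } |
    Select-Object Name, AllowClickThrough, EnableForInternalSenders
Get-AntiPhishPolicy |
    Where-Object { -not $_.EnableTargetedUserProtection } |
    Select-Object Name, EnableTargetedUserProtection, PhishThresholdLevel

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two audit queries on their own during the quarterly review suggested in the note below; a policy that reappears in the output is one that was reset or created at defaults.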
Sources
The data and recommendations in this article are based on Microsoft’s own benchmark report: “Microsoft Defender email security benchmarking: Key insights from one year of data” published in June 2026. Additional context comes from Microsoft’s Secure Score documentation and common security best practices for Microsoft 365.
Note: The benchmark covers a specific time period, and threat patterns evolve. Enable automatic updates for Defender policies and review your Secure Score quarterly.