What Microsoft’s Email Security Data Reveals About Today’s Biggest Phishing Threats

Email remains the most common entry point for cyberattacks, and a new benchmarking report from Microsoft—based on a full year of data from Defender for Office 365—gives us a clearer picture of how attackers are adapting. While the exact numbers are still being parsed, the trends are clear enough to warrant a closer look at how we protect our inboxes.

What happened

Microsoft released its “Microsoft Defender email security benchmarking: Key insights from one year of data” report, compiling threat telemetry from millions of mailboxes. The report covers the 12-month period ending in mid-2025 (exact dates were not specified in public summaries). According to the report, phishing remains the dominant attack method, accounting for the largest share of detected threats. Business email compromise (BEC) attempts showed a significant year-over-year increase—though precise percentages have not been publicly detailed. Notably, the report also highlights the growing use of AI-generated text in phishing emails, making fraudulent messages harder to distinguish from legitimate correspondence.

Other key observations include:

  • Attackers are increasingly targeting specific roles within organizations, such as executives and finance personnel.
  • Credential theft remains a primary goal, especially through convincing login page look-alikes.
  • Malware delivery via email attachments has declined relative to phishing links, but remains a threat in targeted campaigns.

These findings are part of Microsoft’s broader effort to increase transparency around email security. The company has also published related reports on “Clarity in complexity” and “From transparency to action,” which reinforce the same themes.

Why it matters

For everyday users, the report’s key takeaway is that email attacks are becoming more sophisticated. AI-generated language can mimic a colleague’s or vendor’s writing style, and the traditional “spelling errors and weird formatting” telltale signs are less reliable. BEC attacks, where attackers impersonate a trusted person to request money or sensitive data, are especially dangerous because they often bypass technical filters by not containing any malicious links or attachments.

The targeting of specific roles means that even if you’re not an executive, your organization may be at risk if attackers view you as a stepping stone to someone else. A compromised finance department email can lead to fraudulent wire transfers. The rise in BEC suggests attackers are investing more in research and social engineering, not just volume.

For IT professionals, the data reinforces the need for layered defenses. No single tool—whether it’s email filtering, multi-factor authentication, or user training—is sufficient on its own.

What readers can do

You don’t need to be a security expert to reduce your risk. Based on the patterns in the report, here are practical steps:

  1. Enable multi-factor authentication (MFA) on your email account. This is the single most effective defense against credential theft. If your email provider supports it, use it—preferably with an authenticator app rather than SMS.

  2. Verify unexpected requests by a separate channel. If you receive an email asking for a payment, a password reset, or sensitive information—especially if it seems urgent—call the sender or use a known phone number to confirm. Do not reply to the email or use any contact information provided in the message.

  3. Pay attention to the language, not just the formatting. AI-generated phishing emails can be grammatically perfect but may still feel slightly off—overly formal or too generic. Trust your instincts. If an email feels unusual, treat it with suspicion.

  4. Use email filtering and anti-phishing features. If your email service offers advanced threat protection (such as Microsoft Defender for Office 365, Google Workspace security, or a third-party service), enable it. These tools can detect known malicious links and attachments, and sometimes flag suspicious AI-generated content.

  5. Report suspicious emails. Most email clients have a “report phishing” button. Using it helps improve detection for everyone.

For IT administrators, consider deploying policies that require MFA for all users, enabling BEC detection rules in your email security platform, and running regular phishing simulations to train staff.
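To make the idea of a BEC detection rule concrete, here is an added example (not taken from Microsoft's report and not Defender's own detection logic) that checks one message for the traits described above: a trusted person's name on an unfamiliar address, replies routed elsewhere, an urgent money or credential request, and no link or attachment for a scanner to inspect. The TRUSTED_SENDERS directory, the word lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical directory of people attackers are likely to impersonate.
TRUSTED_SENDERS = {"dana reyes": "dana.reyes@example.com"}
REQUEST = re.compile(r"\b(wire|payment|invoice|bank details|gift cards?|password)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def bec_signals(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    signals = []
    # A trusted person's display name on an address that is not theirs.
    known = TRUSTED_SENDERS.get(name.strip().lower())
    if known and addr.lower() != known:
        signals.append("display-name-impersonation")
    # Replies silently routed to a different domain than the visible sender.
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        signals.append("reply-to-domain-mismatch")
    # Money or credential request combined with pressure to act quickly.
    if REQUEST.search(body) and URGENCY.search(body):
        signals.append("urgent-payment-or-credential-request")
    # Text-only: nothing for a link or attachment scanner to inspect.
    if signals and not LINK.search(body) and not list(msg.iter_attachments()):
        signals.append("no-link-or-attachment")
    return signals

# Constructed sample messages (not real mail).
SUSPECT = """\
From: Dana Reyes <dana.reyes@example-payments.test>
Reply-To: accounts@mailbox.test
Subject: Vendor payment

Please send the wire to the new bank details today. This is urgent.
"""
BENIGN = """\
From: Dana Reyes <dana.reyes@example.com>
Subject: Lunch

The invoice review can wait until next week.
"""
print(bec_signals(SUSPECT), bec_signals(BENIGN))
```

The benign message mentions an invoice but carries no urgency and comes from the known address, so it produces no signals. A production rule would weigh these indicators together with sender authentication results rather than rely on keywords alone.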

Sources

  • Microsoft. “Microsoft Defender email security benchmarking: Key insights from one year of data.” Microsoft Security Blog. June 2025.
  • Microsoft. “Clarity in complexity: New insights for transparent email security.” Microsoft Security Blog. December 2025.
  • Microsoft. “From transparency to action: What the latest Microsoft email security benchmark reveals.” Microsoft Security Blog. March 2026.

Note: The exact figures from the benchmarking report have not been publicly released in full detail as of this writing. The trends described here are drawn from the report’s executive summary and related Microsoft publications.