What Microsoft’s email security data reveals about today’s biggest threats

If you administer a Microsoft 365 tenant or run a small business that relies on Exchange Online, you’ve probably wondered how effective the built-in email protection really is. Microsoft recently published a year’s worth of benchmark data from Defender for Office 365, and the numbers offer a grounded look at what threats are actually getting through — and where the filters are holding.

The report covers detection rates, false positive percentages, and the most common attack vectors observed across millions of mailboxes. It is not a sales pitch; it is a transparent accounting of what Defender sees in real traffic. Here is what stood out, and what you can do with the information.

What happened

Microsoft shared telemetry from one year of Defender for Office 365 usage, spanning phishing, spam, and malware detections. The data showed that:

  • Phishing remains the dominant threat, accounting for roughly two‑thirds of all malicious email detected. Credential‑theft links were the most frequent payload, often disguised as legitimate notifications from services like DocuSign or SharePoint.
  • Business email compromise (BEC) attacks are climbing, with attackers increasingly using social engineering rather than malware. These emails often contain no link or attachment, making them harder for traditional filters to catch.
  • Detection rates were high for known threats, but zero‑hour phishing — attacks using newly created domains or recently compromised accounts — still slips through at a higher rate. Defender caught roughly 99% of bulk spam and known malware, but detection for targeted phishing that bypassed initial checks was lower, around 93%.
  • False positive rates remained low — under 0.1% for spam and around 0.01% for phishing — meaning the noise of wrongly blocked legitimate email is minimal for most organizations.

The data comes from Defender’s built‑in benchmarking, which compares each tenant’s detection performance against aggregated industry baselines.

Why it matters

These numbers confirm what many IT admins already suspect: out‑of‑the‑box Microsoft 365 security handles volume threats well, but sophisticated, targeted attacks require extra layers. If your organization relies only on default protection, you are likely missing the attacks that matter most — the ones designed to trick a CFO into wiring funds or an HR manager into sharing payroll data.

The low false positive rate is reassuring: you do not have to worry that tightening security will break your inbox. But the gap between bulk detection and targeted detection is where most breaches happen. Attackers know that standard filters are strong, so they adapt with slow, patient campaigns that look almost identical to real business correspondence.

What readers can do

You can improve your email security posture without a full security overhaul. Based on the benchmark insights, here are concrete steps:

  1. Turn on anti‑phishing policies for your entire domain. Many organizations leave them at default or only apply them to priority accounts. The data shows that targeted phishing is the area where Defender underperforms relative to bulk threats. Enabling impersonation protection — checking sender display names and addresses against those of protected users such as your CEO, for example — can catch a significant portion of these attacks.

  2. Use mailbox intelligence. Defender can learn who each user normally corresponds with. If an email from an external address mimics a known partner but the domain is slightly off, it will be flagged. This feature is available but not always toggled on.

  3. Enable Safe Links and Safe Attachments sandboxing. These add a layer of analysis for any URL or file that passes initial filters. The benchmark data shows that Safe Links in particular reduce click‑through rates for phishing emails by more than half when users are warned before opening a suspicious link.

  4. Monitor your benchmark report monthly. Defender provides a “Security & Compliance” dashboard that shows your tenant’s detection rates compared to the average. If your phishing detection falls below 90%, investigate your policy configuration before attackers exploit the gap.

  5. Train users to report suspicious emails. Even the best filter will miss something. The report found that users who report phishing alerts (via the Report Message add‑in) give Defender additional signals that improve detection for the whole tenant. Make reporting easy and non‑punitive.
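As a concrete illustration of steps 1 through 4 above, here is an added Exchange Online PowerShell script; it is not from the article or from Microsoft's benchmark post. It assumes the ExchangeOnlineManagement module is installed and you hold a role that can edit threat policies; the domain, policy names and the executive entry are placeholders.

```powershell
# Added example (not from the article or Microsoft's post): applies steps 1-4
# with Exchange Online PowerShell. Domain, names and addresses are placeholders.
Connect-ExchangeOnline

$Domain     = 'contoso.example'                           # placeholder tenant domain
$Executives = @('Jane Doe;jane.doe@contoso.example')      # placeholder "Display Name;address" pairs

# Steps 1 and 2: one anti-phishing policy for the whole domain, with user and
# domain impersonation protection, mailbox intelligence and spoof intelligence
# switched on. Several of these are off in the default policy.
New-AntiPhishPolicy -Name 'Benchmark-AntiPhish' `
    -Enabled $true `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -EnableUnauthenticatedSender $true `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -PhishThresholdLevel 2
# The rule binds the policy to every recipient in the domain, not just priority accounts.
New-AntiPhishRule -Name 'Benchmark-AntiPhish' -AntiPhishPolicy 'Benchmark-AntiPhish' `
    -RecipientDomainIs $Domain

# Step 3: Safe Links (URL rewriting with time-of-click scanning, click-through blocked)
# and Safe Attachments (detonation sandbox, block on malicious verdict).
New-SafeLinksPolicy -Name 'Benchmark-SafeLinks' -EnableSafeLinksForEmail $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Benchmark-SafeLinks' -SafeLinksPolicy 'Benchmark-SafeLinks' `
    -RecipientDomainIs $Domain

New-SafeAttachmentPolicy -Name 'Benchmark-SafeAttach' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'Benchmark-SafeAttach' -SafeAttachmentPolicy 'Benchmark-SafeAttach' `
    -RecipientDomainIs $Domain

# Step 4 (configuration side): verify the settings the benchmark singles out actually
# took effect, so a low phishing detection figure can be traced to policy gaps.
Get-AntiPhishPolicy -Identity 'Benchmark-AntiPhish' |
    Select-Object EnableTargetedUserProtection, EnableOrganizationDomainsProtection,
                  EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, PhishThresholdLevel

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once in a test tenant first; every cmdlet above creates objects, so rerunning it against the same tenant will fail on the duplicate policy names.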

Sources

The data and insights in this article are drawn from Microsoft’s blog post titled “Microsoft Defender email security benchmarking: Key insights from one year of data,” published June 15, 2026, on the Microsoft Security Blog. The post includes the full methodology and anonymized aggregated figures.

For deeper reading, Microsoft also published “Clarity in complexity: New insights for transparent email security” (December 2025) and “From transparency to action: What the latest Microsoft email security benchmark reveals” (March 2026), which offer additional context on how the benchmark measurements work.