What Microsoft’s new email security benchmark reveals about phishing and misconfigurations
Microsoft recently published its first annual email security benchmarking report, based on a year’s worth of telemetry from Defender for Office 365. The report is meant to give organizations a clearer picture of the threats hitting their inboxes and, just as importantly, where their own configurations are leaving gaps. If you manage a Microsoft 365 tenant – or if you’re a security-conscious user trying to understand what your IT team should be checking – the findings are worth a close look.
What happened
Microsoft aggregated anonymized data from millions of mailboxes protected by Defender for Office 365 over the course of a year. The goal was to establish a baseline: what kinds of attacks are most common, how effective Defender’s default protections are, and where the most frequent policy misconfigurations occur. The company then built a benchmarking tool that lets tenant admins compare their own security posture against industry peers.
The report highlights three major threat categories:
- Phishing – including credential harvesting and social engineering attempts.
- Business email compromise (BEC) – targeted impersonation of executives or vendors to trick recipients into wiring money or sharing sensitive data.
- Malware delivery – emails carrying malicious attachments or links.
It also calls out recurring misconfigurations that weaken protections, such as overly permissive anti-spam policies, lack of DMARC enforcement, and failure to enable anti-phishing safeguards for high-profile users.
Why it matters
For anyone relying on Microsoft 365, this report is a reality check. Email remains the single most common vector for cyberattacks. The data suggests that many organizations are not fully using the security features they already have – either because policies were set too loosely to avoid false positives, or because administrators were unaware that certain protections had been left at defaults that are not always optimal.
Common misconfigurations like not enforcing DMARC validation or not enabling impersonation protection for executives are straightforward to fix, yet they can dramatically reduce the risk of successful BEC attacks. The report’s benchmarking tool provides a score that allows you to see how your tenant stacks up against similar organizations, which can be a useful starting point for internal discussions about where to invest security effort.
What readers can do
If you manage a Microsoft 365 tenant (or if you’re a decision-maker in a small business), here are practical steps you can take based on the report’s insights:
Run the Defender benchmarking tool. In the Microsoft 365 Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies > Benchmarking. This tool compares your tenant’s settings against a cross-industry baseline. It will flag policies that are unusually permissive and suggest improvements.
Review your anti-spam and anti-phishing policies. Check that your default anti-spam policy isn’t set to “no action” for high-confidence spam or phishing. Enable anti-phishing protection for your most targeted accounts – typically executives, finance, and HR staff. Turn on impersonation protection and add known domains that attackers might spoof.
Implement DMARC, DKIM, and SPF. The report notes that many organizations still lack proper email authentication. Without DMARC, attackers can spoof your domain more easily. Microsoft provides guidance on setting up these records in the admin center. If you already have them, verify they’re set to “reject” or “quarantine” rather than “none.”
Educate users about BEC and phishing. The human element can’t be fixed with policies alone. Run simulated phishing campaigns (Defender has built-in simulation tools) and remind staff to verify unusual payment requests through a second channel.
Review allowed and blocked lists. Overly permissive allow lists can bypass filters for domains that later become compromised. Periodically audit your tenant’s allow/block lists and remove entries that are no longer needed.
Monitor the benchmark regularly. The threat landscape changes, and so do Defender’s default recommendations. Microsoft plans to update the benchmarking data periodically. Set a quarterly reminder to re-check your score and adjust policies accordingly.
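The email-authentication check from the steps above, as an added example that is not Microsoft's tooling or code from the report: it grades DMARC and SPF TXT records the way the advice says (p=reject or p=quarantine rather than p=none, and an SPF record that ends in -all), and goes slightly beyond the article by also flagging the sp=, pct= and rua= tags. The records in SAMPLES are constructed, not any real domain's DNS data; fetching the live records is left to your DNS tooling.

```python
def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC TXT record into {tag: value}, tag names lowercased."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def grade_dmarc(record: str) -> tuple:
    """Return ('ok' | 'weak' | 'missing', findings) for a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no DMARC record (v=DMARC1 tag absent)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    if policy != "none" and tags.get("sp", policy).lower() == "none":  # sp= defaults to p=
        findings.append("sp=none: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return ("weak" if findings else "ok"), findings

def grade_spf(record: str) -> tuple:
    """Grade an SPF record by its terminal 'all' mechanism (-all strict, ~all soft, +all open)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", ["no SPF record (v=spf1 absent)"]
    findings = []
    tail = terms[-1].lower()
    if tail in ("+all", "all", "?all"):
        findings.append(f"{tail}: every sender passes SPF for this domain")
    elif tail == "~all":
        findings.append("~all: spoofed mail softfails instead of failing outright")
    elif tail != "-all":
        findings.append("no terminal 'all' mechanism: unlisted senders are not rejected")
    return ("weak" if findings else "ok"), findings

def audit(records: dict) -> dict:
    """Grade a {name: txt_record} map; DMARC and SPF are told apart by the v= tag."""
    return {name: (grade_dmarc(rec) if rec.upper().startswith("V=DMARC1")
                   else grade_spf(rec))[0] for name, rec in records.items()}

# Constructed sample records, not any real domain's DNS data
SAMPLES = {
    "dmarc-monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dmarc-enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "spf-soft": "v=spf1 include:spf.protection.outlook.com ~all",
    "spf-strict": "v=spf1 include:spf.protection.outlook.com -all",
}
```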
Sources
- Microsoft. “Microsoft Defender email security benchmarking: Key insights from one year of data.” Microsoft Security Blog, June 2026.
- Microsoft. “Clarity in complexity: New insights for transparent email security.” Microsoft Security Blog, December 2025.
- Microsoft. “From transparency to action: What the latest Microsoft email security benchmark reveals.” Microsoft Security Blog, March 2026.
- Microsoft. “Detecting and mitigating common agent misconfigurations.” Microsoft Security Blog, February 2026.
- Proofpoint. “Seeing the Full Picture: How to Measure Email Security Effectiveness the Right Way.” Proofpoint Blog, June 2026.