What Microsoft’s year-long email security benchmark reveals about protecting your inbox

Microsoft recently published a year’s worth of email security benchmarking data from its Defender for Office 365 platform. The report aggregates telemetry from millions of organizations, offering a broad view of the threats hitting inboxes and the configuration gaps that leave them vulnerable. For IT teams and business decision-makers, the numbers are a useful reality check — and a starting point for making practical improvements.

What happened

The benchmark compiles anonymized data collected over roughly 12 months from Microsoft Defender for Office 365 customers. It covers threat volumes (phishing, malware, spam), detection and response metrics, and the state of security policies across organizations of varying sizes and industries. Microsoft has released similar reports in the past, but this one includes more granular comparisons — such as how small businesses fare against enterprises, and which sectors face the highest risk from specific attack vectors.

Key findings from the report include:

  • Phishing remains the dominant threat, accounting for the majority of malicious emails detected. Credential-harvesting campaigns, often disguised as routine notifications, were particularly widespread.
  • Configuration issues are common. For example, many organizations had not enabled anti-phishing policies for their most targeted users, such as executives or finance teams. Others had not set up safe attachments or safe links policies, leaving default settings in place.
  • Detection rates vary by organization size. Smaller companies tended to have lower detection rates for advanced threats, often because they lacked dedicated security staff or had not tuned their policies.
  • Business email compromise (BEC) attacks were persistent, and many successful compromises were traced to misconfigured mailbox intelligence rules or overly permissive forwarding settings.

The report also highlights that organizations using attack simulation training saw measurable improvements in user reporting rates and a decrease in successful phishing clicks.

Why it matters

Email remains the single most common entry point for cyberattacks. Ransomware, data theft, and account takeover often start with a single malicious message that slips past defenses. The benchmark data gives security teams a rare glimpse into how their peers are performing — and where the most common failures occur.

The comparisons by industry are also instructive. For example, the report indicates that education and healthcare organizations tended to have higher click-through rates on phishing simulations, suggesting that user awareness programs in those sectors may need additional investment. Meanwhile, financial services firms generally had stronger policy enforcement but still struggled with advanced BEC techniques.

The value of the benchmark is not just in the raw numbers but in the transparency. Microsoft has publicly shared these findings to help organizations identify blind spots in their own configurations. Given that many breaches stem from missed basics — rather than zero-day exploits — this data can directly inform where to focus effort first.

What readers can do

Based on the report’s findings, here are concrete steps any organization can take:

  • Review your security policies immediately. Check that anti-phishing policies are applied to all users, especially those in high-risk roles. Enable safe attachments and safe links for everyone. These are often left on default settings that offer limited protection.
  • Run a configuration baseline against Microsoft’s Secure Score. The benchmark data shows that organizations with higher Secure Scores had fewer successful attacks. Use the score as a guide to close the most critical gaps.
  • Deploy attack simulation training. Microsoft found that organizations running regular simulations saw a significant drop in users clicking real phishing emails. Start with the built-in campaigns in Defender for Office 365.
  • Audit mailbox forwarding rules. BEC attacks frequently rely on compromised inboxes that automatically forward sensitive emails. Disable external forwarding where it is not needed, and monitor for suspicious rule creation.
  • Enable multi-factor authentication (MFA) for all mailboxes. This remains one of the most effective controls, yet many organizations still have MFA turned off for certain users. The benchmark data underscores why this is a high-priority fix.

If you manage multiple tenants or have a hybrid environment, the report also suggests using cross-tenant comparison reports to spot anomalies in your own deployment.
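
The forwarding audit from the list above, as an added example (not from Microsoft's report or this article's sources): a read-only Exchange Online PowerShell pass that shows the tenant's auto-forwarding policy and lists mailbox forwarding and inbox rules that send mail outside the tenant's own domains. It assumes the ExchangeOnlineManagement module and an admin account with read access; the helper name `Test-ExternalAddress` and the CSV file name are illustrative.

```powershell
# Added example: read-only audit of external auto-forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an account with read access
# to recipients and mail flow settings. Nothing here changes configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns. A target outside this list is treated as external
# (a subdomain that is not itself an accepted domain is also flagged).
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

function Test-ExternalAddress {   # hypothetical helper name
    param([string]$Address)
    # Handles "smtp:user@example.com" and '"User" [SMTP:user@example.com]'.
    # Directory (EX:) recipients carry no SMTP domain and return $false.
    if ($Address -match '@([A-Za-z0-9.-]+)') { return $internal -notcontains $Matches[1] }
    return $false
}

# 1. Tenant-level control: is automatic external forwarding allowed at all?
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 2. Forwarding configured on the mailbox itself.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings.Add([pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
            Rule = ''; Enabled = $true; Targets = "$($mbx.ForwardingSmtpAddress)" })
    }
    # 3. Inbox rules that forward or redirect to an external address.
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalAddress $_) }
        if ($targets) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                Rule = $rule.Name; Enabled = $rule.Enabled; Targets = ($targets -join '; ') })
        }
    }
}

# Review on screen and keep a copy for comparison with the next audit run.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding-audit.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

A policy whose AutoForwardingMode is On permits automatic external forwarding for the users it covers; each row in the CSV is a mailbox to review with its owner, and saving the file lets the next run be compared against it to spot newly created rules.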

Sources

  • Microsoft Defender email security benchmarking: Key insights from one year of data — Microsoft (June 2026)
  • From transparency to action: What the latest Microsoft email security benchmark reveals — Microsoft (March 2026)
  • Clarity in complexity: New insights for transparent email security — Microsoft (December 2025)

These articles are available on Microsoft’s official security blog. The full benchmark data is included in the Defender for Office 365 reporting console for organizations that have licensed the service.