What Microsoft’s Year of Email Security Data Reveals About Today’s Threats
Email remains the most common entry point for cyberattacks. That’s not a new claim, but the scale of the problem is easy to underestimate. Microsoft recently published a comprehensive year-long benchmark of email security threats detected by Microsoft Defender for Office 365. The data covers mid-2025 through mid-2026 and gives us a rare, large-scale look at what attackers are actually doing and how well defenses hold up.
If you run a small business or manage IT for an organization with limited resources, this information isn’t just interesting — it’s actionable.
What happened
Microsoft analyzed telemetry from millions of mailboxes protected by Defender for Office 365. The benchmark tracks detection accuracy, false positive rates, response times, and the types of threats most commonly encountered. According to their reports, phishing attempts increased by about 40% year-over-year. Credential theft — phishing designed to steal usernames and passwords — was the single most common vector, followed by business email compromise (BEC) and ransomware delivery via malicious attachments or links.
The numbers also show that the defense side is improving in some areas. Microsoft claims a catch rate of 99.9% for known malware and a false positive rate of roughly 0.1% — meaning very few legitimate emails are incorrectly flagged as dangerous. But these are platform averages, and they mask variation: emerging or highly targeted attacks can still slip through.
Why it matters
For a small business owner, the implication is straightforward: attackers are betting that you rely on basic email filtering or no filtering at all. Credential phishing is cheap to run and effective when people aren’t expecting it. Business email compromise — where an attacker impersonates a colleague or vendor — doesn’t require technical sophistication, just a plausible story and a sense of urgency.
The benchmark data confirms that these tactics are not isolated. They are systematic and increasing. Ransomware delivery through email also remains a threat, often using attachments that mimic invoices, shipping notices, or legal documents.
If you are responsible for email security in a small organization, the key metric to watch is not just whether your filter catches threats, but how many false positives it generates. Too many false positives lead users to ignore warnings or whitelist dangerous senders.
What readers can do
You can apply the lessons from Microsoft’s benchmark without buying a new product. Here are concrete steps that apply to any email system:
Enable multi-factor authentication everywhere. Credential theft is the top vector, but MFA blocks the vast majority of stolen-password attacks. Even SMS-based MFA, while not the most secure, is vastly better than nothing. For small businesses, requiring MFA for all accounts — especially those with access to financial systems — is the single highest-impact change.
Review email forwarding rules. Business email compromise often works by an attacker setting up a forwarding rule to silently copy messages from an executive’s inbox. Regularly audit forwarding rules for your domain. Microsoft and Google both provide simple tools to see who has forwarded mail externally.
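One way to run that audit on Microsoft 365, as an added example that is not code from the Microsoft post: it lists mailbox-level forwarding and user inbox rules that forward or redirect mail outside the tenant, using the ExchangeOnlineManagement PowerShell module. The internal domain list and the role requirements are assumptions you must replace with your own.

```powershell
# Added example: audit forwarding in an Exchange Online tenant.
# Assumes the ExchangeOnlineManagement module is installed and your account
# holds a role that can read mailboxes and inbox rules (e.g. Exchange Administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; expect an MFA prompt

# Assumption: these are your own domains; any other domain counts as external.
$InternalDomains = @('example.com', 'example.org')   # constructed placeholder values

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Rule recipients look like "Name" [SMTP:user@domain]; mailbox forwarding looks like smtp:user@domain.
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set through admin tooling, not by the user in Outlook).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxForwarding'
            Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # 2. Inbox rules that forward, forward-as-attachment, or redirect to an external address.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress $t)) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Source   = "InboxRule:$($rule.Name)"
                    Target   = "$t"
                    KeepCopy = -not $rule.RedirectTo   # redirect rules leave no copy for the owner
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Every row is something to confirm with the mailbox owner; a redirect rule to an unfamiliar external address with no copy kept is the pattern described above and warrants an immediate password reset and session revocation.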
Use anti-phishing tools built into your email platform. If you use Microsoft 365, ensure that the default anti-phishing policies are enabled. For Google Workspace, the equivalent is “Enhanced pre-delivery message scanning.” These features inspect URLs and attachments before delivery, and they can sandbox suspicious links.
Train staff to report suspicious messages. This is still the weakest link. Run short, annual simulations — there are free or inexpensive services that let you send mock phishing emails and track who clicks. Do not punish people who fall for simulations; instead, use the results to focus training.
Check your spam filter settings. Many small organizations leave spam filters on their lowest setting to avoid missing legitimate inquiries. That’s understandable, but it lets credential phishing through. Find a middle ground: allowlist important domains but keep spam and phishing detection at a high level for unknown senders.
Monitor your own email security metrics. If you use a provider like Microsoft Defender, you can view your own catch rate and false positive rate. If not, you can still track how many phishing reports your staff submits and how many malicious messages reach inboxes.
Sources
This post draws on multiple posts from the Microsoft Security Blog, including:
- Microsoft Defender email security benchmarking: Key insights from one year of data (June 2026)
- Clarity in complexity: New insights for transparent email security (December 2025)
- From transparency to action: What the latest Microsoft email security benchmark reveals (March 2026)
A note on limitations: the benchmark covers only Microsoft Defender users, so the numbers may not perfectly represent threats targeting organizations using other email security products. The overall trends — rising phishing, credential theft dominance, and the need for multi-layered defenses — are consistent with industry reports from other vendors. The practical advice above is independent of any single platform.