What Microsoft’s Year of Email Security Data Reveals About Your Threats

In June 2026, Microsoft published a comprehensive analysis of email security data collected over the preceding twelve months. The report, based on telemetry from Microsoft Defender for Office 365, covers the threats that organizations face most often, the configurations that leave them exposed, and the benchmarks that security teams can use to measure their own defenses. For any IT professional or business owner responsible for email security, it is a practical dataset worth understanding.

What happened: A year of email threat telemetry

Microsoft’s report draws on aggregated, anonymized data from its customer base. While the company does not publish every raw number, several clear themes emerge from the analysis and from complementary reports by Proofpoint and Microsoft’s own earlier work on transparency in email security.

The most common threats remain what you would expect, with some shifts in volume and technique:

  • Phishing continues to be the dominant attack vector, but attackers are increasingly using conversational, socially engineered lures that bypass traditional keyword filters.
  • Business email compromise (BEC) accounts for a disproportionate share of financial loss relative to its volume. Microsoft’s data shows that BEC attempts are often low-and-slow, targeting specific individuals with carefully crafted messages.
  • Malware delivered via email has declined as a share of total threats, but the malware that does arrive is more frequently polymorphic or uses encrypted payloads to evade detection.
  • Credential harvesting remains the end goal of most phishing campaigns, with a notable rise in attacks that use legitimate services (like SharePoint or OneDrive) as hosting platforms for malicious links.

The report also highlights common misconfigurations in Microsoft Defender itself. Among the most frequent: overly permissive allow lists, disabled or misconfigured anti-spam policies, and failure to enable advanced phishing protection for high-value users (for example, executives and finance staff). According to Microsoft’s data, organizations that address these three configuration areas see a measurable reduction in successful email attacks.

Why it matters

For many security administrators, the biggest challenge is not knowing what “good” looks like. Email security metrics are often siloed, and without a baseline, it is difficult to tell whether your current blocking rate is acceptable or whether you have a blind spot.

Microsoft’s benchmark provides that baseline. By comparing your own detection rates, false positive levels, and response times against the aggregate data, you can identify gaps that would otherwise go unnoticed until a real incident occurs. The report also underscores that configuration hygiene—rather than the absence of threats—is the leading cause of exposure for most organizations.

The Proofpoint article published alongside the Microsoft report makes a similar point: measuring email security effectiveness requires looking beyond simple blocked counts and tracking what actual users report, what gets past filters, and how quickly those events are remediated.

What readers can do

Based on the findings, there are several concrete steps you can take now:

Review your allow and block lists. Overly broad allow lists are one of the most common misconfigurations. Audit any entries that bypass scanning entirely and ensure they are scoped to specific senders or domains, not entire top-level domains or generic patterns.
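The scoping check described above, as an added example (not Microsoft tooling and not code from the report): it classifies allow-list entries exported as plain strings by how much mail each one matches, and reports the broad ones. The entry syntax, the sample entries and the short public-suffix set are assumptions.

```python
import re

# Assumption: illustrative multi-label public suffixes; a real audit would load
# the full Public Suffix List instead of this short set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
BROAD_KINDS = {"match-all", "tld", "pattern"}
LABEL = re.compile(r"^[a-z0-9-]+$")


def classify(entry):
    """Return the scope of one allow-list entry: match-all, tld, pattern,
    domain, address or invalid."""
    text = entry.strip().lower()
    if not text:
        return "invalid"
    local, at, domain = text.rpartition("@")
    bare = domain[2:] if domain.startswith("*.") else domain
    if bare in ("", "*"):
        return "match-all"              # "*", "*@*", "*.*" style entries
    if "*" in bare or "?" in bare:
        return "pattern"                # wildcard inside the domain name
    labels = bare.strip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "invalid"
    if len(labels) == 1 or ".".join(labels) in MULTI_LABEL_SUFFIXES:
        return "tld"                    # whole TLD or public suffix
    if at and local not in ("", "*"):
        return "pattern" if "*" in local else "address"
    return "domain"                     # one domain, optionally with subdomains


def audit(entries):
    """Return (entry, kind) for every entry that is broad or unparseable."""
    findings = [(entry, classify(entry)) for entry in entries]
    return [f for f in findings if f[1] in BROAD_KINDS or f[1] == "invalid"]


# Constructed sample entries (not from the report); .example names are reserved.
SAMPLE = [
    "ap@vendor.example", "partner.example",
    "*.com", "*@*",
    "*.co.uk", "*invoice*@vendor.example",
    "*.mail.partner.example",
]

if __name__ == "__main__":
    for entry, kind in audit(SAMPLE):
        print(f"{kind:10} {entry}")
```

Entries classified as domain or address still bypass scanning for that sender, so each one needs a current business justification even when its scope is narrow.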

Enable advanced phishing protection. Microsoft Defender offers features such as impersonation protection for your leadership team and specific business partners. If you have not configured these, you are likely missing a significant slice of targeted attacks.

Check your anti-spam policy thresholds. The default settings are reasonable for many organizations, but if you are seeing high false positives, adjust the bulk email threshold and safe sender lists carefully. Test changes in a small group before rolling out organization-wide.

Monitor user-reported phishing. Telemetry in the report shows that user reporting is still one of the most effective signals for detecting new threats. Ensure that your users know how to report suspicious email and that your security team actually reviews those reports.

Use the benchmarks as a starting point, not a destination. Microsoft’s data is aggregated; your organization’s risk profile, user behavior, and threat landscape may differ. Use the numbers to set internal goals, but adapt them to your environment.

Sources

  • Microsoft – “Microsoft Defender email security benchmarking: Key insights from one year of data” (June 15, 2026)
  • Microsoft – “Clarity in complexity: New insights for transparent email security” (December 10, 2025)
  • Microsoft – “From transparency to action: What the latest Microsoft email security benchmark reveals” (March 12, 2026)
  • Proofpoint – “Seeing the Full Picture: How to Measure Email Security Effectiveness the Right Way” (June 16, 2026)

These articles provide additional context on how Microsoft collects and presents its benchmark metrics, as well as independent perspectives on measuring email security performance.