What One Year of Microsoft Defender Data Reveals About Email Threats

What One Year of Microsoft Defender Data Reveals About Email Threats

Microsoft published its latest email security benchmark report in June 2026, based on telemetry collected across its Defender for Office 365 user base over the preceding twelve months. The report offers a snapshot of the volume and types of email-borne attacks that the platform detected and blocked, and it highlights trends that anyone using Microsoft 365 should be aware of. This article summarizes the key findings and translates them into practical steps you can take to improve your own email security.

What the Benchmark Report Found

According to Microsoft’s data, the service blocked roughly 35 billion malicious emails per month during the study period. That figure alone is staggering, but the breakdown of attack types is more useful for everyday users. The most common threat was phishing, which accounted for about 65% of all blocked email threats. Malware made up roughly 20%, and business email compromise (BEC) attempts—where an attacker impersonates a trusted executive or vendor—represented about 10% of blocked threats. The remaining 5% included spam that evaded basic filters, credential harvesting links, and targeted spear-phishing.

The report also noted a slight increase in BEC attacks compared to the previous year, while traditional malware attachments declined. Attackers appear to be shifting toward social engineering tactics that bypass technical defenses—for example, sending messages that contain no malicious links or attachments but instead rely on urgent language to trick recipients into sending money or credentials.

These numbers come from Microsoft’s own telemetry, and independent verification of the methodology or results is not yet available. Still, the dataset is large enough to warrant attention.

Why This Matters for Microsoft 365 Users

If you use Microsoft 365—whether as an individual, a small business, or part of a larger organization—these statistics reflect the reality of what lands in your inbox every day. The default spam and phishing filters in Exchange Online and Defender have become more effective over time, but no filter catches everything. The fact that phishing remains the dominant attack vector means that human judgment remains the weakest link. Attackers are not breaking through the technical barriers; they are going around them by targeting the person reading the email.

Small business owners are especially vulnerable because they often lack dedicated IT security staff. A single successful phishing attack can lead to account takeover, data loss, or wire fraud.

Practical Steps You Can Take

The report’s data reinforces several straightforward measures that everyone can implement:

• Enable multi-factor authentication (MFA) on all Microsoft 365 accounts. This is the single most effective defense against credential theft. Microsoft’s own data suggests that MFA can block over 99% of automated attacks. If you haven’t enabled it yet, do it today.
• Review your spam and phishing filter settings. In the Microsoft 365 Defender portal, check that anti-phishing policies are set to the highest level that is practical for your users. Enable “impersonation protection” to flag messages that mimic your domain or key executives.
• Train yourself and your team to recognize suspicious emails. Look for generic greetings, mismatched sender addresses, unusual urgency, and requests that break normal workflow. The best technical filter is a well-trained user.
• Report suspicious messages. Use the “Report Message” add-in in Outlook to send phishing attempts to Microsoft for analysis. This helps improve detection for everyone.
• Set up forwarding rules carefully. BEC attackers often gain access and then create forwarding rules to intercept sensitive emails. Regularly audit forwarding rules in your tenant.

Limitations of the Data

It is important to note that this benchmark report is produced by Microsoft and reflects only what Defender detected and blocked. It does not account for attacks that evaded detection or that targeted users of other email providers. Independent security researchers have not yet validated the figures. Consider the trends suggestive rather than definitive.

Sources

• Microsoft. “Microsoft Defender email security benchmarking: Key insights from one year of data.” June 2026. [Link to article] (Microsoft’s official report, as covered by Google News).