Microsoft says Defender leads email security benchmark after a year of telemetry
#Cybersecurity

Cloud Reporter

Microsoft’s yearlong benchmark gives security teams a production-based comparison of Defender, secure email gateways, and ICES tools.

Microsoft said the first year of its email security benchmark shows Defender for Office 365 missed fewer high-severity threats than secure email gateway vendors and performed most of the post-delivery remediation of malicious mail in the integrated cloud email security (ICES) deployments it evaluated.

Microsoft builds the benchmark on production telemetry

Microsoft launched the benchmark program in July 2025 to replace lab-style comparisons with production telemetry. The company publishes the data each quarter for Microsoft Defender for Office 365, secure email gateways, and integrated cloud email security vendors.

The latest report covers February through April 2026 and closes the first year of data. Microsoft said Defender missed 59% fewer high-severity threats than the closest secure email gateway vendor during the quarter. Across the full year, the nearest gateway vendor recorded 2.5 times as many misses as Defender.

Microsoft uses a strict definition for gateway misses: if a tool fails to stop a high-severity threat before delivery, Microsoft counts the message as a miss. That framing matters for buyers because pre-delivery filtering still sets the baseline for email defense. Every missed phish or malware message shifts work to users, analysts, and post-delivery tools.

Defender and ICES serve different roles

Microsoft’s data gives security leaders a clearer split between Defender, secure email gateways, and ICES tools. Defender led in pre-delivery high-severity threat detection, while ICES vendors added more value in promotional and bulk email filtering.

Across four quarters, Microsoft reported an average 15% uplift from ICES vendors for promotional filtering. During the latest quarter, ICES tools improved promotional and bulk mail filtering by 16.85% on average. That result gives companies with noisy inboxes a business case for extra filtering, because users spend less time sorting newsletters, vendor campaigns, and bulk messages.

ICES vendors contributed far less to malicious and spam catch. Microsoft said ICES tools added 0.13% malicious catch and 0.28% spam catch in the latest quarter, down from 0.24% and 0.29% in the prior report.

Security teams should read that result with care. A low malicious uplift does not mean an ICES layer has no value in a given environment. It does mean buyers should demand proof against their own mail flow, threat profile, and operational cost. If an ICES product helps with impersonation patterns, executive protection, or abuse cases that matter to one company, the team should test those outcomes before adding another console and policy layer.

Microsoft pushes post-delivery remediation

Microsoft said Defender’s share of post-delivery malicious catch rose from 45% in an earlier report to 96.03% in the latest quarter. The company framed that improvement as a result of product changes shaped by the benchmark program and its ICES vendor ecosystem.

Chart: post-delivery malicious catch contribution from February to April 2026 across ICES vendors, with Microsoft Defender providing the large majority of remediation at roughly 96% on average.

Post-delivery remediation matters because attackers change infrastructure, sender patterns, and payload behavior after the first scan. A message can look benign at delivery, then point users to a hostile site minutes later. Analysts need tools that revisit mail after delivery, remove threats from inboxes, and preserve evidence for investigation.

Microsoft connected the benchmark trend to several product updates. The company added a Promotions folder in Outlook to separate legitimate bulk mail from priority messages without sending those messages to Junk. Microsoft also introduced an agentic grading system in November 2025 for submitted email review, which the company said reduces manual review in its analysis pipeline.

Microsoft also tied the report to Microsoft Security Copilot. The company said the Alert Triage Agent helps analysts classify user-reported phishing messages, resolve false positives, and escalate confirmed threats. Microsoft reported that analysts identify 6.5 times more malicious alerts, improve verdict accuracy by 77%, and spend 53% more time on real threats when they use the tool.

Buyers should compare cost, coverage, and operations

The report gives security leaders a practical sourcing question: Does a separate gateway or ICES layer improve security enough to justify the license cost, mail-flow complexity, and analyst workload?

For Microsoft 365 customers, Defender has a platform advantage. Microsoft controls Exchange Online, Outlook experiences, mailbox telemetry, identity context, and parts of the investigation workflow. That lets Microsoft connect pre-delivery scanning, post-delivery removal, user reporting, and analyst triage across one stack.

Third-party vendors can still earn a place. Some companies want vendor diversity because they distrust single-provider dependence. Others need specialized controls, regional support, custom detection logic, or continuity during a Microsoft outage. ICES tools can also give security teams a second analytic opinion without forcing a mail-routing change.

The migration trade-off depends on architecture. Replacing a secure email gateway with Defender can reduce mail hops and policy duplication, but the security team must rework transport rules, allow lists, quarantine workflows, phishing simulations, and user reporting. Adding ICES on top of Defender can avoid a full gateway migration, but analysts may inherit overlapping alerts and competing verdicts.

Pricing also needs a full operational view. Buyers should compare Microsoft 365 licensing, third-party subscription fees, implementation effort, incident volume, analyst time, false-positive handling, and user productivity. A tool that catches a small number of extra malicious messages may still pay for itself in a high-risk environment. A tool that duplicates Defender verdicts may drain budget and analyst attention.

Microsoft’s benchmark strengthens Defender’s case for Microsoft 365-centered organizations. Security teams should still run a proof of value against their own mailboxes, because aggregate telemetry can hide industry-specific attacks, regional sender patterns, and executive targeting.

The practical path starts with measurement. Security teams should count pre-delivery misses, post-delivery removals, false positives, user-reported phish, analyst hours, and promotional mail volume before they change providers. Then they can compare Defender, gateway, and ICES options with evidence from their own environment.
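One way to turn that measurement into figures that line up with the report's own metrics, as an added example that is not Microsoft's code, benchmark data, or any vendor's API: the script below scores each layer on a proof-of-value mail sample using the definitions the article gives (a high-severity threat not stopped before delivery is a miss even if something removes it later; post-delivery share is the fraction of post-delivery removals a layer performed; uplift is the fraction of a mail class that only the extra layer caught). The layer names, message records, and verdicts are constructed sample data.

```python
"""Score email-security layers on a proof-of-value sample.

Added example, not Microsoft's benchmark code or data. Layer names
("defender", "gateway", "ices"), message ids and verdicts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One sampled message with analyst ground truth and each layer's verdict."""
    msg_id: str
    truth: str                 # analyst label: high_severity | spam | promo | clean
    pre_blocked_by: frozenset  # layers whose pre-delivery verdict was "block"
    post_removed_by: frozenset  # layers that removed it from mailboxes after delivery


def pre_delivery_misses(messages, layer):
    """Article's definition: a high-severity threat the layer did not stop before
    delivery counts as a miss, whether or not anything removed it afterward."""
    return sum(1 for m in messages
               if m.truth == "high_severity" and layer not in m.pre_blocked_by)


def relative_miss_reduction(messages, layer, competitor):
    """Fraction fewer misses than the competitor (0.59 means 'missed 59% fewer').
    Returns None when the competitor missed nothing, since the ratio is undefined."""
    theirs = pre_delivery_misses(messages, competitor)
    if theirs == 0:
        return None
    return 1.0 - pre_delivery_misses(messages, layer) / theirs


def post_delivery_share(messages, layer):
    """Share of post-delivery removals of malicious mail that this layer performed."""
    removals = [m for m in messages
                if m.truth == "high_severity" and m.post_removed_by]
    if not removals:
        return 0.0
    return sum(1 for m in removals if layer in m.post_removed_by) / len(removals)


def layer_uplift(messages, base, extra, truth):
    """Fraction of messages of class `truth` that `base` let through pre-delivery
    and `extra` blocked: the uplift an ICES layer adds over the platform filter."""
    in_class = [m for m in messages if m.truth == truth]
    if not in_class:
        return 0.0
    only_extra = sum(1 for m in in_class
                     if base not in m.pre_blocked_by and extra in m.pre_blocked_by)
    return only_extra / len(in_class)


def false_positives(messages, layer):
    """Clean messages the layer blocked before delivery (user-visible cost)."""
    return sum(1 for m in messages
               if m.truth == "clean" and layer in m.pre_blocked_by)


def scorecard(messages, layers, base="defender", extra="ices"):
    """Per-layer summary a buyer can set beside license cost and analyst hours."""
    card = {
        layer: {
            "pre_delivery_misses": pre_delivery_misses(messages, layer),
            "post_delivery_share": post_delivery_share(messages, layer),
            "false_positives": false_positives(messages, layer),
        }
        for layer in layers
    }
    card["uplift_of_" + extra] = {
        t: layer_uplift(messages, base, extra, t)
        for t in ("high_severity", "spam", "promo")
    }
    return card


# Constructed sample: ten messages with independent (monitor-mode) verdicts.
SAMPLE = [
    Message("m1", "high_severity", frozenset({"defender", "gateway"}), frozenset()),
    Message("m2", "high_severity", frozenset({"defender"}), frozenset()),
    Message("m3", "high_severity", frozenset(), frozenset({"defender"})),  # removed later
    Message("m4", "high_severity", frozenset({"defender", "gateway"}), frozenset()),
    Message("m5", "high_severity", frozenset(), frozenset({"ices"})),      # removed later
    Message("m6", "promo", frozenset({"ices"}), frozenset()),
    Message("m7", "promo", frozenset({"defender", "ices"}), frozenset()),
    Message("m8", "promo", frozenset(), frozenset()),
    Message("m9", "spam", frozenset({"defender", "gateway"}), frozenset()),
    Message("m10", "clean", frozenset({"gateway"}), frozenset()),
]

if __name__ == "__main__":
    for layer, stats in scorecard(SAMPLE, ["defender", "gateway", "ices"]).items():
        print(layer, stats)
    print("defender vs gateway miss reduction:",
          relative_miss_reduction(SAMPLE, "defender", "gateway"))
```

On the constructed sample, m3 and m5 are counted as misses for every layer that let them through pre-delivery even though they were removed afterward, which is the strictness the article attributes to Microsoft's definition; the ICES layer shows uplift on promotional mail but none on high-severity threats, so the scorecard separates the two arguments a vendor might blur together.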

Microsoft’s latest email security benchmarking data gives buyers a stronger baseline for that comparison. The value comes from using the benchmark as a starting point, then testing each vendor against the messages that reach the company’s users.
