Microsoft Security Community Blog

Phishing Triage Agent in Defender XDR: Say Goodbye to False Positives and Analyst Fatigue

Jacques_GuibertDeBruet
Sep 03, 2025

Phishing Triage Agent: AI-powered email defense for SOC teams in Microsoft Defender XDR.

Phishing remains one of the most common and dangerous attack vectors in cybersecurity. With the rise of user-reported suspicious emails, Security Operations Center (SOC) teams are overwhelmed by the volume and complexity of triage. Enter the Phishing Triage Agent, a new capability within Microsoft Defender XDR and Security Copilot that uses AI to automate phishing classification, reduce false positives, and accelerate incident response. 

 

 Image from Microsoft Learn - Microsoft Security Copilot Agents 

What’s the Issue? 

SOC analysts regularly handle a high volume of suspicious email reports, dedicating substantial time to reviewing each submission, though many prove to be non-threatening. More than 90% of cyberattacks originate from phishing, making it a primary method used to breach organizational defenses. This results in numerous alerts and potential incidents that must be triaged, prioritized, and investigated. 

Traditional rule-based systems, which were once effective for detecting known threats, now face challenges as attackers adapt their tactics and techniques. The continually changing threat landscape requires defenders to address not only advanced phishing attempts but also alert fatigue and the possibility of missing significant incidents. In this context, scalable and efficient solutions are important for enabling defenders to focus on investigating and mitigating real threats rather than addressing false positives. 

 

 Image from Microsoft Learn - Type view for the Mailflow status report 

Why It’s Urgent 

Phishing is a very popular entry point for attackers, and such attacks are growing more frequent and more advanced, leaving SOC teams struggling with incident management. The Phishing Triage Agent uses LLMs and state-of-the-art threat intelligence to quickly analyze and categorize reported emails, helping analysts focus on real threats. Integrating easily with current workflows, it offers adaptive, AI-driven insights for rapid threat detection and improved situational awareness. Through ongoing learning, it stays aligned with evolving attacker tactics and helps strengthen email security.

 

Image from Microsoft Learn - Defender for Office 365 Phishing block 

Use Cases

  • Automated Triage: Classify phishing emails without manual rules. 
  • False Positive Filtering: Reduce noise and analyst fatigue. 
  • Explainable AI: Provide clear reasoning behind verdicts. 
  • Threat Prioritization: Focus on high-risk incidents with enriched context. 
  • Compliance Auditing: Maintain logs and transparency for regulatory needs. 

 

Image from Microsoft Learn – Incident Queue with Phishing Triage Agent 

How It Works

The agent activates when a user reports a suspicious email and does the following: 

  1. Analyzes the message using LLMs. 
  2. Classifies it as normal email or phishing. 
  3. Enriches the incident with threat intelligence. 
  4. Provides a verdict with natural-language explanation. 
  5. Escalates or resolves based on severity and confidence. 

 

Image was created with AI 

It integrates with Security Copilot, enabling AI-assisted investigations and automation across Microsoft Defender XDR. 

 

Image from Microsoft Learn - Transparency and explainability in phishing triage 

Pros and Cons

This section outlines the main advantages, limitations, and licensing requirements of the Phishing Triage Agent solution.

Pros                                         | Cons                                             | License Needed
---------------------------------------------|--------------------------------------------------|-----------------------------------------
Scales phishing triage across the enterprise | Requires SCU provisioning and Defender licensing | Microsoft Defender for Office 365 Plan 2
Reduces false positives and analyst fatigue  | Currently in preview; may evolve                 | Security Copilot subscription
Provides explainable decisions               | Requires integration with Defender XDR           | SCUs and plugin configuration

The Phishing Triage Agent is a game-changer for SOC teams. By combining AI-powered analysis with human oversight, it accelerates detection, sharpens response, and strengthens organizational security posture. As phishing tactics evolve, this agent ensures your defenses stay ahead.

Getting Started with Phishing Triage Agent 

The Phishing Triage Agent in Microsoft Defender XDR and Security Copilot helps SOC teams automate and accelerate phishing email analysis. Here’s how to get started: 

 

  1. Check Prerequisites

Ensure your organization has the necessary licenses: 

    • Microsoft Defender for Office 365 Plan 2 
    • Security Copilot subscription 
    • Security Compute Units (SCUs) provisioned 
    • Defender XDR integration enabled 

Microsoft Defender for Office 365 service description  

License options for Microsoft 365 Copilot  

 

  2. Enable Phishing Triage Agent

Go to the Microsoft Defender portal: 
Settings > Email & Collaboration > Policies & Rules 
Enable the Phishing Triage Agent under Automated Investigation & Response (AIR). 

Automated investigation and response examples - Microsoft Defender for Office 365 

 

  3. Integrate with Security Copilot

In the Security Copilot interface:

    • Add the Phishing Triage Agent as a plugin 
    • Configure it to trigger when users report suspicious emails via Outlook or Defender for Office 365 

Use plugins in Microsoft Security Copilot 

 

  4. Test the Workflow

Simulate a phishing report by submitting a suspicious email. The agent will: 

    • Use LLMs to analyze the message 
    • Classify it as phishing or safe 
    • Enrich the incident with threat intelligence 
    • Provide a natural-language explanation 
    • Escalate or resolve based on severity and confidence 
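The five steps above (and the matching How It Works list earlier on the page) can be modelled end to end. The following Python is an added example written for this article, not the Phishing Triage Agent's own code and not a Microsoft API: the LLM analysis step is replaced by a small keyword-and-header heuristic, the threat-intelligence feed is a hand-built dictionary, and the reported messages, domains, scores and the 0.8 escalation threshold are all constructed for the example.

```python
"""Constructed phishing-triage pipeline modelling the five steps on the page; an added
example, not the Phishing Triage Agent's code. The LLM analysis is stood in for by a
keyword/header heuristic and the threat-intel feed is a hard-coded dict (both assumptions)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed threat-intelligence feed: domain -> (category, severity).
THREAT_INTEL = {"login-m1crosoft-verify.example": ("credential-phishing", "high"),
                "cdn.tracker-pixels.example": ("tracking", "low")}
# Constructed lure phrases (assumption: stand-in for the LLM's reading of the body).
LURE_PHRASES = ("verify your account", "password will expire", "urgent action required",
                "click here to", "confirm your identity")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class TriageResult:
    verdict: str        # "phishing" or "normal"
    confidence: float   # 0.0 .. 1.0, how sure the classifier is of the verdict
    severity: str       # "low", "medium" or "high"
    disposition: str    # "escalate", "resolve" or "analyst_review"
    explanation: str    # natural-language reasoning behind the verdict
    indicators: list = field(default_factory=list)  # domains matched in threat intel


def extract_indicators(message: dict) -> dict:
    """Step 1 (analyze): pull out the features a triage model would weigh."""
    body = message.get("body", "")
    domains = sorted({(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)})
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    reply_domain = message.get("reply_to", message["from"]).rsplit("@", 1)[-1].lower()
    return {"domains": domains, "sender_domain": sender_domain,
            "reply_to_mismatch": reply_domain != sender_domain,
            "lures": [p for p in LURE_PHRASES if p in body.lower()]}


def enrich(indicators: dict) -> list:
    """Step 3 (enrich): look up every observed URL domain in the threat-intel feed."""
    return [(d, *THREAT_INTEL[d]) for d in indicators["domains"] if d in THREAT_INTEL]


def triage(message: dict, escalate_threshold: float = 0.8) -> TriageResult:
    """Steps 2, 4 and 5: classify, explain the verdict, then escalate or resolve."""
    ind, reasons, score = extract_indicators(message), [], 0.0
    hits = enrich(ind)
    for domain, category, severity in hits:
        score += 0.6 if severity == "high" else 0.2
        reasons.append(f"URL domain {domain} is listed in threat intel as {category} ({severity})")
    if ind["lures"]:
        score += 0.15 * len(ind["lures"])
        reasons.append("body contains lure phrases: " + ", ".join(ind["lures"]))
    if ind["reply_to_mismatch"]:
        score += 0.2
        reasons.append("Reply-To domain differs from the From domain")
    score = min(score, 1.0)

    verdict = "phishing" if score >= 0.5 else "normal"
    confidence = score if verdict == "phishing" else 1.0 - score
    if any(sev == "high" for _, _, sev in hits):
        severity = "high"
    else:
        severity = "medium" if verdict == "phishing" else "low"
    # Step 5: act automatically only when confident; otherwise hand the report to an analyst.
    if confidence >= escalate_threshold:
        disposition = "escalate" if verdict == "phishing" else "resolve"
    else:
        disposition = "analyst_review"
    explanation = (f"Classified as {verdict} (confidence {confidence:.2f}, severity {severity}): "
                   + ("; ".join(reasons) or "no known-bad domains, lure phrases or header mismatches"))
    return TriageResult(verdict, confidence, severity, disposition, explanation, [h[0] for h in hits])


# Constructed user-reported messages (not real mail).
SAMPLE_REPORTS = {
    "credential_lure": {"from": "it-support@helpdesk-notices.example",
                        "reply_to": "collect@mailer-relay.example",
                        "body": "Urgent action required: your password will expire today. Click here "
                                "to verify your account: https://login-m1crosoft-verify.example/reset"},
    "newsletter": {"from": "news@vendor-updates.example",
                   "body": "Our monthly product update is here: https://www.vendor-updates.example/updates"},
    "ambiguous_hr": {"from": "hr@company.example", "reply_to": "hr-team@outsourced-hr.example",
                     "body": "Please confirm your identity before Friday using the internal portal."},
}


def triage_all() -> dict:
    """Run every constructed report through the pipeline and return the results by name."""
    return {name: triage(msg) for name, msg in SAMPLE_REPORTS.items()}
```

The part worth copying is the last step: a verdict is acted on automatically only when its confidence clears the threshold, and anything below it lands in analyst review instead of being silently resolved. That gate is where the false-positive reduction and the human oversight the page describes meet, and it is the number to revisit when the Review and Tune step shows the agent closing reports it should not.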

 Security Copilot Phishing Triage Agent in Microsoft Defender 

 

  5. Review and Tune

Use the Mailflow status report and Incident Queue to monitor: 

    • Classification accuracy 
    • False positives 
    • Analyst workload reduction 

Mail flow insights in the new EAC in Exchange Online

Prioritize incidents in the Microsoft Defender portal 

 

  6. Train Your SOC Team
    • Share explainable AI outputs with analysts to build trust 
    • Use the agent’s verdicts to guide manual investigations and reinforce learning 

Security Copilot Phishing Triage Agent in Microsoft Defender (Preview) 

 

  7. Iterate and Improve
    • Review phishing trends 
    • Update triage policies 
    • Leverage Security Copilot’s adaptive learning to stay ahead of evolving threats 

What is Microsoft Security Copilot? 

 

About the Author: Greetings! Jacques “Jack” here. I am excited to share this remarkable technology with our Defender community, as it has the potential to greatly enhance organizational protection. My role as a Microsoft Technical Trainer has shown me how valuable solutions like Security Copilot and Security AI Agents can be in strengthening defenses and accelerating response to threats. By sharing these advancements, I hope to empower you with the tools needed to safeguard your environment in an ever-evolving security landscape.  

#MicrosoftLearn #SkilledByMTT 

Updated Sep 03, 2025
Version 1.0