Phishing Triage Agent: AI-powered email defense for SOC teams in Microsoft Defender XDR.
Phishing remains one of the most common and dangerous attack vectors in cybersecurity. With the rise of user-reported suspicious emails, Security Operations Center (SOC) teams are overwhelmed by the volume and complexity of triage. Enter the Phishing Triage Agent, a new capability within Microsoft Defender XDR and Security Copilot that uses AI to automate phishing classification, reduce false positives, and accelerate incident response.
Image from Microsoft Learn - Microsoft Security Copilot Agents
What’s the Issue?
SOC analysts regularly handle a high volume of suspicious email reports, dedicating substantial time to reviewing each submission, though many prove to be non-threatening. More than 90% of cyberattacks originate from phishing, making it a primary method used to breach organizational defenses. This results in numerous alerts and potential incidents that must be triaged, prioritized, and investigated.
Traditional rule-based systems, which were once effective for detecting known threats, now face challenges as attackers adapt their tactics and techniques. The continually changing threat landscape requires defenders to address not only advanced phishing attempts but also alert fatigue and the possibility of missing significant incidents. In this context, scalable and efficient solutions are important for enabling defenders to focus on investigating and mitigating real threats rather than addressing false positives.
Image from Microsoft Learn - Type view for the Mailflow status report
Why It’s Urgent
Phishing is a very popular entry point for attackers, and such attacks are growing more frequent and advanced, leaving SOC teams struggling with incident management. The Phishing Triage Agent uses LLMs and state-of-the-art threat intelligence to quickly analyze and categorize reported emails, helping analysts focus on real threats. Integrating easily with current workflows, it offers adaptive, AI-driven insights for rapid threat detection and improved situational awareness. Through ongoing learning, it stays aligned with evolving attacker tactics and helps strengthen email security.
Image from Microsoft Learn - Defender for Office 365 Phishing block
Use Cases
- Automated Triage: Classify phishing emails without manual rules.
- False Positive Filtering: Reduce noise and analyst fatigue.
- Explainable AI: Provide clear reasoning behind verdicts.
- Threat Prioritization: Focus on high-risk incidents with enriched context.
- Compliance Auditing: Maintain logs and transparency for regulatory needs.
Image from Microsoft Learn – Incident Queue with Phishing Triage Agent
How It Works
The agent activates when a user reports a suspicious email and does the following:
- Analyzes the message using LLMs.
- Classifies it as normal email or phishing.
- Enriches the incident with threat intelligence.
- Provides a verdict with natural-language explanation.
- Escalates or resolves based on severity and confidence.
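To make the classify, enrich, explain and escalate-or-resolve flow above concrete, here is an added Python sketch written for this article; it is not Microsoft's code and does not reflect the agent's internal implementation. The threat-intelligence feed, the confidence thresholds and all function names are constructed assumptions, and the key defensive property it models is that low-confidence verdicts are routed to an analyst rather than auto-closed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed threat-intelligence feed (hypothetical indicators, not real IoCs).
KNOWN_BAD_INDICATORS = {"login-verify-example.test", "hxxp://update-example.test/reset"}

# Thresholds an SOC would tune during the "Review and Tune" step (assumed values).
AUTO_RESOLVE_MIN_CONFIDENCE = 0.90
ESCALATE_MIN_CONFIDENCE = 0.75


@dataclass
class TriageVerdict:
    message_id: str
    classification: str          # "phishing" or "normal" (LLM classifier output)
    confidence: float            # classifier confidence, 0.0 to 1.0
    indicators: List[str]        # sender domains / URLs extracted from the message
    severity: str = "low"        # raised by enrichment below
    matched_intel: List[str] = field(default_factory=list)
    explanation: str = ""


def enrich(v: TriageVerdict) -> TriageVerdict:
    """Cross-reference extracted indicators with threat intelligence and raise severity."""
    v.matched_intel = [i for i in v.indicators if i in KNOWN_BAD_INDICATORS]
    if v.matched_intel:
        v.severity = "high"          # known-bad infrastructure overrides the model verdict
    elif v.classification == "phishing":
        v.severity = "medium"
    return v


def decide(v: TriageVerdict) -> str:
    """Return 'escalate', 'resolve' or 'analyst_review'. Uncertain verdicts never auto-close."""
    if v.severity == "high" or (v.classification == "phishing" and v.confidence >= ESCALATE_MIN_CONFIDENCE):
        return "escalate"
    if v.classification == "normal" and v.confidence >= AUTO_RESOLVE_MIN_CONFIDENCE and not v.matched_intel:
        return "resolve"
    return "analyst_review"


def explain(v: TriageVerdict, action: str) -> str:
    """Plain-language rationale stored with the verdict for analysts and compliance auditing."""
    reasons = [f"model classified as {v.classification} with confidence {v.confidence:.2f}"]
    if v.matched_intel:
        reasons.append("threat intelligence matched " + ", ".join(v.matched_intel))
    reasons.append(f"severity {v.severity}")
    return f"{action}: " + "; ".join(reasons)


def triage(v: TriageVerdict) -> Dict[str, str]:
    """Run enrichment, decision and explanation; return an audit-log record for the incident."""
    enrich(v)
    action = decide(v)
    v.explanation = explain(v, action)
    return {"message_id": v.message_id, "action": action, "severity": v.severity, "explanation": v.explanation}
```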
It integrates with Security Copilot, enabling AI-assisted investigations and automation across Microsoft Defender XDR.
Image from Microsoft Learn - Transparency and explainability in phishing triage
Pros and Cons
This section outlines the main advantages, limitations, and licensing requirements of the Phishing Triage Agent solution.
| Pros | Cons | License Needed |
| --- | --- | --- |
| Scales phishing triage across the enterprise | Requires SCU provisioning and Defender licensing | Microsoft Defender for Office 365 Plan 2 |
| Reduces false positives and analyst fatigue | Currently in preview; may evolve | Security Copilot subscription |
| Provides explainable decisions | Requires integration with Defender XDR | SCUs and plugin configuration |
The Phishing Triage Agent is a game-changer for SOC teams. By combining AI-powered analysis with human oversight, it accelerates detection, sharpens response, and strengthens organizational security posture. As phishing tactics evolve, this agent ensures your defenses stay ahead.
Getting Started with Phishing Triage Agent
The Phishing Triage Agent in Microsoft Defender XDR and Security Copilot helps SOC teams automate and accelerate phishing email analysis. Here’s how to get started:
- Check Prerequisites
  Ensure your organization has the necessary licenses:
    - Microsoft Defender for Office 365 Plan 2
    - Security Copilot subscription
    - Security Compute Units (SCUs) provisioned
    - Defender XDR integration enabled
  See: Microsoft Defender for Office 365 service description
  See: License options for Microsoft 365 Copilot
- Enable Phishing Triage Agent
  In the Microsoft Defender portal, go to Settings > Email & Collaboration > Policies & Rules and enable the Phishing Triage Agent under Automated Investigation & Response (AIR).
  See: Automated investigation and response examples - Microsoft Defender for Office 365
- Integrate with Security Copilot
  In the Security Copilot interface:
    - Add the Phishing Triage Agent as a plugin
    - Configure it to trigger when users report suspicious emails via Outlook or Defender for Office 365
  See: Use plugins in Microsoft Security Copilot
- Test the Workflow
  Simulate a phishing report by submitting a suspicious email. The agent will:
    - Use LLMs to analyze the message
    - Classify it as phishing or safe
    - Enrich the incident with threat intelligence
    - Provide a natural-language explanation
    - Escalate or resolve based on severity
  See: Security Copilot Phishing Triage Agent in Microsoft Defender
- Review and Tune
  Use the Mailflow status report and Incident Queue to monitor:
    - Classification accuracy
    - False positives
    - Analyst workload reduction
  See: Mail flow insights in the new EAC in Exchange Online
  See: Prioritize incidents in the Microsoft Defender portal
- Train Your SOC Team
    - Share explainable AI outputs with analysts to build trust
    - Use the agent’s verdicts to guide manual investigations and reinforce learning
  See: Security Copilot Phishing Triage Agent in Microsoft Defender (Preview)
- Iterate and Improve
    - Review phishing trends
    - Update triage policies
    - Leverage Security Copilot’s adaptive learning to stay ahead of evolving threats
  See: What is Microsoft Security Copilot?
About the Author: Greetings! Jacques “Jack” here. I am excited to share this remarkable technology with our Defender community, as it has the potential to greatly enhance organizational protection. My role as a Microsoft Technical Trainer has shown me how valuable solutions like Security Copilot and Security AI Agents can be in strengthening defenses and accelerating response to threats. By sharing these advancements, I hope to empower you with the tools needed to safeguard your environment in an ever-evolving security landscape.
#MicrosoftLearn #SkilledByMTT