Phishing attacks remain one of the most persistent and damaging threats to organizations worldwide. Security teams are under constant pressure to investigate a growing number of user-reported phishing emails every day, ensuring accurate verdicts and timely responses. As threats grow in volume and sophistication, SOC teams are forced to spend valuable time triaging and investigating, often at the expense of strategic defense and proactive threat hunting.
At Microsoft Ignite 2025 we are delivering innovation that showcases our continued commitment to infuse AI agents and agentic workflows into the core of our email security solution and SOC operations to automate repetitive tasks, accelerate investigations, and provide transparent, actionable insights for every reported phishing email. In addition, we continue to invest in our ecosystem partnerships to empower customers with seamless integrations as they adopt layered security solutions to comply with regulatory requirements, enhance detection, and ensure robust protection.
Today I’m excited to announce:
- General Availability of the Security Copilot Phishing Triage Agent
- Agentic Email Grading System in Microsoft Defender
- Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem
The Security Copilot Phishing Triage Agent is now generally available
In March 2025, we introduced the Phishing Triage Agent, designed to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts, resolves false positives, and escalates only the malicious cases that require human expertise. Today, we’re announcing its general availability. We will also be extending the agent to triage identity and cloud alerts.
The Phishing Triage Agent automates repetitive tasks, accelerates investigations, and makes every decision transparent, allowing security teams to focus on what matters most: investigating real threats and strengthening the overall security posture. Early results prove how it is transforming analyst work:
- Identified 6.5X more malicious alerts
- Improved verdict accuracy by 77%
- Agent-supported analysts spent 53% more time investigating real threats
Agentic email grading: Advanced analysis of phishing email submissions
When customers report suspicious messages to Microsoft, they expect clarity, speed, and actionable insights to protect their environment. They expect a response they can trust, understand easily, and use to take additional investigation and response actions for the organization.
Previously, when customers reported messages to Microsoft, our response depended largely on manual human grader reviews, creating delays and inconsistent verdicts. Customers often waited several hours for a response, and sometimes it lacked clarity on how a verdict was reached.
Today, we are excited to announce that we have integrated an agentic grading system into the Microsoft Defender submission analysis and response workflow for phishing messages that customers report to Microsoft.
Image 2: Agentic Email Grading: Advanced analysis of phishing email submissions
The agentic grading system brings a new level of speed and transparency to phishing analysis. It uses large language models (LLMs) orchestrated within an agentic workflow to analyze phishing emails, assess the full content of a submitted email, and communicate context and related metadata. This system combines advanced AI with existing machine learning models and human review for additional levels of accuracy and transparency in decision making. Every submission receives a higher-quality, clear verdict with a context-rich explanation tailored to that email. Additionally, it establishes a feedback mechanism that enhances continuous learning and self-healing, thereby strengthening and optimizing protection over time.
By reducing reliance on manual reviews, users will experience lower wait times, faster responses and higher-quality results. It will enable security teams to respond promptly and act confidently against phishing threats.
Over time we plan to expand beyond phishing verdicts to include spam, scam, bulk, and clean classifications, making the process more comprehensive. The system will continue to evolve through feedback and adapt to emerging attack patterns.
How to view agentic submission responses in Microsoft Defender
When you report a suspicious email—whether as an admin or an end user—you can now see how Microsoft Defender’s new agentic grading system evaluates your submission. To view agentic grading system responses, follow the steps below:
- Report the suspicious email
  Submit the email through the admin submission or user-reported submission process.
- Sign in to Microsoft Defender
  Go to https://security.microsoft.com.
- Navigate to Submissions
  From the left menu, select: Investigation & response > Actions & submissions > Submissions.
- Choose the correct tab
  - Emails for admin submissions
  - User reported for user submissions
- Open the submission details
  Click the email submission you want to review. A flyout panel will display Result details.
- Look for the Agentic AI note
  If the verdict was generated by Agentic AI, you’ll see:
  “AI-generated content may be incorrect. Check it for accuracy.”
Image 3: AI generated explainable verdicts
Expanding the Integrated Cloud Email Security (ICES) ecosystem
In June, we introduced the Microsoft Defender ICES vendor ecosystem, a unified framework that enables seamless integration of Microsoft Defender’s email security solution with trusted third-party vendors. Today we are excited to announce two new partners: Cisco and VIPRE Security Group.
The addition of these partners to our ecosystem reinforces our ongoing commitment to support customers in their choice to strategically layer their email security solutions. Organizations benefit from a unified quarantine experience and deep integration across the various SOC experiences, including threat explorer, advanced hunting, and the email entity page, along with clear insight into the detection efficacy of each solution.
As we continue to innovate, our commitment remains steadfast: empowering defenders with intelligent, transparent, and integrated security solutions that adapt to the evolving threat landscape. By infusing agentic AI into every layer of Microsoft Defender, expanding our ecosystem of trusted partners, and delivering faster, more actionable insights, we’re helping organizations build resilience and stay ahead of attackers. Our strategy is rooted in delivering real value: making security simpler, more effective, and adapted to the needs of every customer.
Learn More:
- Want to know what else is new in Microsoft Defender at Ignite 2025? Check out the blog here.
- For info on how to complete admin phish submissions, please see
- For end user reported phish submissions, you need to have it configured for reporting messages to Microsoft. Set it up today.
Join us at Microsoft Ignite
Join us at Microsoft Ignite to see these advancements in action and discover how intelligent, agentic defense is becoming accessible to every organization. Don’t miss our featured sessions:
- AI vs AI: Protect email and collaboration tools with Microsoft Defender on Thursday, November 20th. Learn more.
- Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19th. Learn more.
- Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21st. Learn more.