Co-Authors: Cristina Da Gama Henriquez and Ajaj Shaikh
AI is rapidly reshaping both sides of the security landscape, and email remains one of the most common and complex entry points for attacks. As adversaries use AI to scale more sophisticated phishing and email-based threats, defenders are under pressure not just to detect them, but to quickly understand what actually happened. Microsoft continues to apply generative and agentic AI across the email protection stack to help stop threats before they reach the inbox and catch what inevitably gets through in the SOC. Still, for security analysts, understanding an email threat requires piecing together context across the incident and its related artifacts. Much of that context exists within the Email entity experience, but it is spread across metadata, timelines, URLs, and attachments, making it time-consuming to connect the dots and act with confidence.
Today, we are excited to announce the public preview of Security Copilot’s Email summary capability, designed to bring those insights together and make email threat investigations faster, clearer, and more actionable. With Security Copilot included in Microsoft 365 E5, organizations will be able to bring AI directly into their flow of work—extending these benefits across the SOC at no additional cost.*
Bringing clarity into the investigation workflow
Email summary brings AI-generated context directly into the Email entity page, transforming fragmented detection data into a clear, natural-language explanation of what happened and why. Analysts can access it from the Security Copilot right-side pane, the same place where Copilot activity across Microsoft Defender is surfaced. Instead of navigating across multiple views to reconstruct the story, analysts can generate a summary that connects the signals and highlights what matters most. And it all happens in seconds.
Built on Security Copilot’s summarization capabilities, Email summary uses the same data analysts already rely on, like email metadata, timeline events, URLs, and attachments, and turns it into a cohesive narrative. It explains how a message was evaluated, what actions were taken, and where risk exists, without requiring manual correlation.
A summary that follows how analysts think
The experience is intentionally embedded in the Email entity page, where investigations already happen, so analysts don’t have to change how they work to benefit from it. The output is structured to match how analysts approach an investigation. It starts with a concise overview of the email, including what was detected, what actions were taken, and any key indicators. From there, it walks through the timeline of events, helping reconstruct how the email was delivered, interacted with, and remediated. It also breaks down URLs and attachments, calling out malicious signals and explaining associated risks in plain language.
Importantly, this is a user-triggered experience. Analysts generate a summary when they need it, ensuring the capability is both intentional and efficient.
From fragmented data to confident decisions
Email summary is a foundational step toward making email threat investigations more explainable and efficient. Today, it brings together existing signals into a clear, actionable narrative. Over time, it will evolve to incorporate additional signal depth: detonation (sandboxing) results, submission responses, and more granular insights from the filtering stack, further strengthening the completeness and fidelity of each investigation.
As threats continue to grow in speed and sophistication, the ability to quickly understand and act is just as critical as detection itself. Email summary helps close that gap, giving analysts the clarity they need to respond with confidence.
*Eligible Microsoft 365 E5 customers will have 400 Security Compute Units (SCUs) per month for every 1,000 user licenses, up to 10,000 SCUs per month. This included capacity is expected to support typical scenarios. Customers will have an option to pay for scaling beyond the allocated amount at a future date with $6 per SCU on a pay-as-you-go basis, and will get a 30-day advanced notification when this option is available. Learn more.
Microsoft