Microsoft Defender Email Security Benchmark Results

Introduction

Microsoft’s latest email security benchmark offers useful data points for security teams evaluating native protection, secure email gateways (SEGs), and integrated cloud email security (ICES) tools. For administrators responsible for Microsoft 365 security posture, the update helps clarify where layered defenses add value and where Microsoft Defender for Office 365 is doing most of the heavy lifting.

What’s new in the benchmark

Microsoft’s newest telemetry, covering recent months, reinforces several trends across email security deployments:

• Microsoft Defender post-delivery remediation remains significant: Defender’s Zero-hour Auto Purge (ZAP) removed an average of 70.8% of malicious email post-delivery.
• ICES solutions provide incremental benefit: When combined with Defender, ICES partners improved filtering of marketing and bulk email by an average of 13.7%.
• Limited uplift for spam and malicious mail: The additional filtering gains from ICES tools were smaller for higher-risk email categories, averaging 0.29% for spam and 0.24% for malicious messages in the latest reporting period.
• SEG comparison remains favorable to Defender: Microsoft says Defender missed fewer high-severity threats than the SEG products evaluated in the study.

ICES ecosystem expansion

Microsoft also used the announcement to reinforce support for its ICES partner ecosystem. The current integrated partners are:

• Darktrace
• KnowBe4
• Cisco
• VIPRE Security Group

These integrations surface partner detections directly in the Microsoft Defender portal, including areas such as Quarantine, Explorer, email entity pages, advanced hunting, and reporting. The practical goal is to support defense-in-depth without forcing SOC teams to jump between separate consoles.

Why this matters for IT and security admins

For Microsoft 365 and security administrators, the benchmark data suggests a few clear takeaways:

• Post-delivery protection matters because threats still reach inboxes despite pre-delivery filtering.
• Layering tools can help, but the benefit varies by message type and may be more operationally useful for reducing inbox clutter than materially improving malicious email detection.
• Unified workflows reduce analyst friction, especially when third-party detections are visible in Defender rather than isolated in another management plane.

Recommended next steps

Admins should consider the following actions:

1. Review your current Microsoft Defender for Office 365 configuration, including ZAP, Safe Links, Safe Attachments, and reporting.
2. Assess whether an ICES deployment is providing measurable value beyond Defender, especially for spam, malicious mail, and user productivity.
3. Use benchmark data during renewal or architecture reviews to validate whether existing SEG or ICES investments align with your organization’s threat profile.
4. Monitor the Defender ICES ecosystem if your team wants partner protections without losing a single-pane-of-glass experience.

Microsoft says it will continue publishing benchmark updates regularly, giving organizations more transparency into how email protections perform at scale.