Microsoft Defender Email Security Benchmark: Platform Wins on Pre- and Post-Delivery

Microsoft published its fourth quarterly Defender email security benchmarking update on June 15, 2026, covering February through April 2026 and comparing Defender for Office 365 against secure email gateway and integrated cloud email security vendors using production telemetry. The headline is simple: Microsoft says Defender is not merely holding its own in mail protection, but increasingly absorbing the work that third-party layers were supposed to justify. The more interesting story is not that Microsoft won its own benchmark. It is that Microsoft is trying to redefine the benchmark around operational outcomes that favor the platform sitting closest to Exchange Online.

[Infographic: a cloud email security pipeline around Exchange Online with threat blocking and remediation stats.]

Microsoft Turns the Email Security Debate Into a Platform Argument

For years, the email security market has been built around distrust. Organizations bought secure email gateways because they did not want to rely solely on the inbox provider, and later adopted integrated cloud email security tools because gateways looked increasingly awkward in a world of cloud-native mail, API-based remediation, and Microsoft 365 everywhere.
Microsoft’s new year-in-review benchmark is an argument against that old procurement muscle memory. It says the decisive action is no longer a gateway appliance or a bolt-on scanner standing in front of Microsoft 365. It is the combination of pre-delivery filtering, post-delivery remediation, mailbox context, user reports, and security operations workflow inside Defender.
That is a self-serving thesis, of course. Microsoft is both the platform owner and a vendor in the market it is measuring. But the company’s latest numbers are still worth taking seriously because they frame the question many security teams are already asking: if Defender catches most of the dangerous mail before delivery and then removes most of what slips through afterward, what exactly is the expensive extra layer buying?
The answer, according to Microsoft’s own data, is narrower than many vendors would like. Third-party ICES tools may still help with promotional and bulk email filtering, and some enterprises will keep them for defense-in-depth, compliance, visibility, or internal politics. But Microsoft is pushing customers toward a harder distinction between security value and inbox hygiene.

The Benchmark Is Also a Sales Pitch, but That Does Not Make It Useless

Microsoft says its benchmarking program began in July 2025 with a promise to publish real-world performance data rather than rely on synthetic tests. That distinction matters because email security is notoriously easy to distort in lab conditions. A product can look brilliant against a static corpus and still struggle when adversaries rotate infrastructure, mutate lures, abuse legitimate services, or time attacks around user behavior.
The company’s approach is to compare Defender against secure email gateway vendors and ICES vendors using observed production telemetry. For SEG products, Microsoft defines a missed threat as a high-severity message that was not detected before delivery. For ICES products layered on top of Defender, the company measures the additional catch contribution those tools provide after Microsoft’s own filters have done their work.
That methodology puts the debate on terrain Microsoft likes. A gateway is judged on what it blocks before the message reaches the user, while an ICES vendor is judged by the marginal improvement it adds over Defender. In a Microsoft 365 environment, that is not an unfair lens, but it is not a neutral one either. It assumes Defender is the baseline and everyone else must prove incremental value.
Still, that is how many customers experience the stack in practice. Defender is already embedded in Microsoft 365 licensing discussions, already tied into Exchange Online, and already visible in Microsoft’s security portal. A third-party product may be excellent, but if it adds only a small amount of malicious-message catch on top of Microsoft’s native protection, the budget conversation changes.

Defender’s Pre-Delivery Lead Is the Number Microsoft Wants Buyers to Remember

The sharpest claim in the report is that Defender missed fewer high-severity email threats than every secure email gateway vendor evaluated across every benchmarking period since July 2025. Microsoft says the next closest SEG vendor had 2.5 times more misses over the year. In the latest quarter, covering February through April 2026, Defender reportedly missed 59 percent fewer high-severity threats than the closest SEG competitor.
That is the kind of statistic that travels well through executive decks. It is simple, comparative, and attached to the most emotionally loaded category in email security: high-severity threats. Nobody wants to explain to a board that the gateway caught more newsletter noise while allowing more dangerous messages into inboxes.
But the phrasing deserves careful reading. Microsoft is not saying every SEG product is useless, nor is it publishing a universal law of email defense. It is saying that in its benchmarked population, under its definitions, Defender produced fewer pre-delivery misses per 1,000 protected users than the evaluated gateway vendors.
For WindowsForum readers who live in the real world of licensing bundles, renewal clocks, and security exceptions, that caveat is important. Benchmarks do not replace tenant-specific testing. They do, however, give Microsoft’s field teams a powerful new line: before renewing that gateway, ask whether it is reducing risk or preserving an architecture from another era.

ICES Vendors Are Being Pushed Into the Inbox Cleanup Business

The most damaging part of Microsoft’s benchmark for the broader email security ecosystem may not be the SEG comparison. It is the ICES uplift data. Microsoft says ICES vendors added an average uplift of 15 percent in promotional filtering over the four quarters, while their uplift for malicious catch and spam averaged only 0.29 percent and 0.68 percent respectively.
In the most recent quarter, the gap became even starker. ICES vendors operating on top of Defender improved promotional and bulk filtering by an average of 16.85 percent, but added only 0.13 percent for malicious messages and 0.28 percent for spam. Those are not nothing, especially at enterprise scale. But they are small numbers to defend if the tool is sold primarily as a security control.
This is where Microsoft’s argument becomes more subtle. It is not saying third-party cloud email security tools never help. It is saying their clearest, most durable benefit appears to be reducing inbox clutter rather than catching a materially larger share of dangerous mail. That shifts the category from breach prevention toward productivity and user experience.
Vendors will object that Microsoft’s telemetry may not capture every operational benefit they provide. They may point to reporting workflows, specialized detection models, impersonation controls, executive protection, abuse mailbox automation, or support for heterogeneous environments. Those are fair counterarguments. But Microsoft’s data attacks the core buying premise: that a second cloud email security layer is necessary because Microsoft’s own protection cannot be trusted.

Post-Delivery Remediation Is Becoming the Center of Gravity

The most strategically important number in the report is not the pre-delivery miss rate. It is Microsoft’s claim that Defender’s share of post-delivery malicious catch has risen dramatically. In the second report, Microsoft said Defender contributed 45 percent of post-delivery malicious catch; in the latest quarter, it says Defender removed an average of 96.03 percent of malicious messages that reached inboxes, up from 70.8 percent in the prior quarter.
That is a major framing shift. Old email security thinking treated delivery as the decisive moment: either the filter stopped the message or the user was exposed. Modern cloud mail defense is messier. Messages can be delivered, reclassified, detonated, reported, correlated with campaigns, and removed after the fact.
Microsoft is leaning into that reality because it has structural advantages there. It controls the mailbox platform, the identity fabric, the reporting experience, and much of the telemetry around user interaction. If post-delivery remediation is the new battleground, then proximity to Exchange Online and Microsoft 365 Defender becomes more valuable than sitting outside the flow of mail.
For administrators, this matters because post-delivery performance affects containment. A phish that lands in 500 mailboxes is bad. A phish that stays there for hours is worse. A phish that is automatically identified, searched, and pulled back across the tenant before the majority of users touch it changes the incident from a crisis to a cleanup job.

Microsoft Is Quietly Recasting “Defense in Depth” as “Pay Twice If You Must”

Security buyers have long been trained to distrust single-vendor security stacks. The argument is familiar: no one product catches everything, and layered controls reduce the chance that one vendor’s blind spot becomes an incident. In email security, that logic supported SEG deployments for years and later gave ICES vendors a natural pitch.
Microsoft is not attacking defense in depth directly. It is doing something more effective: accepting that some customers want multiple vendors while measuring whether the second vendor changes the outcome. The Defender ICES vendor ecosystem is the diplomatic version of that argument. Microsoft can say it supports multi-vendor strategies, integrates with trusted partners, and streamlines SOC workflows, while still publishing numbers that make some third-party layers look marginal.
That is a clever posture. It avoids the arrogance of telling enterprises to rip everything out and trust Redmond. It also puts pressure on every add-on vendor to demonstrate something concrete beyond anxiety reduction.
The result is a more uncomfortable procurement conversation. If a third-party email security product materially reduces high-severity misses, improves response times, or fits a non-Microsoft mail estate, it can still justify itself. If it mostly sorts promotional mail, then the license should be priced and governed like an inbox management tool, not a frontline security system.

Outlook’s Promotions Folder Is Not a Small Feature in This Fight

One of the product changes Microsoft connects to the benchmark is a native Promotions folder in Outlook. The feature is designed to keep legitimate bulk and promotional messages out of the primary inbox without sending them to Junk. Microsoft says it will be visible across Outlook experiences and enabled by default once generally available.
At first glance, that sounds like consumer-email housekeeping creeping into enterprise mail. In context, it is more strategic. Microsoft’s own benchmark says ICES vendors show their strongest uplift in promotional and bulk filtering. So Microsoft is building a native feature aimed directly at the area where third-party tools can most easily claim measurable value.
This is classic platform behavior. When an ecosystem product proves demand for a workflow, the platform eventually absorbs the workflow. Sometimes that benefits users by reducing friction and licensing sprawl. Sometimes it squeezes specialized vendors whose main differentiation becomes a checkbox in the native client.
For IT teams, the Promotions folder will need careful watching. Anything that changes mailbox placement at scale can produce help desk tickets, executive complaints, and policy debates over what counts as business-critical mail. But the direction is clear: Microsoft wants fewer reasons for customers to buy an ICES tool just to make Outlook less noisy.

AI Is Being Sold as the Missing Layer Between Users and Analysts

Microsoft also links the benchmarking improvements to AI-driven operational changes. The company says it introduced an agentic grading system in November 2025 to reduce reliance on manual review in the submission and analysis pipeline. It also highlights the Microsoft Security Copilot Alert Triage Agent, which uses language-model reasoning to classify user-reported phishing emails, resolve false positives, and escalate confirmed threats.
The numbers Microsoft cites are striking: analysts identify 6.5 times more malicious alerts, improve verdict accuracy by 77 percent, and spend 53 percent more time investigating real threats. Those figures are vendor-reported and should be treated with the usual caution. But they point to where Microsoft sees the next contest.
The battle is no longer just filter versus filter. It is workflow versus workflow. When a user reports a suspicious message, how quickly does the system decide whether the report matters? When the system changes a verdict, how quickly does it remove matching messages? When analysts open an email entity page, how much context do they get without pivoting through three consoles?
AI gives Microsoft a way to turn its platform breadth into a security operations story. It can summarize email evidence, triage reported phish, correlate tenant telemetry, and wrap it all in the broader Microsoft Defender and Security Copilot pitch. Whether every customer is ready to trust that automation is another matter, but Microsoft is clearly positioning AI as a force multiplier for mail defense rather than a decorative assistant.

The Benchmark Rewards the Vendor Closest to the Mailbox

There is a structural reason Defender looks strong in this kind of measurement. Microsoft sees the mail flow, the mailbox, the identity context, the user report, and the remediation action inside the same cloud. A gateway sees messages before delivery. An ICES tool sees what APIs and integrations expose. Microsoft sees the whole house because it owns the floor plan.
That does not automatically make Defender better at every detection problem. Specialized vendors can still innovate quickly, focus on narrow attack classes, and support environments that are not all-in on Microsoft 365. Some security teams also value independent telemetry precisely because they do not want the platform provider grading its own homework.
But the center of gravity has moved. The old perimeter model assumed email security happened at the edge. Cloud productivity suites made the mailbox itself a living security surface, where messages can be rescored and remediated as new intelligence arrives. In that model, the platform has enormous gravitational pull.
This is why Microsoft’s benchmark is more than a product comparison. It is an architectural claim. Microsoft is saying the most effective email security system is the one that can act before delivery, after delivery, inside the user workflow, and inside the SOC workflow without stitching together a half-dozen separate control planes.

Administrators Should Read the Numbers as a Renewal Warning, Not a Rip-and-Replace Order

The practical response to Microsoft’s benchmark should not be blind consolidation. It should be disciplined skepticism applied to every layer in the mail stack. If an organization has Defender, a SEG, and an ICES product, the question is no longer whether more tools feel safer. The question is which tool catches what, when, and at what operational cost.
That requires tenant-level evidence. Security teams should compare native Defender detections, third-party detections, user-reported messages, post-delivery removals, false positives, analyst workload, and business disruption. A tool that catches a small number of additional malicious messages may still be worth keeping if those messages are high-impact attacks against privileged users. A tool that generates noise, duplicates alerts, or delays mail may be weakening operations despite improving a dashboard metric.
Admins should also separate mail security from mail cleanliness. Promotional filtering can matter, especially in organizations where inbox overload affects productivity or where users habitually miss important mail amid bulk noise. But if that is the main benefit, it belongs in a different budget conversation than phishing prevention.
Licensing will inevitably shape the outcome. If Defender capabilities are already included in a Microsoft 365 security bundle, third-party tools must justify incremental cost against measurable risk reduction. Microsoft knows this, and its benchmark is designed to give CISOs and procurement teams permission to ask harder questions.
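The tenant-level comparison described in this section can be scripted once per-message verdicts are exported from each layer. The sketch below is an added example, not Microsoft's benchmark code: the `Msg` record, the `native`/`addon` layer labels, the sample data and the uplift formula (add-on catches as a percentage of baseline catches) are all assumptions, since the report's exact formulas are not given here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical layer labels: "native" is the platform's built-in filtering,
# "addon" is a third-party layer running on top of it.
NATIVE, ADDON = "native", "addon"


@dataclass(frozen=True)
class Msg:
    category: str          # analyst-confirmed: "malicious", "spam", "promotional"
    high_severity: bool
    stage: Optional[str]   # "pre" = blocked before delivery, "post" = removed
                           # after delivery, None = never caught
    layer: Optional[str]   # first layer that acted, None if nothing did


# Constructed sample for a 500-user tenant (not real telemetry).
USERS = 500
SAMPLE: List[Msg] = (
    [Msg("malicious", True, "pre", NATIVE)] * 94
    + [Msg("malicious", True, "post", NATIVE)] * 6
    + [Msg("malicious", True, "post", ADDON)] * 2
    + [Msg("malicious", True, None, None)] * 2
    + [Msg("promotional", False, "pre", NATIVE)] * 200
    + [Msg("promotional", False, "post", ADDON)] * 50
)


def pre_delivery_misses_per_1000(msgs, users):
    """High-severity messages that reached an inbox, per 1,000 protected users."""
    missed = sum(1 for m in msgs if m.high_severity and m.stage != "pre")
    return 1000 * missed / users if users else 0.0


def post_delivery_share(msgs, layer):
    """Percent of post-delivery malicious removals performed by `layer`."""
    removed = [m for m in msgs if m.category == "malicious" and m.stage == "post"]
    mine = sum(1 for m in removed if m.layer == layer)
    return 100 * mine / len(removed) if removed else 0.0


def uplift_pct(msgs, category, baseline=NATIVE, addon=ADDON):
    """Assumed definition: add-on catches as a percent of baseline catches."""
    base = sum(1 for m in msgs if m.category == category and m.layer == baseline)
    extra = sum(1 for m in msgs if m.category == category and m.layer == addon)
    return 100 * extra / base if base else 0.0


if __name__ == "__main__":
    print("misses per 1,000 users:", pre_delivery_misses_per_1000(SAMPLE, USERS))
    print("native post-delivery share %:", post_delivery_share(SAMPLE, NATIVE))
    for cat in ("malicious", "promotional"):
        print(cat, "uplift %:", uplift_pct(SAMPLE, cat))
```

Attributing each message to the first layer that acted hides overlap between layers, so a real comparison should also record which messages both layers would have caught.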

The Vendor Ecosystem Is Being Invited Inside Microsoft’s Fence

Microsoft’s Defender ICES vendor ecosystem is an interesting compromise. Rather than pretending multi-vendor email security will disappear, Microsoft is trying to make third-party tools operate more cleanly within its environment. That helps customers who have already chosen layered security while allowing Microsoft to remain the gravitational center.
For partners, this is both an opportunity and a warning. Integration with Microsoft can reduce friction, improve SOC workflows, and make products easier to operate in Microsoft 365-heavy environments. But it also means playing on Microsoft’s field, where Defender is the baseline and third-party value is measured as additive uplift.
The best-positioned vendors will be those that can prove differentiated outcomes Microsoft does not already deliver. That might mean better protection for particular industries, stronger executive impersonation controls, faster investigation tooling, richer abuse mailbox automation, or support for organizations with mixed mail platforms. The weakest-positioned vendors will be those whose main selling point is a generic promise to catch what Microsoft misses.
This dynamic is familiar across the Microsoft ecosystem. Endpoint detection, identity governance, device management, browser security, and collaboration compliance have all seen Microsoft absorb features that were once sold by specialists. Email security is now moving through the same consolidation pressure.

Transparency Is Useful, but Microsoft Still Owns the Measuring Stick

Microsoft deserves some credit for publishing recurring benchmark data. Security marketing is often built on anecdotes, cherry-picked test results, and fear. A quarterly cadence tied to production telemetry is more useful than a one-off lab shootout.
But transparency is not the same as independence. Microsoft chooses the definitions, the comparison frame, the severity categories, and the way results are summarized. It also has obvious commercial incentives to show Defender as the safest default and third-party tools as incremental at best.
That does not invalidate the report. It means customers should use it as one input, not the final verdict. The benchmark is most valuable when it prompts organizations to measure their own environment with the same discipline: what was missed before delivery, what was remediated after delivery, what users reported, what analysts confirmed, and what each product contributed.
The deeper lesson is that email security effectiveness is becoming harder to reduce to a single catch rate. Timing matters. Severity matters. False positives matter. User experience matters. Analyst time matters. A product that catches slightly more mail but creates operational drag may lose to a platform that catches slightly less at the edge but remediates faster across the tenant.

The Year of Data Leaves Fewer Places for Email Security Spend to Hide

Microsoft’s first year of Defender email benchmarking gives IT teams a sharper way to challenge old assumptions. The numbers are not a universal truth, but they are concrete enough to reshape renewal meetings and architecture reviews.
  • Defender reportedly missed fewer high-severity pre-delivery threats than every evaluated secure email gateway across all four quarterly benchmarking periods since July 2025.
  • Microsoft says the closest SEG competitor had 2.5 times more misses over the full year, and Defender missed 59 percent fewer high-severity threats than the next-closest SEG vendor in the February through April 2026 quarter.
  • ICES vendors showed their strongest measured value in promotional and bulk filtering, with far smaller average uplift for malicious messages and spam.
  • Defender’s reported share of post-delivery malicious remediation rose from 45 percent in an earlier report to just over 96 percent in the latest quarter.
  • Outlook’s native Promotions folder is strategically important because it targets the same inbox-clutter category where ICES vendors showed their clearest uplift.
  • Security teams should use Microsoft’s benchmark as a trigger for tenant-specific measurement, not as a substitute for their own evidence.
The direction of travel is unmistakable: Microsoft wants email security judged less by the number of products in the stack and more by the measurable work each layer performs. That is uncomfortable for vendors, useful for customers, and potentially risky if it turns into uncritical platform consolidation. The next phase of this fight will not be about whether Defender can produce impressive benchmark numbers; it will be about whether enterprises can independently verify those numbers in their own tenants and decide how much diversity they still need when the platform keeps getting better.

References

  1. Primary source: Microsoft
    Published: 2026-06-15T16:12:07.816227
 
