Microsoft Security Blog: Announcing public preview: Phishing triage agent in Microsoft Defender

Source URL: https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/announcing-public-preview-phishing-triage-agent-in-microsoft-defender/4438301

Feedly Summary: The Phishing Triage Agent in Microsoft Defender is now available in Public Preview. It tackles one of the most repetitive tasks in the SOC: handling reports of user-submitted phish.


**Summary:** The text describes the introduction of Microsoft’s Phishing Triage Agent, a new autonomous tool in Microsoft Defender designed to enhance the efficiency of Security Operations Centers (SOCs). By utilizing large language models, this agent addresses the repetitive task of reviewing user-submitted phishing reports, significantly reducing manual workload and improving response times, which is critical as phishing remains a pervasive cybersecurity threat.

**Detailed Description:**
The Phishing Triage Agent represents a significant advancement in autonomous security operations within Microsoft Defender, focused on enhancing SOC efficiency and threat response. Key aspects of its functionality include:

- **Autonomous Operation:**
  - The agent autonomously triages phishing alerts, evaluating thousands of user submissions swiftly (within 15 minutes of detection).
  - It utilizes large language models (LLMs) for assessments that include the analysis of email content, URLs, and intent detection.

- **Learning and Adaptation:**
  - The agent evolves through continuous learning, refining its decision-making based on analyst feedback.
  - Analysts can reclassify incidents and provide natural language explanations, which the agent incorporates for improved future accuracy.

- **Transparency and Traceability:**
  - Each verdict is accompanied by a clear, natural language explanation, which helps analysts understand the decision-making process.
  - A visual representation of the decision logic allows teams to drill down into the analysis, increasing trust in the system.

- **Operational Efficiency:**
  - Often, over 90% of reported phishing emails are false positives; the agent automates the resolution of these, allowing analysts to focus on genuine threats.
  - Integration with Microsoft Defender for Office 365 includes automated investigation and response features that further enhance threat detection and remediation.

- **Compliance and Security Principles:**
  - Built on Microsoft’s Responsible AI principles, the agent incorporates guardrails for fairness, security, and privacy.
  - It operates under a Zero Trust framework with strict access controls, ensuring it adheres to organizational security policies.

- **Performance Monitoring:**
  - Real-time dashboards provide visibility into the agent’s performance, including incident handling, efficiency gains, and accuracy metrics.

This innovation marks a shift toward a more efficient and adaptive SOC, enabling organizations to better manage threats and maintain a robust security posture in an era where phishing continues to evolve rapidly. The Phishing Triage Agent is currently available in public preview through the Microsoft Defender portal, allowing organizations to explore and adopt this advanced security capability.