Microsoft Defender for Office 365 Identifies Spam, Phishing, and Legitimate Emails

Microsoft is set to enhance its enterprise email security platform with artificial intelligence capabilities that will provide detailed explanations for email classification decisions.

The new feature, rolling out globally between late June and mid-July 2025, represents a significant advancement in making email security decisions more transparent and understandable for administrators and security teams.

Microsoft Defender for Office 365 is introducing an innovative AI-powered capability that leverages large language models (LLMs) to generate clear, human-readable explanations for email submission results.

This enhancement addresses a long-standing challenge in email security where administrators often received classification results without understanding the underlying reasoning behind security decisions.

The new feature will automatically generate explanations for why submitted messages are classified as spam, phishing, or clean, providing unprecedented visibility into the decision-making process.

These AI-generated explanations will include the reasoning behind classifications, key indicators used in security decisions, and optional behavioral insights that help administrators better understand potential threats.

When available, the system will display these explanations in the Result Details section of email submissions, offering context that was previously unavailable.

If AI explanations are temporarily unavailable, the system will seamlessly revert to standard explanations, ensuring continuity of service.

Technical Implementation

The rollout, associated with Microsoft 365 Roadmap ID 488098, will begin in late June 2025 and complete by mid-July 2025 across all global regions.

Importantly, this feature will be available by default, requiring no administrative configuration or activation steps from organizations.

Currently, the AI-powered explanations apply exclusively to email submissions within the Microsoft Defender portal, accessed through security.microsoft.com.

The feature does not extend to files, Teams messages, URLs, or other user-submitted content at this time, maintaining a focused approach on email security.

The system supports five distinct result types with LLM explanations:

Unknown classifications occur when Microsoft cannot reach a definitive decision due to inaccessible content or analyst disagreement.

Bulk classifications identify senders as bulk mailers with potential future blocking based on Bulk Complaint Level (BCL).

Spam classifications indicate malicious content with future blocking based on Spam Confidence Level (SCL).

"No threats found" results confirm clean content while potentially updating filters.

"Threats found" results identify malicious items and update security filters accordingly.

Organizational Impact

Organizations can expect automatic implementation without requiring preparatory administrative actions before the rollout date.

However, Microsoft recommends that administrators review current submission workflows to maximize the benefits of the enhanced explanations.

The company suggests notifying administrators and end users about the upcoming changes and updating internal documentation to reflect the new capabilities.

This proactive approach will help organizations fully leverage the improved transparency in email security decisions.

To access the new explanations, administrators should navigate to the Microsoft Defender portal, select Actions & Submissions, choose the Submissions section, and open the Emails tab.

Within individual submissions, the AI-generated explanations will appear in the Result Details section when available.

This enhancement represents Microsoft’s continued investment in making enterprise security tools more intuitive and actionable, providing security teams with the context needed to make informed decisions about email threats and refine their security postures accordingly.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
