Announcing Public Preview of the Phishing Triage Agent in Microsoft Defender
Cristina Da Gama Henriquez announces the public preview of the Phishing Triage Agent in Microsoft Defender, highlighting its AI-powered, autonomous phishing detection capabilities for SOC teams.
Author: Cristina Da Gama Henriquez
Updated: August 5, 2025
Overview
Microsoft introduces the Phishing Triage Agent in Microsoft Defender, now available in public preview. The agent is designed to reduce the operational burden on Security Operations Centers (SOCs) by automating the triage of user-reported phishing emails using AI and large language models (LLMs). It is part of Defender’s AI innovation wave announced at Microsoft Secure 2025, alongside other Security Copilot agents that aim to provide autonomous, adaptive security operations.
Key Features
Autonomous, AI-Powered Triage
- Uses LLMs to semantically evaluate email content, URLs, and attachments
- Classifies each submission as phishing or benign and explains its decision in transparent, natural language
- Continuously learns from analyst feedback to refine its accuracy
SOC Efficiency & Automation
- Automatically resolves the majority of reported phishing emails (often >90% are false positives)
- Reduces manual review workload for SOC analysts, accelerating reaction to real threats
- Integrates tightly with Microsoft Defender for Office 365 and Automated Investigation and Response (AIR), which can take further remediation actions based on the agent’s output
Transparent Reasoning and Decision-Making
- Provides step-by-step visual maps and summaries of its decisions, building trust and aiding analysts in review and investigation
- All actions and decisions are visible and configurable, maintaining organizational control and oversight
Responsible AI and Zero Trust Implementation
- Adheres to Microsoft’s Responsible AI principles (fairness, transparency, security, privacy)
- Enforces least privilege and Zero Trust access, with administrators retaining full control over the agent’s permissions and scope
Getting Started
Organizations meeting the prerequisites can enable the Phishing Triage Agent through a trial in the Microsoft Defender portal. Visit the product page for details or see the Adoption Hub for broader Security Copilot guidance.
Summary
The Phishing Triage Agent marks a significant step towards fully autonomous SOC operations, using AI to cut through noise, adapt to evolving threats, and let security professionals focus on high-impact investigations.
This post appeared first on “Microsoft Security Blog”.