Microsoft Defender for Office 365: Agentic AI Phish Submission Analysis

Microsoft Defender for Office 365 will introduce an Agentic AI grading system by late November 2025, using large language models to analyze phishing submissions faster with natural language explanations. This feature is enabled by default, requires no admin action, and integrates AI with existing models and human review for accuracy.

[Introduction:]

We are introducing an advanced Agentic AI grading system integrated into the Microsoft Defender for Office 365 (MDO) phishing submission analysis and response flow. This enhancement provides faster, higher-quality verdicts with detailed natural language explanations when customers report phishing messages to Microsoft.

This message is associated with Microsoft 365 Roadmap ID 503112.

[When this will happen:]

General Availability (Worldwide): Rollout will begin in mid-November 2025 and is expected to complete by late November 2025.

[How this affects your organization:]

Who is affected: Admins and users submitting phishing emails for analysis in Microsoft Defender for Office 365.

What will happen:

You can expect the following changes when this feature rolls out:

• Phishing emails will be analyzed using large language models (LLMs) in an agentic workflow.
• Natural language explanations for verdicts will be provided.
• Existing machine learning models and human review will be integrated for accuracy.
• Wait times will be reduced by processing more submissions via AI grading instead of manual review.
• User workflows will remain unchanged; the feature will be enabled by default.
• There are no admin controls to manage this functionality.

How to view Agentic AI grading system responses:

1. Report an admin or user phish submission to Microsoft for analysis. See the Learn more section below for links to detailed instructions.
2. Go to Microsoft Defender portal (https://sip.security.microsoft.com).
3. Navigate to Investigation & response > Actions & submissions > Submissions or visit https://security.microsoft.com/reportsubmission.
4. Select the relevant tab (“Emails” for admin submissions or “User reported” for user submissions).
5. Select an email submission line item to review results in the flyout panel under Result details.
6. Agentic AI grading responses will include the note: “AI-generated content may be incorrect. Check it for accuracy.”

Screenshot - Sample agentic AI submission response:

 

[What you can do to prepare:]

• No admin action is required before rollout.
• No disruptions or downtime during rollout.

Learn more:

• Report phishing and suspicious emails in Outlook for admins | Microsoft Learn
• Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft | Microsoft Learn
• User reported settings | Microsoft Learn

[Compliance considerations:]

Question	Answer
Does the change alter how existing customer data is processed, stored, or accessed?	Yes – Introduces AI-based processing of phishing email submissions to provide natural language explanations of verdicts. No changes to storage or access patterns.
Does the change introduce or significantly modify AI/ML or agent capabilities that interact with or provide access to customer data?	Yes – Introduces an Agentic AI grading system using LLMs orchestrated within an agentic workflow to analyze phishing emails and generate explanations.
Does the change provide end users any new way of interacting with generative AI?	Yes – Users and admins will see AI-generated natural language explanations for phishing verdicts in the Defender portal.