Microsoft Defender XDR: Email summary powered by Security Copilot on the email entity page

Message ID: MC1268924
Service: Microsoft Defender XDR
Category: Stay Informed
Tags: New feature, User impact, Admin impact
Rollout: April 2026, May 2026

Summary

Microsoft Defender XDR will add an AI-powered Email summary via Security Copilot on the Email entity page, launching in public preview in mid-April 2026 and becoming generally available by mid-May 2026. It provides concise threat insights, timeline analysis, and URL and attachment assessments, and it requires Security Copilot access and SCUs.

Details

[Introduction]

We’re introducing Email summary powered by Security Copilot on the Email entity page in Microsoft Defender XDR. This AI-driven capability helps security teams quickly understand and respond to email threats by summarizing email detection data into clear, actionable insights. This feature is designed to reduce investigation time and improve analyst efficiency by presenting key signals and analysis in one place.

[When this will happen]

  • Public preview: Rollout begins in mid-April 2026 and is expected to complete by late April 2026.
  • General availability (Worldwide): Rollout begins in early May 2026 and is expected to complete by mid-May 2026.

[How this affects your organization]

Who is affected

  • Security teams and admins using Microsoft Defender XDR
  • Microsoft 365 tenants with Security Copilot access and provisioned Security Compute Units (SCUs)

What will happen

  • A new Email summary section will appear on the Email entity page in Microsoft Defender XDR.
  • Security Copilot will generate AI-driven summaries that include:
    • Email overview: A concise summary of detected threats, actions taken, overrides, and key indicators.
    • Timeline event analysis: A chronological view of actions and outcomes across the email lifecycle.
    • URL analysis: Assessment of URLs extracted from the email to identify known malicious behavior.
    • Attachment analysis: Insights into attachments, highlighting suspicious or harmful files and associated risks.
  • This feature requires Security Copilot access and SCUs and is not enabled by default.
  • Existing security policies, permissions, and investigation workflows are respected; no policy changes are required.

[What you can do to prepare]

  • Ensure Security Copilot Security Compute Units (SCUs) are provisioned in your tenant.
  • Verify that intended users have access to Security Copilot.
  • Review and update internal investigation workflows or documentation, if applicable.
  • Inform security analysts about the new Email summary experience so they can incorporate it into daily investigations.

[Compliance considerations]

Question: Does the change alter how existing customer data is processed, stored, or accessed (for example, emails, detections, URLs, or attachments)?
Answer: Yes. This change alters how existing email detection data in Microsoft Defender XDR is processed by using Security Copilot to generate AI-based summaries from existing signals, metadata, and analysis results. No new customer data is stored, and existing data retention, residency, and access controls remain unchanged.

Question: Does the change introduce or significantly modify AI/ML or agent capabilities that interact with or provide access to customer data?
Answer: Yes. This change introduces a generative AI capability through Security Copilot that summarizes existing Microsoft Defender XDR email data to provide contextual insights for security analysts. The AI output is derived from existing data and does not replace underlying security signals or detections.

Question: Does the change provide end users any new way of interacting with generative AI, if so how?
Answer: Yes. Security analysts can view AI-generated summaries on the Email entity page, providing read-only insights generated by Security Copilot. The feature respects existing role-based access controls and does not grant access to data beyond what users are already permitted to view.

Question: Does the change include an admin control, and can it be controlled through Entra ID group membership?
Answer: Yes. Access to this capability is controlled through Security Copilot licensing and the provisioning of Security Compute Units (SCUs). Administrative access can be managed using existing access controls, including Entra ID–based role assignments.
