Microsoft Rolls Out Phishing Triage Agent in Security Copilot Public Preview
Microsoft this week launched the public preview of its new Phishing Triage Agent, integrated into Microsoft Defender under the Security Copilot agent framework.
The agent autonomously analyzes user‑reported phishing emails to distinguish real threats from false alarms, using AI-powered reasoning rather than static rules. It provides natural‑language explanations of its decisions and adapts over time as administrators flag cases to fine‑tune its accuracy. It also gives IT a clear view into the AI's decision making, so staff can understand why it flags or doesn't flag certain messages.
"One of the most defining features of the Phishing Triage Agent is how clearly it communicates its decisions," wrote Microsoft. "For every verdict, the agent provides a natural language explanation that outlines why a message was or wasn’t classified as phishing. The rationale is clear and accessible, allowing analysts to quickly comprehend what led to the outcome."
Microsoft's new agent is designed for quick setup and uses role-based access controls to ensure it operates within a secure, limited scope. Once deployed, the agent runs in the background and activates whenever a user reports a suspicious email.
The company said it designed the agent to tag and automatically dismiss the estimated 90 percent of false positive reports an average enterprise receives, allowing security teams to focus on genuine threats. Its output integrates with Microsoft’s Automated Investigation and Response system to identify related threats and suggest remediation steps.
Each incident includes a plain-language summary and a visual decision flow that outlines the steps taken, including URL analysis and sandboxed attachment testing. IT can override the agent's decisions and submit feedback in natural language, helping the agent learn and improve. A dedicated dashboard tracks incident volume, triage time and accuracy, offering real-time visibility into performance.
This launch is part of a broader initiative unveiled in March to introduce 11 AI agents -- six developed by Microsoft and five by partners -- that automate high‑volume security tasks across Defender, Purview, Intune and Entra. Microsoft analysts said that the sheer volume of phishing alerts (estimated at more than 30 billion phishing emails detected in 2024) demands scalable automation to prevent SOC overload.
This agent is now available for select organizations as a part of the public preview. To take part in the preview, organizations will need to meet certain prerequisites and sign up for the Phishing Triage Agent Public Preview in the Microsoft Defender portal.