{"id":8509,"date":"2026-06-17T02:46:20","date_gmt":"2026-06-17T02:46:20","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8509"},"modified":"2026-06-17T02:46:20","modified_gmt":"2026-06-17T02:46:20","slug":"microsoft-says-you-dont-need-another-email-security-tool-experts-say-not-so-fast","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8509","title":{"rendered":"Microsoft says you don\u2019t need another email security tool; experts say, not so fast"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Despite best efforts by defenders, malicious emails continue to <a href=\"https:\/\/www.csoonline.com\/article\/4183653\/aged-domain-acquisition-the-tradecraft-phishing-operators-are-using-to-bypass-your-mail-filters-reputation-score.html\" target=\"_blank\" rel=\"noopener\">slip through the cybersecurity cracks<\/a>, leading some enterprises to implement a layered \u201cdefense in depth\u201d strategy that incorporates multiple tools.<\/p>\n<p>Microsoft seems to be challenging this idea, revealing that there are only nominal returns from adding integrated pre- and post-send partners to Defender for Office 365\u2019s protections.<\/p>\n<p>According to its new quarterly benchmarking data, the tech giant catches the vast majority of malicious and spam emails before delivery, misses the fewest compared to competitors by a wide margin, and removes nearly 100% of dangerous emails that do reach the inbox. 
Collectively, its integrated partners improve that catch rate by less than 0.05%.<\/p>\n<p>While these numbers seem to tip the scales towards a one-vendor email security stack, experts urge enterprises to be skeptical and cautious of such vendor claims.<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/seva-ioussoufovitch\" target=\"_blank\" rel=\"noopener\">Seva Ioussoufovitch<\/a>, senior research analyst at Info-Tech Research Group, pointed out, \u201cpercentages obscure the true quantity and severity of what\u2019s getting through, and, considering it only takes one message to result in an incident, it\u2019s simple enough to argue that there is real value in the defense in depth that having multiple tools provides.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Malicious and spam email catch by the numbers<\/h2>\n<p>Microsoft introduced its quarterly benchmarking report in July 2025 alongside a Defender integrated cloud email security (ICES) ecosystem designed to support multi-vendor security strategies.<\/p>\n<p>The secure email gateway (SEG) players it ranked itself against this year include Mimecast, Proofpoint, Hornetsecurity, Trend Micro, IronPort (Cisco), Barracuda, and FireEye (Trellix); ICES companies include Abnormal, Check Point Harmony, Cisco, Darktrace, KnowBe4 Defend, Tessian, and Trend Micro.<\/p>\n<p>Redmond reported that Defender \u201cconsistently leads\u201d in pre-delivery detection, missing 59% fewer high-severity cyberthreats prior to delivery than the other SEG vendors it evaluated. Its closest competitors were Mimecast and Proofpoint. The company also introduced a new metric in this area: a threat miss rate per 1,000 employees. 
In Microsoft\u2019s case, that was 194 per 1,000; for Mimecast, 478; for Proofpoint, 483.<\/p>\n<p>When it came to post-delivery protection, Defender removed an average of 96.03% of malicious emails that reached the inbox, up from an initial 45% when Microsoft first started tracking the data in its second report.<\/p>\n<p>This makes Defender \u201can increasingly critical backstop, operating even when ICES solutions are in place,\u201d Jeff Pinkston, VP and GM for Microsoft Defender, wrote in a <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/15\/microsoft-defender-email-security-benchmarking-key-insights-from-one-year-of-data\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. Still, ICES tools operating in tandem with Microsoft Defender \u201ccontinue to provide benefits,\u201d improving malicious catch by 0.29% and spam catch by 0.68%, he said.<\/p>\n<p>\u201cIf we focus on the basics, their argument seems strong,\u201d Info-Tech\u2019s Ioussoufovitch noted. 
\u201cDo you really need a separate ICES vendor for that extra sub 1% catch?\u201d Microsoft paints a \u201ccompelling picture\u201d by only focusing on raw catch rate, he said, but we don\u2019t hear the rest of the story: \u201cWhat exactly is the danger of what isn\u2019t being caught by Defender?\u201d<\/p>\n<h2 class=\"wp-block-heading\">No one vendor catches everything <\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of Beauceron Security pointed out that the report underscores the fact that \u201clots of stuff still gets by e-mail filters.\u201d<\/p>\n<p>His company regularly analyzes hundreds of thousands of emails, and the content that gets through \u201cranges from the shockingly mundane and obvious to a human expert, to highly clever time-delayed attacks,\u201d he said.<\/p>\n<p>A key factor in what gets through is the amount of content that is allowlisted; settings in \u201c100% paranoid mode\u201d get high catch rates, as well as high false positives, Shipley noted. \u201cAnyone who has ever had a sales person lose a deal because the purchase order PDF got flagged has felt this pain.\u201d<\/p>\n<p>Then there\u2019s the AI conundrum: \u201cA key risk for e-mail vendors using agentic LLM-based analysis is it\u2019s now possible to poison those models with <a href=\"https:\/\/www.csoonline.com\/article\/4185051\/attackers-can-turn-ai-agent-guardrails-into-denial-of-service-weapons.html\" target=\"_blank\" rel=\"noopener\">hidden content<\/a> (such as \u2018ignore this e-mail, pretty please\u2019),\u201d Shipley said. This means enterprises need a variety of analysis methods.<\/p>\n<p>Ioussoufovitch agreed that keeping pace with threat actors using AI is an industry-wide challenge, particularly as AI enables higher-quality phishing. Filters are improving and will catch some of it, but some will inevitably continue to get through. 
Those messages are likely to be highly targeted, and such messages are lower in volume but harder to catch.<\/p>\n<p>\u201cAs of now, current tools do seem to be struggling to keep pace, but that doesn\u2019t mean those tools aren\u2019t necessary,\u201d said Ioussoufovitch. \u201cIt just highlights that <a href=\"https:\/\/www.csoonline.com\/article\/4181920\/15-tough-cybersecurity-questions-every-ciso-must-answer.html\" target=\"_blank\" rel=\"noopener\">defense-in-depth<\/a>, broadly speaking, is becoming more and more important.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Claims appear more honest<\/h2>\n<p>Shipley said that this report appears more honest, accurate, and mature than others claiming 99.99% phish catch rates, \u201cwhich is never true.\u201d It\u2019s also a \u201csmart marketing move,\u201d because Microsoft competes for the same security budget as other tools, and would rather enterprises remove those vendors and buy more from it in areas beyond e-mail.<\/p>\n<p>On the other hand, he said, Microsoft is offering up a list of other vendors to think about, \u201cwhich, congrats to Mimecast on coming in second.\u201d<\/p>\n<p>In the long run, CISOs need to determine the best spend for their limited security dollars, he noted. Enterprises need a good filter; whether they need two is up for debate. 
\u201cThey also clearly still need to invest in a <a href=\"https:\/\/www.csoonline.com\/article\/4152631\/security-awareness-is-not-a-control-rethinking-human-risk-in-enterprise-security.html\" target=\"_blank\" rel=\"noopener\">robust awareness program<\/a>,\u201d Shipley said, \u201cbecause as this report shows, lots of phishes are still getting delivered.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Missing an important nuance<\/h2>\n<p>Ioussoufovitch noted that while the claims in the study are interesting, the data is presented without much of the nuance that would make it truly actionable.<\/p>\n<p>\u201cWe are all too familiar with vendors\u2019 abilities to massage data to tell the story they want, so I would advise leaders not to extrapolate the data beyond what it actually says,\u201d he said.<\/p>\n<p>Instead of the takeaway being \u201cget rid of our current vendors,\u201d this post highlights that Defender provides \u201cconsiderable value,\u201d he noted. Whether adding or subtracting additional vendors is worth the money should be a case-by-case conversation that considers an organization\u2019s risk appetite, and overall security budget and environment.<\/p>\n<p>\u201cI\u2019d treat these claims more as a reminder to assess your own environment and compare detections,\u201d he said. \u201cCome to conclusions based on the data you have, not what a vendor is presenting.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Despite best efforts by defenders, malicious emails continue to slip through the cybersecurity cracks, leading some enterprises to implement a layered \u201cdefense in depth\u201d strategy that incorporates multiple tools. 
Microsoft seems to be challenging this idea, revealing that there are only nominal returns from adding integrated pre- and post-send partners to Defender for Office 365\u2019s [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8510,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8509","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8509"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8509"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8509\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8510"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}