Microsoft Defender for Office 365 to Provide Detail Results for Spam, Phishing or Clean Emails

Summary
1. Microsoft Defender for Office 365 is introducing large language model (LLM) technology to provide clear, human-readable explanations for why emails are classified as spam, phishing, or clean.
2. The feature will deploy automatically worldwide from late June to mid-July 2025, requiring no administrative action or configuration changes from organizations.
3. Users will receive detailed reasoning behind classification decisions, including key indicators and behavioral insights.
4. Users can access AI explanations through the Microsoft Defender portal at security.microsoft.com under Actions & Submissions > Submissions.

Microsoft is set to revolutionize email security transparency with the introduction of AI-powered explanations for email submission results in Microsoft Defender for Office 365. 

This groundbreaking feature, leveraging large language models (LLMs), will provide clear, human-readable rationales for why messages are classified as spam, phishing, or clean, marking a significant advancement in cybersecurity communication and user understanding.

AI-Powered Enhancement 

The new capability represents a major technological leap in email security transparency, utilizing sophisticated large language models (LLMs) to generate comprehensive explanations for email classification decisions. 

This feature, associated with Microsoft 365 Roadmap ID 488098, addresses a longstanding challenge in cybersecurity where users often receive classification results without understanding the underlying reasoning.

The AI-generated explanations will include multiple components designed to enhance user comprehension. 

These encompass the specific reasoning behind each classification decision, key indicators that influenced the determination, and optional behavioral insights that provide context about sender patterns or message characteristics. 

When the AI explanation system is unavailable, the platform will automatically revert to standard explanations, ensuring a consistent user experience.

The system supports five distinct result types such as:

• Unknown classifications occur when Microsoft cannot reach a definitive decision due to inaccessible content or analyst disagreement.
• Bulk classifications identify senders as bulk mailers with future blocking potential based on BCL (Bulk Complaint Level).
• Spam classifications trigger blocking of similar items based on SCL (Spam Confidence Level).
• No threats found indicates clean content with potential filter updates.
• Threats found identifies malicious content requiring immediate filter modifications.

The rollout timeline spans from late June 2025 through mid-July 2025, with global availability planned across all Microsoft Defender for Office 365 deployments. 

This feature will be available by default, requiring no administrative intervention or configuration changes, streamlining the implementation process for organizations worldwide.

Technical access requires navigation to the Microsoft Defender portal at https://security.microsoft.com, followed by accessing Actions & Submissions > Submissions or directly visiting https://security.microsoft.com/reportsubmission. 

Users must select the Emails tab and open specific submissions to view AI-generated explanations in the Result Details section.

The current scope specifically targets email submissions within the Microsoft Defender portal, excluding files, Teams messages, URLs, or other user-submitted content types. 

This focused approach ensures optimal performance and accuracy during the initial deployment phase.

According to the Report, Organizations can expect immediate benefits without requiring preparatory actions, as the automatic rollout eliminates administrative overhead. 

However, security teams should review existing submission workflows to maximize the new explanatory capabilities and consider updating internal documentation to reflect enhanced transparency features.

The implementation provides significant value for security operations centers and end-users alike, offering deeper insights into email threat detection processes. 

Organizations may want to notify administrators and users about these enhancements to ensure optimal utilization of the improved classification explanations and maintain consistent security awareness protocols across their Microsoft 365 environments.

Live Credential Theft Attack Unmask & Instant Defense – Free Webinar