Microsoft Security Copilot Expands with Phishing Triage Agent for Faster Incident Response
New Security Copilot agent automates phishing triage with intelligent insights and seamless integration.
Key Takeaways:
- Microsoft debuts an AI-powered Phishing Triage Agent within Defender to streamline email threat analysis.
- The agent offers clear, natural language explanations for its decisions and learns from admin feedback.
- Integrated with Microsoft’s broader security tools, it enhances automation and response efficiency across platforms.
Microsoft has launched the Phishing Triage Agent in public preview, seamlessly integrated into Microsoft Defender as part of its expansive Security Copilot initiative. Designed to automate and speed up the analysis of user-reported phishing emails, the agent aims to reduce response times and lighten the load on security teams.
The launch of Microsoft’s new Phishing Triage Agent is part of a broader initiative announced in March to introduce 11 new Security Copilot agents. These agents are designed to automate repetitive security tasks and streamline workflows across Microsoft Defender, Purview, Intune, and Entra.
How does the Phishing Triage Agent work?
The new Phishing Triage Agent leverages AI-powered reasoning for analyzing user-reported phishing messages, examining content, links, and attachments, to determine their legitimacy. It resolves 90 percent of false positives automatically. This agent explains the decision logic in natural language and continuously improves its accuracy by learning from feedback provided by administrators.
“One of the most defining features of the Phishing Triage Agent is how clearly it communicates its decisions. For every verdict, the agent provides a natural language explanation that outlines why a message was or wasn’t classified as phishing. The rationale is clear and accessible, allowing analysts to quickly comprehend what led to the outcome,” Microsoft explained.
Microsoft explained that this new agent is built for quick deployment and operates securely using role-based access controls to limit its scope. Once configured, this agent runs quietly in the background and gets into action whenever a user flags an email as suspicious. It allows organizations to respond quickly to potential threats without any manual intervention.
Additionally, the output of the Phishing Triage Agent is integrated with Microsoft’s Automated Investigation and Response (AIR) system. It helps to identify related risks and recommends actions to contain or remediate them.
Real-time insights and administrator control
Microsoft notes that all phishing incidents reviewed by the agent include a summary and a visual breakdown of the steps it took, such as analyzing URLs and testing attachments in a secure environment. Administrators can also override the agent’s decisions and provide feedback in plain language, which helps the system learn and improve its accuracy over time. A dedicated dashboard offers real-time insights into how the agent is performing, including triage time and accuracy, incident volume, and more.
The Phishing Triage Agent is currently available in public preview for commercial customers. To join the public preview, organizations must meet specific requirements and sign up through the Microsoft Defender portal.
Rabia has a master's degree in Software Engineering and she has years of experience writing professionally about Microsoft products and other technologies. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on t...
