Microsoft Defender for Office 365 is launching an AI-powered feature to enhance threat analysis transparency for enterprise administrators.
The new capability, identified as MC1098943 and roadmap item 488098, uses large language models (LLMs) to generate human-readable explanations for email submission verdicts.
This innovation addresses the complexity of interpreting security classifications like “Bulk,” “Spam,” or “Threats found” by providing contextual reasoning behind Microsoft’s analysis.
Rollout begins globally in late June 2025, completing by mid-July, with no administrative configuration required.
LLM-Driven Threat Rationalization
The AI engine analyzes email submissions to produce explanations featuring:
- Classification reasoning (e.g., why an item was flagged as phishing)
- Key indicators used in decision-making
- Behavioral insights about sender patterns
Supported verdicts include Spam, Bulk, Threats found, No threats found, and Unknown.
- For unsupported scenarios (such as Teams messages, URLs, or file submissions), the system reverts to traditional explanations.
- This functionality exclusively processes admin-submitted emails, not user-reported content.
Technical Implementation and Access
To view AI-generated insights:
- Navigate to https://security.microsoft.com
- Access Actions & Submissions > Submissions
- Select the Emails tab and open a submission
- Check the Result Details section for explanations
The feature integrates with existing submission workflows that perform:
- Email authentication checks (SPF/DKIM/DMARC)
- Policy hit analysis (organizational/user overrides)
- Payload detonation (URL/attachment examination)
Organizational Impact and Preparedness
While the feature activates automatically, Microsoft recommends:
- Reviewing submission review workflows
- Updating internal documentation with new explanation formats
- Notifying security teams about enhanced diagnostic capabilities
This enhancement complements Defender for Office 365’s existing threat protection layers, including grader analysis and payload detonation, without modifying data processing boundaries for GCC High/DoD environments.

The AI-powered explainability represents a significant advancement in security transparency, enabling administrators to make faster, more informed decisions about email threats.
By translating technical verdicts like BCL (Bulk Complaint Level) thresholds and SCL (Spam Confidence Level) overrides into actionable insights, Microsoft reduces the operational burden of threat investigation while maintaining Defender’s robust detection capabilities.