{"id":3218,"date":"2026-04-16T16:15:56","date_gmt":"2026-04-16T16:15:56","guid":{"rendered":"https:\/\/modern-workplace.uk\/?p=3218"},"modified":"2026-04-16T16:15:57","modified_gmt":"2026-04-16T16:15:57","slug":"from-threat-counts-to-posture-a-new-way-to-read-your-defender-data","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=3218","title":{"rendered":"From Threat Counts to Posture: A New Way to Read Your Defender Data"},"content":{"rendered":"\n

Microsoft has announced something at RSA 2026 that deserves more attention than it has received so far: a brand-new report inside the Microsoft Defender portal called the Protection and Posture Insights report<\/strong>.<\/p>\n\n\n\n

If you manage Microsoft 365 security for an organisation, this one matters, and here’s why.<\/p>\n\n\n\n

\n\n\n\n

What Is It?<\/h2>\n\n\n\n

The Protection and Posture Insights report is a dedicated view inside the Defender portal that gives you a personalized, tenant-specific picture of the threats being directed at your environment and how Defender is responding to them.<\/p>\n\n\n\n

This is different from the generic threat dashboards and email protection status reports that have existed for a while. Those tell you what Defender caught across broad categories. This report tells you what was happening specifically in your tenant which campaigns were targeting your users, which techniques were being used, who was in the firing line, and where your risk is concentrated.<\/p>\n\n\n\n

Built entirely on your own telemetry, there’s no averaging across a generic baseline. The data is yours.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n
\n\n\n\n

What’s Actually Inside It?<\/strong><\/h2>\n\n\n\n

Having had the chance to look at the report for a live tenant, here’s how it’s structured and what each section genuinely delivers.<\/p>\n\n\n\n

Executive Summary<\/strong>
A high-level overview of the period: how many threats were observed, how they were handled, and what the overall protection picture looks like. Designed to be readable by someone who doesn’t live in the Defender portal day-to-day.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

<\/p>\n\n\n\n

Effectiveness<\/strong>
This section answers the headline question: how well is Defender actually performing for this tenant? It breaks down what was caught versus what reached users, giving you a defensible answer to “is this working?” rather than just a volume count.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

<\/p>\n\n\n\n

Threat Landscape & Threat Classification<\/strong>
A breakdown of the threat types observed during the reporting period \u2014 spam, phishing, malware \u2014 with classification detail. This is where you start to understand the character<\/em> of attacks hitting your organisation, not just the numbers.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Zero-Day Threats (Detonation)<\/strong>
One of the more technically interesting sections. This covers threats that were caught specifically via Safe Attachments detonation analysis, i.e., files or URLs where Defender had no prior signal and had to run them in a sandboxed environment to determine they were malicious. The presence of this section in the report gives you visibility into how much of your protection depends on that detonation layer versus signature-based detection.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Priority Accounts<\/strong>
If you’ve configured Priority Accounts in Defender (executives, finance, IT admins), this section shows you whether they are being targeted at a higher rate than the general user population, and how those threats were handled. This is a useful data point for board-level conversations about targeted risk.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Policy Coverage<\/strong>
This is arguably the most operationally useful section for an administrator. It maps your current policy configuration against the threats that were observed, surfacing any coverage gaps. If a threat type is hitting your organisation but you don’t have the relevant policy configured to catch it optimally, this is where that shows up.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Delivery Locations<\/strong>
Where did threats end up? Inbox, junk, quarantine, blocked pre-delivery? This section shows the distribution across delivery outcomes, which helps you understand whether your policies are catching threats early or whether too much is reaching users before being remediated.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Detection Trends & Inbound Detection Technology<\/strong>
Trend data over the reporting period, and a breakdown of which detection technologies fired \u2014 things like URL detonation, file reputation, anti-spoofing, impersonation protection, and so on. Useful for understanding which parts of the stack are doing the heavy lifting.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Phish Threshold Policy Level<\/strong>
Your current anti-phishing threshold setting shown in context of the threats observed. If your threshold is set conservatively relative to what’s hitting your users, this section makes that visible \u2014 without you having to cross-reference documentation and policy settings manually.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Quarantine Statistics<\/strong>
A summary of what ended up in quarantine over the period, including volumes and categories. Useful both for operational awareness and for reviewing whether your quarantine policies are set appropriately.<\/p>\n\n\n\n

\n\n\n\n

Why This Matters<\/h2>\n\n\n\n

<\/p>\n\n\n\n

Most Defender reporting up to now has been good at answering volume<\/em> questions: how many phishing emails were blocked this month, how many malware attachments were quarantined. What it hasn’t done well is answer posture <\/strong>questions: are we configured correctly for the threats we’re actually seeing? Are there gaps between what’s hitting us and what we’re catching?<\/p>\n\n\n\n

The Protection and Posture Insights report shifts the frame. Instead of a count of events, you get a narrative about your environment: what attackers are trying, how your controls are performing against those specific attempts, and where the gaps are.<\/p>\n\n\n\n

The Policy Coverage and Phish Threshold sections in particular are genuinely new value. These are questions that previously required an admin to manually compare their configuration against observed threat patterns. Having that surfaced in a single report (and tied to your actual telemetry rather than a generic recommendation baseline) is a meaningful step forward.<\/p>\n\n\n\n

For organisations running Defender for Office 365 Plan 2 or Defender XDR, this is worth checking as soon as it appears in your portal.<\/p>\n\n\n\n

\n\n\n\n

Where to Find It<\/h2>\n\n\n\n

<\/p>\n\n\n\n

The report is accessible directly in the Microsoft Defender portal (security.microsoft.com). Head to Reports and look for Protection and Posture Insights under the Email & Collaboration \/ Email & Collaboration reports. It is being rolled out following the RSA 2026 announcement in late March, so if you don’t see it yet, it should appear in your tenant shortly.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

The report covers a rolling period and is exportable as a PDF, which makes it practical to include in regular security reviews or customer reporting without manual assembly.<\/p>\n\n\n\n

\n\n\n\n

A Note on Licence Coverage<\/h2>\n\n\n\n

Full access to this report requires Defender for Office 365 Plan 1 or Plan 2, or a Defender XDR licence. Organisations on baseline Exchange Online Protection will have limited visibility.<\/p>\n\n\n\n

If you’re assessing whether to move customers up to MDO Plan 2, the combination of this report and the broader investigation and hunting capabilities it supports makes a stronger case than it did six months ago.<\/p>\n\n\n\n

\n\n\n\n

The Bigger Picture<\/h2>\n\n\n\n

<\/p>\n\n\n\n

This report landed alongside two other Teams-focused announcements at RSA 2026: inline real-time warnings for vishing (Teams call impersonation), and SOC-level call investigation capabilities including advanced hunting on call events. Microsoft is making a deliberate push to bring Teams calling up to parity with email as a first-class security signal.<\/p>\n\n\n\n

The Protection and Posture Insights report sits across all of that \u2014 a single place to understand what’s hitting your collaboration surface and whether your posture is right for it.<\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft’s new Protection & Posture Insights report in Defender for Office 365 goes beyond blocking counts to show you what’s targeting your tenant, whether your policies are configured to catch it, and where the gaps are. Here’s what’s inside it and why it changes how you read your security data.<\/p>\n","protected":false},"author":1,"featured_media":3220,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[850,753,976],"tags":[975,959,974,962,767,961,759,960,874,964,966,969,973,963,968,971,965,972,970,967],"class_list":["post-3218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-850","category-microsoft365","category-microsoft-defender-office-365","tag-collaboration-security","tag-defender-for-office-365","tag-defender-xdr","tag-email-security","tag-m365","tag-mdo","tag-microsoft-365","tag-microsoft-365-security","tag-microsoft-defender","tag-microsoft-defender-portal","tag-phishing-protection","tag-policy-coverage","tag-priority-accounts","tag-protection-and-posture-insights","tag-rsa-2026","tag-safe-attachments","tag-security-posture","tag-security-reporting","tag-threat-protection","tag-zero-day-threats"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3218"}],"version-history":[{"count":1,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3218\/revisions"}],"predecessor-version":[{"id":3228,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3218\/revisions\/3228"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/3220"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}