Email - Mailbox Intelligence

Summary

Mailbox intelligence in Microsoft 365 helps protect users by making email security more personalized and relevant to their everyday interactions. It learns who you normally communicate with and what typical emails look like, so when something unusual appears—like a message from someone you don’t usually hear from or that doesn’t match normal patterns—it can trigger clearer, more meaningful warnings. For users, this means fewer unnecessary alerts and more accurate notifications, helping them more

Body

Overview

Mailbox Intelligence is an AI‑ and machine‑learning–driven capability used by Microsoft Defender for Office 365 anti‑phishing policies. It builds a personalized communication model for each mailbox based on historical email patterns and trusted relationships. That model is then used to detect anomalous or suspicious messages that appear to impersonate someone the user commonly communicates with.

Unlike static allow/block rules, Mailbox Intelligence adapts over time and evaluates messages in the context of the individual user, making it particularly effective against targeted phishing and business email compromise (BEC) attacks.

Issue

Phishing and business email compromise (BEC) attacks are a consistently successful method by which attackers can compromise your account. Mailbox Intelligence helps mitigate these attacks.

How it Works

Mailbox intelligence uses insights about user behavior, trusted contacts, and communication patterns to help identify unusual or potentially risky emails. By understanding who you normally interact with and how you communicate, it can flag unexpected messages—like emails from unfamiliar senders or unusual activity—making security warnings more accurate and relevant, while reducing unnecessary alerts.

Mailbox Intelligence protection significantly strengthens Microsoft 365’s anti‑phishing defenses by applying personalized, behavior‑based detection rather than relying solely on generic rules.

User Expectations or Impact

For end users, the main impacts are increased visibility into suspicious messages, occasional additional junk filtering, and clearer contextual warnings—trade‑offs that substantially reduce the risk of credential theft, fraud, and email‑borne compromise. These contextual warnings come in the form of email banners.

For example, when Mailbox Intelligence detects potential impersonation, users may see visual warning banners in Outlook or Outlook on the web, such as:

  • “This sender looks suspicious”
  • “This email address is not normally used by this sender”

These banners are designed to:

  • Increase awareness
  • Explain why a message is risky
  • Prevent users from acting on social‑engineering prompts

Details

Article ID: 15350
Created: Thu 6/25/26 12:03 PM
Modified: Thu 6/25/26 12:03 PM