Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, phishing and other email threats. EOP is included in all Microsoft 365 organizations that have Exchange Online mailboxes.
Tip: EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see Standalone Exchange Online Protection.
These default policies apply to all recipients by default and can't be turned off, but they can be overridden by preset security policies or custom policies that you create.
You can customize the security settings in the default policies, create custom policies, or better yet, turn on and add all recipients to the Standard and/or Strict preset security policies. For complete information, see Configure protection policies.
The rest of this article explains how EOP works and the features that are available in EOP.
How EOP works
To understand how EOP works, it helps to see how it processes incoming email:
When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. Most spam is stopped at this point and rejected by EOP. For more information, see Configure connection filtering.
Then the message is inspected for malware. If malware is found in the message or a message attachment, the message is delivered to quarantine. By default, only admins can view and interact with messages quarantined as malware. However, admins can create and use quarantine policies to specify what users are allowed to do with quarantined messages. To learn more about malware protection, see Anti-malware protection in EOP.
The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.
The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using quarantine policies. For more information, see Configure anti-spam policies and Configure anti-phishing policies in EOP.
A message that successfully passes all of these protection layers is delivered to the recipients.
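As an added example (not part of the original article and not Microsoft's code), the following Python code reads the X-Forefront-Antispam-Report header that EOP stamps on messages and reports which of the layers described above left its verdict. The IPV, SFV and CAT field meanings come from Microsoft's anti-spam message headers documentation rather than from this page; the function names and sample headers are constructed for illustration.

```python
# Added example. IPV/SFV/CAT meanings follow Microsoft's anti-spam message
# header documentation; all header values below are constructed samples.
CONTENT_CATS = {
    "SPM": "spam", "HSPM": "high confidence spam", "PHSH": "phishing",
    "HPHSH": "high confidence phishing", "HPHISH": "high confidence phishing",
    "BULK": "bulk", "SPOOF": "spoofing",
}

def parse_report(header):
    """Split 'KEY:value;...' pairs. Only the first ':' separates key and
    value, so an IPv6 address in CIP survives intact."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = value.strip()
    return fields

def deciding_layer(header):
    """Return (layer, detail) naming the EOP layer whose verdict is recorded."""
    f = parse_report(header)
    cat, sfv = f.get("CAT", "").upper(), f.get("SFV", "").upper()
    # An IP Allow List hit only skips spam filtering, so check malware first.
    if cat == "MALW":
        return ("malware", "quarantined as malware")
    if f.get("IPV", "").upper() == "CAL":
        return ("connection filtering", "source IP is on the IP Allow List")
    if sfv in ("SKN", "SKS"):
        verdict = "non-spam" if sfv == "SKN" else "spam"
        return ("policy filtering",
                "marked %s before spam filtering, e.g. by a mail flow rule" % verdict)
    if cat in CONTENT_CATS:
        return ("content filtering", CONTENT_CATS[cat])
    return ("none", "no filtering verdict recorded")

SAMPLES = [  # constructed headers using documentation-range addresses
    "CIP:203.0.113.10;CTRY:;IPV:CAL;SCL:-1;SFV:NSPM;CAT:NONE",
    "CIP:198.51.100.7;CTRY:;IPV:NLI;SCL:9;SFV:SPM;CAT:MALW",
    "CIP:198.51.100.7;CTRY:;IPV:NLI;SCL:-1;SFV:SKN;CAT:NONE",
    "CIP:2001:db8::1;CTRY:;IPV:NLI;SCL:8;SFV:SPM;CAT:HPHISH",
    "CIP:192.0.2.25;CTRY:;IPV:NLI;SCL:1;SFV:NSPM;CAT:NONE",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(deciding_layer(h), "<-", h)
```

When triaging a user report, running this over the header of the delivered or quarantined message shows whether an allow-list entry or a mail flow rule bypassed content filtering before you start adjusting anti-spam policy thresholds.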
EOP runs on a worldwide network of datacenters that are designed to provide the best availability. For example, if a datacenter becomes unavailable, email messages are automatically routed to another datacenter without any interruption in service. Servers in each datacenter accept messages on your behalf, providing a layer of separation between your organization and the internet, thereby reducing load on your servers. Through this highly available network, Microsoft can ensure that email reaches your organization in a timely manner.
EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region, all of your messages are processed using the mail routing for that region.
EOP communications
The following communication channels are available for issues and new features in EOP:
If you're affected by a Service Level Event, you should see a communication alert (typically accompanied by a bell icon) in the Microsoft 365 admin center at https://admin.microsoft.com. We recommend that you read and act on any items as appropriate.
EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the EOP datacenters section earlier in this article.
Message queuing when the on-premises server can't accept mail
Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see the Mail flow delivery FAQ.
Office 365 Message Encryption available as an add-on