Exchange Online Protection overview
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.
EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see Standalone Exchange Online Protection.
For the steps to set up EOP security features and a comparison to the added security that you get in Microsoft Defender for Office 365, see Protect against threats. The recommended settings for EOP features are available in Recommended settings for EOP and Microsoft Defender for Office 365 security.
The rest of this article explains how EOP works and the features that are available in EOP.
How EOP works
To understand how EOP works, it helps to see how it processes incoming email:
When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see Configure connection filtering.
Then the message is inspected for malware. If malware is found in the message or the attachment(s), the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. However, admins can create and use quarantine policies to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see Anti-malware protection in EOP.
The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.
In on-premises organizations with Exchange Enterprise CAL with Services licenses, Microsoft Purview data loss prevention (DLP) checks in EOP also happen at this point.
The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using quarantine policies. For more information, see Configure anti-spam policies and Configure anti-phishing policies in EOP.
A message that successfully passes all of these protection layers is delivered to the recipients.
For more information, see Order and precedence of email protection.
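The layers described above leave marks on delivered or quarantined messages that can be read back during triage. The following is an added example, not part of the original article or Microsoft's code: it parses the value of the X-Forefront-Antispam-Report header and reports which pipeline layer acted. The header name, its field names (IPV, SFV, CAT) and their codes are not mentioned on this page and are assumed from Microsoft's anti-spam message header documentation; the function names and sample values are constructed for illustration.

```python
import re

# Assumption (from Microsoft's anti-spam message header documentation, not this
# page): CAT codes mapped to the pipeline stage and verdict named above.
CAT_TO_STAGE = {
    "MALW": ("malware inspection", "malware"),
    "SPM": ("content filtering", "spam"),
    "HSPM": ("content filtering", "high confidence spam"),
    "PHSH": ("content filtering", "phishing"),
    "HPHSH": ("content filtering", "high confidence phishing"),
    "HPHISH": ("content filtering", "high confidence phishing"),
    "BULK": ("content filtering", "bulk"),
    "SPOOF": ("content filtering", "spoofing"),
}
# SFV values set before spam filtering runs, for example by a mail flow rule.
PRE_MARKED = {"SKN": "marked non-spam before spam filtering",
              "SKS": "marked spam before spam filtering"}

def parse_report(header_value):
    """Split 'KEY:value;KEY:value;' into a dict; folded header lines are joined."""
    fields = {}
    for part in re.sub(r"\s+", "", header_value).split(";"):
        key, sep, value = part.partition(":")  # first colon only, so IPv6 CIP survives
        if sep:
            fields[key.upper()] = value
    return fields

def layers_that_acted(header_value):
    """List (stage, note) pairs, in pipeline order, for layers that left a mark."""
    f = parse_report(header_value)
    stage, verdict = CAT_TO_STAGE.get(f.get("CAT", "").upper(), (None, None))
    hits = []
    if f.get("IPV") == "CAL":
        hits.append(("connection filtering", "source IP is on the IP Allow List"))
    if stage == "malware inspection":
        hits.append((stage, verdict))
    if f.get("SFV") in PRE_MARKED:
        hits.append(("policy filtering", PRE_MARKED[f["SFV"]]))
    if stage == "content filtering":
        hits.append((stage, verdict))
    return hits

# Constructed sample header values (documentation IP ranges, made-up hosts).
SAMPLE_HSPM = ("CIP:203.0.113.7;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;"
               "H:mail.example.net;PTR:mail.example.net;CAT:HSPM;SFS:;DIR:INB;")
SAMPLE_RULE = ("CIP:2001:db8::25;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;\r\n"
               " H:relay.example.org;PTR:;CAT:NONE;SFS:;DIR:INB;")

if __name__ == "__main__":
    for sample in (SAMPLE_HSPM, SAMPLE_RULE):
        print(layers_that_acted(sample))
```

Messages rejected at connection filtering never reach a mailbox, so they produce no header to parse; an empty result means no layer recorded a verdict.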
EOP runs on a worldwide network of datacenters that are designed to provide the best availability. For example, if a datacenter becomes unavailable, email messages are automatically routed to another datacenter without any interruption in service. Servers in each datacenter accept messages on your behalf, providing a layer of separation between your organization and the internet, thereby reducing load on your servers. Through this highly available network, Microsoft can ensure that email reaches your organization in a timely manner.
EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region, all your messages will be processed using the mail routing for that region.
This section provides a high-level overview of the main features that are available in EOP.
For information about requirements, important limits, and feature availability across all EOP subscription plans, see the Exchange Online Protection service description.
- EOP uses several URL block lists that help detect known malicious links within messages.
- EOP uses a vast list of domains that are known to send spam.
- EOP uses multiple anti-malware engines that help to automatically protect our customers at all times.
- EOP inspects the active payload in the message body and all message attachments for malware.
- For recommended values for protection policies, see Recommended settings for EOP and Microsoft Defender for Office 365 security.
- For quick instructions to configure protection policies, see Protect against threats.