Exchange Online Protection overview
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, phishing and other email threats. EOP is included in all Microsoft 365 organizations that have Exchange Online mailboxes.
Tip
EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see Standalone Exchange Online Protection.
You can sign up for an EOP trial and get pricing information at the Exchange Online Protection home page.
EOP protection is on by default thanks to the default policies for:
These default policies apply to all recipients by default and can't be turned off, but they can be overridden by preset security policies or custom policies that you create.
You can customize the security settings in the default policies, create custom policies, or better yet, turn on and add all recipients to the Standard and/or Strict preset security policies. For complete information, see Configure protection policies.
The rest of this article explains how EOP works and the features that are available in EOP.
How EOP works
To understand how EOP works, it helps to see how it processes incoming email:
1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. Most spam is stopped at this point and rejected by EOP. For more information, see Configure connection filtering.
2. Then the message is inspected for malware. If malware is found in the message or a message attachment, the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. However, admins can create and use quarantine policies to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see Anti-malware protection in EOP.
3. The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.
   In on-premises organizations with Exchange Enterprise CAL with Services licenses, Microsoft Purview Data Loss Prevention (DLP) checks in EOP also happen at this point.
4. The message passes through content filtering (anti-spam and anti-spoofing), where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using quarantine policies. For more information, see Configure anti-spam policies and Configure anti-phishing policies in EOP.
A message that successfully passes all of these protection layers is delivered to the recipients.
For more information, see Order and precedence of email protection.
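The verdicts described above are recorded on each filtered message, so a quarantined or junked message can be traced back to the stage that flagged it. The following Python sketch is an added example, not part of the original article or of any Microsoft tooling. It assumes the `X-Forefront-Antispam-Report` header and the `CAT`, `SCL`, `CIP` and `IPV` field codes from Microsoft's anti-spam message headers reference (none of which appear in this article), and it runs on a constructed sample message:

```python
from email import message_from_string

# CAT code -> (EOP stage, verdict). Codes are assumed from Microsoft's
# anti-spam message headers reference; they are not listed in this article.
CAT_VERDICTS = {
    "MALW": ("malware filtering", "malware"),
    "SPM": ("content filtering", "spam"),
    "HSPM": ("content filtering", "high confidence spam"),
    "PHSH": ("content filtering", "phishing"),
    "HPHSH": ("content filtering", "high confidence phishing"),
    "HPHISH": ("content filtering", "high confidence phishing"),
    "BULK": ("content filtering", "bulk"),
    "SPOOF": ("content filtering", "spoofing"),
}

def parse_report(value):
    """Split 'KEY:value;KEY:value;' into a dict, tolerating folded lines."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        # Split on the first colon only, so IPv6 addresses in CIP survive.
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def triage(raw_message):
    """Return stage, verdict, SCL and connecting IP for one raw message."""
    header = message_from_string(raw_message).get("X-Forefront-Antispam-Report")
    if header is None:
        return None  # header absent: not filtered by EOP, or stripped in transit
    f = parse_report(header)
    cat = f.get("CAT", "").upper()
    stage, verdict = CAT_VERDICTS.get(cat, ("not mapped", f"CAT '{cat}'"))
    scl = f.get("SCL", "")
    return {
        "stage": stage,
        "verdict": verdict,
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
        "cip": f.get("CIP"),
        # IPV:CAL = source IP was on the connection filter's IP Allow List
        "ip_allow_listed": f.get("IPV") == "CAL",
    }

# Constructed sample message (documentation IP range, example.com hosts).
SAMPLE = (
    "From: sender@example.com\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:9;\n"
    " SRV:;IPV:NLI;SFV:SPM;H:mail.example.com;CAT:HPHISH;DIR:INB;\n"
    "Subject: constructed sample\n\nbody\n"
)
```

Messages rejected at connection filtering are never delivered or quarantined, so they carry no header to parse; use message trace for those.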
EOP datacenters
EOP runs on a worldwide network of datacenters that are designed to provide the best availability. For example, if a datacenter becomes unavailable, email messages are automatically routed to another datacenter without any interruption in service. Servers in each datacenter accept messages on your behalf, providing a layer of separation between your organization and the internet, thereby reducing load on your servers. Through this highly available network, Microsoft can ensure that email reaches your organization in a timely manner.
EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region, all of your messages are processed using the mail routing for that region.
EOP communications
The following communication channels are available for issues and new features in EOP:
- If you're affected by a Service Level Event, you should see a communication alert (typically accompanied by a bell icon) in the Microsoft 365 admin center at https://admin.microsoft.com. We recommend that you read and act on any items as appropriate.
- The Microsoft 365 Message center at https://admin.microsoft.com/Adminportal/Home?#/MessageCenter also contains information about new and updated features. For more information, see Track new and changed features in the Microsoft 365 Message center.
- The Microsoft 365 roadmap is a good resource for finding out information about upcoming new features.
- We also post blog articles about new features to the Microsoft 365 Blogs website.
EOP features
This section provides a high-level overview of the main features that are available in EOP.
For information about requirements, important limits, and feature availability across all EOP subscription plans, see the Exchange Online Protection service description.
Notes:
- EOP uses several URL block lists that help detect known malicious links within messages.
- EOP uses a vast list of domains that are known to send spam.
- EOP inspects the active payload in the message body and all message attachments for malware.
Feature | Comments |
---|---|
Protection | |
Preset security policies | Preset security policies in EOP and Microsoft Defender for Office 365; Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365 |
Anti-malware | Anti-malware protection in EOP |
Inbound anti-spam | Anti-spam protection in EOP |
Outbound anti-spam | Outbound spam protection in EOP; Configure outbound spam filtering in EOP; Control automatic external email forwarding in Microsoft 365 |
Connection filtering | Configure connection filtering |
Anti-phishing | Anti-phishing policies in Microsoft 365 |
Anti-spoofing protection | Spoof intelligence insight in EOP |
Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages | ZAP in Exchange Online |
Tenant Allow/Block List | Manage the Tenant Allow/Block List |
Block lists for message senders | Create blocked sender lists in EOP |
Allow lists for message senders | Create safe sender lists in EOP |
Directory Based Edge Blocking (DBEB) | Use Directory Based Edge Blocking to reject messages sent to invalid recipients |
Quarantine and submissions | |
Admin submission | Use Admin submission to submit suspected spam, phish, URLs, and files to Microsoft |
User reported message settings | User reported settings |
Quarantine - admins | Manage quarantined messages and files as an admin in EOP; Report messages and files to Microsoft; Anti-spam message headers in Microsoft 365. You can analyze the message headers of quarantined messages using the Message Header Analyzer at. |
Quarantine - end-users | Find and release quarantined messages as a user in EOP; Use quarantine notifications to release and report quarantined messages |
Mail flow | |
Mail flow rules | Mail flow rules (transport rules) in Exchange Online; Mail flow rule conditions and exceptions (predicates) in Exchange Online; Mail flow rule actions in Exchange Online |
Accepted domains | Manage accepted domains in Exchange Online |
Connectors | Configure mail flow using connectors in Exchange Online |
Enhanced Filtering for Connectors | Enhanced filtering for connectors in Exchange Online |
Monitoring | |
Message trace | Message trace |
Email & collaboration reports | View email security reports |
Mail flow reports | Mail flow reports in the Exchange admin center |
Mail flow insights | Mail flow insights in the Exchange admin center |
Auditing reports | Auditing reports in the Exchange admin center |
Service Level Agreements (SLAs) and support | |
Spam effectiveness SLA | > 99% |
False positive ratio SLA | < 1:250,000 |
Virus detection and blocking SLA | 100% of known viruses |
Monthly uptime SLA | 99.999% |
Phone and web technical support 24 hours a day, seven days a week | Get support for Microsoft 365 for business. |
Other features | |
A geo-redundant global network of servers | EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the EOP datacenters section earlier in this article. |
Message queuing when the on-premises server can't accept mail | Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see the Mail flow delivery FAQ. |
Office 365 Message Encryption available as an add-on | For more information, see Encryption in Office 365. |