Exchange Online Protection overview

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

Note

EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see Standalone Exchange Online Protection.

The steps to set up EOP security features and a comparison to the added security that you get in Microsoft Defender for Office 365, see protect against threats. The recommended settings for EOP features are available in Recommended settings for EOP and Microsoft Defender for Office 365 security.

The rest of this article explains how EOP works and the features that are available in EOP.

How EOP works

To understand how EOP works, it helps to see how it processes incoming email:

Graphic of email from the internet or Customer feedback passing into EOP and through the Connection, Anti-malware, Mailflow Rules-slash-Policy Filtering, and Content Filtering, before the verdict of either junk mail or quarantine, or end user mail delivery.

  1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see Configure connection filtering.

  2. Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is routed to an admin only quarantine store. To learn more about malware protection, see Anti-malware protection in EOP.

  3. The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.

    In on-premises organization with Exchange Enterprise CAL with Services licenses, Data loss prevention (DLP) checks in EOP also happen at this point.

  4. The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.). For more information, see Configure anti-spam policies and Configure anti-phishing policies in EOP.

A message that successfully passes all of these protection layers is delivered to the recipients.

For more information, see Order and precedence of email protection.

EOP datacenters

EOP runs on a worldwide network of datacenters that are designed to provide the best availability. For example, if a datacenter becomes unavailable, email messages are automatically routed to another datacenter without any interruption in service. Servers in each datacenter accept messages on your behalf, providing a layer of separation between your organization and the internet, thereby reducing load on your servers. Through this highly available network, Microsoft can ensure that email reaches your organization in a timely manner.

EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region all your messages will be processed using the mail routing for that region. The following list shows the how regional mail routing works for the EOP datacenters:

  • In Europe, the Middle East, and Africa (EMEA), all Exchange Online mailboxes are located in EMEA datacenters, and all messages are routed through EMEA datacenters for EOP filtering.
  • In Asia-Pacific (APAC), all Exchange Online mailboxes are located in APAC datacenters, and messages are currently routed through APAC datacenters for EOP filtering.
  • In the Americas, services are distributed in the following locations:
    • South America: Exchange Online mailboxes are located in datacenters in Brazil and Chile. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.
    • Canada: Exchange Online mailboxes are located in datacenters in Canada. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.
    • United States: Exchange Online mailboxes are located in U.S. datacenters. All messages are routed through local datacenters for EOP filtering. Quarantined messages are stored in the datacenter where the tenant is located.
  • For the Government Community Cloud (GCC), all Exchange Online mailboxes are located in U.S. datacenters and all messages are routed through U.S. datacenters for EOP filtering.

EOP features

This section provides a high-level overview of the main features that are available in EOP.

For information about requirements, important limits, and feature availability across all EOP subscription plans, see the Exchange Online Protection service description.

Notes:

  • EOP uses several URL block lists that help detect known malicious links within messages.
  • EOP uses a vast list of domains that are known to send spam.
  • EOP uses multiple anti-malware engines help to automatically protect our customers at all times.
  • EOP inspects the active payload in the message body and all message attachments for malware.
  • For recommended values for protection policies, see Recommended settings for EOP and Microsoft Defender for Office 365 security.
  • For quick instructions to configure protection policies, see Protect against threats.


Feature Comments
Protection
Anti-malware Anti-malware protection in EOP

Anti-malware protection FAQ

Configure anti-malware policies in EOP

Inbound anti-spam Anti-spam protection in EOP

Anti-spam protection FAQ

Configure anti-spam policies in EOP

Outbound anti-spam Outbound spam protection in EOP

Configure outbound spam filtering in EOP

Control automatic external email forwarding in Microsoft 365

Connection filtering Configure connection filtering
Anti-phishing Anti-phishing policies in Microsoft 365

Configure anti-phishing policies in EOP

Anti-spoofing protection Spoof intelligence insight in EOP

Manage the Tenant Allow/Block List

Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages ZAP in Exchange Online
Preset security policies Preset security policies in EOP and Microsoft Defender for Office 365

Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

Tenant Allow/Block List Manage the Tenant Allow/Block List
Block lists for message senders Create blocked sender lists in EOP
Allow lists for message senders Create safe sender lists in EOP
Directory Based Edge Blocking (DBEB) Use Directory Based Edge Blocking to reject messages sent to invalid recipients
Quarantine and submissions
Admin submission Use Admin submission to submit suspected spam, phish, URLs, and files to Microsoft
User submissions (custom mailbox) User submissions policy
Quarantine - admins Manage quarantined messages and files as an admin in EOP

Quarantined messages FAQ

Report messages and files to Microsoft

Anti-spam message headers in Microsoft 365

You can analyze the message headers of quarantined messages using the Message Header Analyzer at.

Quarantine - end-users Find and release quarantined messages as a user in EOP

Use user spam notifications to release and report quarantined messages

Mail flow
Mail flow rules Mail flow rules (transport rules) in Exchange Online

Mail flow rule conditions and exceptions (predicates) in Exchange Online

Mail flow rule actions in Exchange Online

Manage mail flow rules in Exchange Online

Mail flow rule procedures in Exchange Online

Accepted domains Manage accepted domains in Exchange Online
Connectors Configure mail flow using connectors in Exchange Online
Enhanced Filtering for Connectors Enhanced filtering for connectors in Exchange Online
Monitoring
Message trace Message trace

Message trace in the Exchange admin center

Email & collaboration reports View email security reports
Mail flow reports View mail flow reports

Mail flow reports in the Exchange admin center

Mail flow insights Mail flow insights

Mail flow insights in the Exchange admin center

Auditing reports Auditing reports in the Exchange admin center
Alert policies Alert policies
Service Level Agreements (SLAs) and support
Spam effectiveness SLA > 99%
False positive ratio SLA < 1:250,000
Virus detection and blocking SLA 100% of known viruses
Monthly uptime SLA 99.999%
Phone and web technical support 24 hours a day, seven days a week Help and support for EOP.
Other features
A geo-redundant global network of servers EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the EOP datacenters section earlier in this article.
Message queuing when the on-premises server cannot accept mail Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see EOP queued, deferred, and bounced messages FAQ.
Office 365 Message Encryption available as an add-on For more information, see Encryption in Office 365.