EOP features

The following table provides a list of features that are available in the Exchange Online Protection (EOP) hosted email filtering service.

Tip

The Office 365 for business roadmap is a good resource for finding out information about upcoming new features. For a broader view about what features are available with the different EOP subscription plans, see Exchange Online Protection Service Description.

Feature Description
Anti-spam protection
Inbound spam detection Inbound anti-spam protection is always enabled and can't be disabled. You can configure custom settings via your connection filter and content filter policies.
For EOP standalone customers: By default, the EOP content filters send spam-detected messages to each recipient's Junk Email folder. However, in order to help ensure that the Move message to Junk Email folder action will work with on-premises mailboxes, you must configure two Exchange mail flow rules (also known as transport rules) on your on-premises servers to detect spam headers added by EOP. For details, see Ensure that spam is routed to each user's Junk Email folder.
Outbound spam detection Outbound anti-spam protection is always enabled if you use the service for sending outbound email, thereby helping protect organizations that use the service and their intended recipients. Similar to inbound filtering, outbound spam filtering is comprised of connection filtering and content filtering. The outbound spam filtering settings aren't configurable, but there are outbound spam policy settings that you can use to configure admin notifications for suspicious and blocked outbound messages. For more information, see Configure the outbound spam policy.
NDR backscatter protection For more information about NDR backscatter, see the NDR backscatter setting in Advanced spam filtering options as well as Backscatter messages and EOP.
Bulk mail filtering EOP has enhanced detection methods for identifying bulk email messages. You can configure the service to mark bulk email messages through the user interface. You can also create mail flow rules to more aggressively filter bulk mail by searching for a bulk mail message header stamp. For more information about bulk email, see What's the difference between junk email and bulk email? and its associated subtopics.
Malicious URL block lists EOP uses several URL block lists that help detect known malicious links within messages.
Anti-phishing protection EOP includes 750,000 domains of known spammers.
Spam management
The ability to configure connection filter IP Allow and IP Block lists IP addresses specified in the connection filter are respected for single IP addresses and CIDR IP address ranges. The service also supports IPv6 addresses. For more information, see Configure the connection filter policy.
The ability to customize content filter policies per user, group, or domain For greater granularity, you can create custom content filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure your spam filter policies.
The ability to configure actions on content-filtered messages There are multiple configurable actions. For example, you can delete content-filtered messages or send them to the Junk Email folder or the quarantine. For more information, see Configure your spam filter policies.
The ability to configure advanced options for aggressive spam filtering For more information, see Configure your spam filter policies (which is where you configure them) and Advanced spam filtering options (which provides specific details about what each option does).
International spam filtering You can configure EOP to filter messages written in specific languages or sent from specific countries or regions. You can configure up to 86 different languages and 250 different regions. The service will apply the configured action for high confidence spam. For more information, see Configure your spam filter policies.
Manage spam via Outlook or Outlook on the web (formerly known as Outlook Web App) Admins and end users can create safe sender lists and blocked sender lists. For more information:
Outlook on the web: See Block or allow (junk email settings).
Outlook: See Overview of the Junk Email Filter.
If you're using EOP to help protect on-premises mailboxes, be sure to use directory synchronization to help ensure that these settings are synced to the service. For more information about setting up directory synchronization, see "Use directory synchronization to manage mail users" in Manage mail users in EOP.
Spam submissions via the Junk Email Reporting Add-in for Microsoft Office Outlook You can download an add-in to Outlook that lets you submit spam messages to Microsoft for analysis. For more information about downloading and using this tool, see Enable the Report Message add-in.
If you're using Exchange Server 2013 or later with EOP, you can also right-click in Outlook on the web to submit spam messages, as described in Report junk email and phishing scams in Outlook on the web .
Spam and non spam submissions via an email alias You can submit spam (junk) and non spam (not junk) messages to Microsoft via email. For more information, see Submit spam, non-spam, and phishing scam messages to Microsoft for analysis.
Spam and non spam submissions via Outlook on the web Junk Email Reporting You can submit spam and non spam messages to Microsoft via Outlook on the web Junk Email Reporting. For more information, see Report junk email and phishing scams in Outlook on the web.
This feature is currently available for Outlook on the web customers whose Exchange Server 2013 SP1 or later mailboxes are being filtered by EOP. Exchange Online Outlook on the web customers will also have this functionality in the near future.
End-user spam quarantine notifications End users can release their own spam-quarantined messages and optionally report them as not junk via end-user spam notification messages. These notification emails must be configured and enabled by an admin, as described in Configure end-user spam notifications in Exchange Online or Configure end-user spam notifications in EOP.
End-user spam quarantine notification frequency This frequency is 3 days by default and is configurable from 1 through 15 days.
The ability for admins to configure the language of end-user spam quarantine notifications This is available for end users and administrators. For more information, see Find and release quarantined messages as an administrator or Find and Release Quarantined Messages as an End User.
Access and manage messages in quarantine via a web page This is available for end users and administrators. For more information, see Find and release quarantined messages as an administrator or Find and Release Quarantined Messages as an End User.
The ability to search the quarantine The ability to search the quarantine for specific spam messages is available for both admins and end users. For more information, see Find and release quarantined messages as an administrator or Find and Release Quarantined Messages as an End User.
View spam-quarantined message headers from the Exchange admin center After viewing the message header in the quarantine, you can also copy the message header text and paste it into the Message Header Analyzer, which provides information about what happened to the message.
Anti-malware protection
Multiple engine anti-malware protection Multiple anti-malware engines help to automatically protect our customers at all times.
The option to disable malware filtering You cannot disable malware filtering because we're enforcing anti-malware scanning for all email messages routing through the service. We believe that helping to provide a consistent and rigorous level of protection for all of our customers is a critical part of the defense-in-depth strategy necessary to help protect your email messaging environment. As a result, malware filtering is automatically enabled for all customers.
Malware inspection of the message body and attachments The service inspects the active payload in the message body and all message attachments for malware.
Default or custom malware alert notifications You have the option to send a notification email message to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted. For more information, see Configure anti-malware policies.
The option to remove an attachment when malware is detected Administrators can select whether to delete the entire message or to strip the attachment and send a customized message to the recipients. For more information, see Configure anti-malware policies.
Anti-spyware protection Anti-malware protection encompasses anti-virus protection and anti-spyware protection.
The ability to customize malware filter policies per user, group, or domain For greater granularity, you can create custom malware filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure anti-malware policies.
Mail routing and connectors
Conditional mail routing For more information, see Create Connectors for Conditional Mail Routing.
Opportunistic or forced TLS Opportunistic or forced TLS is available with connectors. Opportunistic TLS attempts a TLS connection but uses an SMTP connection if the TLS connection is unsuccessful. Force TLS enforces TLS connections, meaning that the message is rejected if the TLS connection is unsuccessful. For more information about TLS, security, and connectors, see Set up connectors for secure mail flow with a partner organization.
Regional routing (the restriction of mail flow to a specific region) For more information, see the "EOP datacenters" section in the Exchange Online Protection overview.
The SMTP Connectivity Checker tool For more information about using this tool to test your mail flow, see Test Mail Flow with the Remote Connectivity Analyzer.
Match subdomains For more information about enabling mail flow to and from subdomains of your accepted domains, see Enable email flow for subdomains in EOP.
Mail flow rules
Policy-based filtering and actions Custom policies are based on Exchange mail flow rules. You can filter by domain, keyword, file name, file type, subject line, message body, sender, recipient, header, and IP address. For more information, see Mail flow rules (transport rules) in Exchange Online Protection.
Filter by text patterns Mail flow rules can use an array or regular expressions to match text. You can also use one string or an array of strings to match many message properties, such as the address, subject, body, or attachment names. For more information, see Mail flow rules (transport rules) in Exchange Online Protection
Custom dictionaries Mail flow rules can include long lists of text and keywords, providing the same functionality as a custom dictionary.
Per-domain policy rules The scope of a mail flow rule can be customized to match sender or recipient domain names, IP address ranges, address keywords or patterns, group memberships, and other conditions.
Attachment scanning Rules can be created to scan the file name, extension, and content of the attachment.
Send policy rule notifications to the sender You can reject messages and send a non-delivery report (NDR) to the sender via the Reject the message with the explanation or Reject the message with the enhanced status code action. For more information, see Mail flow rule actions.
Send messages to fixed addresses (such as redirecting or copying a message to a specific address) Mail flow rules can redirect, add recipients by carbon copy or blind carbon copy, simply add recipients, and other options. For more information, see Mail flow rule actions.
The ability to easily adjust rule priority across multiple rules Use the Exchange admin center to change the order in which rules are processed.
The ability to filter messages and then change the routing or attributes of a message You can filter messages based on a wide variety of conditions and then apply a series of actions to each message. For more information, see Mail flow rules (transport rules) in Exchange Online Protection.
Change the spam confidence level of a message by rule. You can inspect an in-transit message and assign a spam confidence level to it based on criteria that you choose. For more information, see Use mail flow rules to set the spam confidence level (SCL) in messages.
Inspect message attachments You can examine the content of an attachment or the characteristics of an attached file and define an action to take based on what is found. For more information, see Using mail flow rules to inspect message attachments.
Administration
Web-based administration EOP administrators can manage the service via the Exchange admin center (EAC) interface, which is supported in 60 languages. For more information, see Exchange admin center in Exchange Online Protection .
Directory synchronization Directory synchronization is available via the Azure Active Directory Sync tool. For more information, see the "Use directory synchronization to manage mail users" section in Manage mail users in EOP.
Directory Based Edge Blocking (DBEB) The DBEB feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Office 365 and block all messages sent to email addresses that aren't present in Office 365. For more information about configuring DBEB, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.
Remote Windows PowerShell access Full EOP functionality is available via remote Windows PowerShell. For more information, see PowerShell in Exchange Online Protection.
Reporting and logging
Message tracing The message trace feature enables you as an administrator to follow email messages as they pass through the service. It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service. This lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance. For more information, see Trace an Email Message.
Web-based reports The mail protection reports in the Microsoft 365 admin center provide messaging data. For example, you can monitor how much spam and malware is being detected or how often your mail flow rules are being matched. With these interactive reports, you can quickly get a visual report of summary data and drill down into details about individual messages, for as far back as 90 days. For more information, see Use mail protection reports in Office 365 to view data about malware, spam, and rule detections.
Detailed reporting via the Excel reporting workbook The email protection reports in the Excel 2013 reporting workbook are also available. However, we recommend using the admin center reports instead. The Excel 2013 reporting workbook is planned to be deprecated in the future.
Audit logging The administrator role group report and the administrator audit log are available for EOP admins. For more information, see Auditing reports in EOP.
Service Level Agreements (SLAs) and support
Spam effectiveness SLA >99%
False positive ratio SLA <1:250,000
Virus detection and blocking SLA 100% of known viruses
Monthly uptime SLA 99.999%
Phone and web technical support 24 hours a day, seven days a week For more information about EOP help and support options, see Help and support for EOP.
Other features
A geo-redundant global network of servers EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the "EOP data centers" section in Exchange Online Protection overview.
Message queuing when the on-premises server cannot accept mail Messages in deferral remain in our queues for 2 days. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see EOP queued, deferred, and bounced messages FAQ.
Office 365 Message Encryption available as an add-on service For more information, see Encryption in Office 365.