Anti-spam and anti-malware protection in Exchange Online Protection

In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP provides built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect your network from spam transferred through email. Admins do not need to set up or maintain the filtering technologies, which are enabled by default. However, admins can make company-specific filtering customizations.

Looking for information about all EOP features? See the Exchange Online Protection service description.

Anti-malware protection

Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or admins when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.

Note

Anti-malware scanning can't be disabled.

For standalone EOP customers, the service only scans inbound and outbound messages that are routed by the service, and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server, which scans internal messages for malware.

For Exchange Online customers and the EOP that's included in Exchange Enterprise CAL with Services for on-premises Exchange customers, EOP scans inbound and outbound messages that are routed by the service, as well as internal messages sent from a sender in your organization to a recipient in your organization.

For more information, see Anti-malware protection in EOP and Anti-malware protection FAQ.

Customize anti-malware policies

You can configure the default policy for company-wide settings. For greater granularity, you can also create custom anti-malware policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure anti-malware policies in EOP.

Anti-spam protection

EOP uses proprietary anti-spam technology to help achieve high accuracy rates. EOP provides strong connection filtering and spam filtering on all inbound messages. Outbound spam filtering is also always enabled if you use the service for sending outbound email, thereby helping to protect organizations using the service and their intended recipients.

For more information, see Anti-spam protection in EOP and Anti-spam protection FAQ.

Customize anti-spam policies

Spam filtering is automatically enabled for all inbound and outbound email messages that are processed by EOP. You can't completely disable spam filtering, but you can modify specific company-wide settings in your default anti-spam policy. For greater granularity, you can also create custom anti-spam policies and apply them to specific users, groups, or domains in your organization. By default, custom policies take precedence over the default policy, but you can change the priority (running order) of your custom policies.

For more information, see the following topics:

Important

In hybrid deployments where EOP protects on-premises mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to detect the EOP spam filtering headers that are added to messages. For details, see Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.
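The matching logic those two mail flow rules apply can be sketched as follows. This is an added example, not Microsoft's code or the rules' actual implementation. The header name `X-Forefront-Antispam-Report`, the `SFV:SPM` and `SFV:SKS` verdicts, and the SCL value of 6 are assumptions that do not appear on this page; confirm them against the linked hybrid article.

```python
from email import message_from_string
from email.policy import default

# Assumptions, not stated on this page: header name, verdict values, SCL.
EOP_HEADER = "X-Forefront-Antispam-Report"
JUNK_VERDICTS = {"SPM", "SKS"}  # one on-premises rule per verdict
JUNK_SCL = 6                    # value the rules stamp on a match


def parse_report(value):
    """Split 'CIP:...;SFV:SPM;SCL:5;' into a dict keyed by field name."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep and key.strip():
            fields[key.strip().upper()] = val.strip()
    return fields


def scl_from_rules(raw_message):
    """Return the SCL the two rules would set, or None if neither fires.

    Stricter than Exchange's word match: only the SFV field is compared.
    """
    msg = message_from_string(raw_message, policy=default)
    # Only real header fields are inspected; folded lines are unfolded first.
    for value in msg.get_all(EOP_HEADER, []):
        if parse_report(str(value)).get("SFV", "").upper() in JUNK_VERDICTS:
            return JUNK_SCL
    return None


# Constructed sample messages (not real EOP output).
H = EOP_HEADER + ": "
SAMPLES = {
    "spam_folded": "Subject: hi\n" + H + "CIP:203.0.113.7;SCL:5;\n SFV:SPM;LANG:en;\n\nbody\n",
    "marked_by_rule": H + "CIP:198.51.100.9;SCL:6;SFV:SKS;\n\nbody\n",
    "not_spam": H + "CIP:192.0.2.1;SCL:1;SFV:NSPM;\n\nbody\n",
    "text_only": "Subject: SFV:SPM\n\n" + H + "SFV:SPM;\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scl_from_rules(raw))
```

The `text_only` sample shows why the rules must match on the header field itself: verdict text in the subject or body does not change the result.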

Anti-spoofing protection

The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.

As of October 2018, anti-spoofing protection is available in EOP. Before then, anti-spoofing protection was only available in organizations with Office 365 Advanced Threat Protection (ATP).

For more information, see Anti-spoofing protection in EOP.

Quarantine

By default, EOP sends phishing messages and messages that contain malware directly to quarantine. Spam and bulk mail are sent to the user's Junk Email folder, unless an admin configures an anti-spam policy to send these messages to quarantine instead. Depending on why the message was quarantined, admins and end users can view and manage messages in quarantine.

For more information, see Quarantined email messages in EOP.

Report messages to Microsoft for analysis

The submission feature allows admins and end users to easily report items that they believe were incorrectly classified as junk (false positives) or missed by the filters (false negatives). Depending on the results of the analysis, we can then adjust the filtering stack to help reduce the number and impact of junk email messages filtered or allowed by the service.

For more information, see Report messages and files to Microsoft.

Feature availability

To view feature availability across plans, standalone options, and on-premises solutions, see Exchange Online Protection service description.