Anti-spam and anti-malware protection in Exchange Online Protection
In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP provides built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect your network from spam transferred through email. Admins do not need to set up or maintain the filtering technologies, which are enabled by default. However, admins can make company-specific filtering customizations.
Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or admins when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.
Note
Anti-malware scanning can't be disabled.
For standalone EOP customers, the service only scans inbound and outbound messages that are routed by the service, and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server, which scans internal messages for malware.
For Exchange Online customers and the EOP that's included in Exchange Enterprise CAL with Services for on-premises Exchange customers, EOP scans inbound and outbound messages that are routed by the service, as well as internal messages sent from a sender in your organization to a recipient in your organization.
You can configure the default policy for company-wide settings. For greater granularity, you can also create custom anti-malware policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure anti-malware policies in EOP.
Anti-spam protection
EOP uses proprietary anti-spam technology to help achieve high accuracy rates. EOP provides strong connection filtering and spam filtering on all inbound messages. Outbound spam filtering is also always enabled if you use the service for sending outbound email, thereby helping to protect organizations using the service and their intended recipients.
Spam filtering is automatically enabled for all inbound and outbound email messages that are processed by EOP. You can't completely disable spam filtering, but you can modify specific company-wide settings in your default anti-spam policy. For greater granularity, you can also create custom anti-spam policies and apply them to specific users, groups, or domains in your organization. By default, custom policies take precedence over the default policy, but you can change the priority (running order) of your custom policies.
In hybrid deployments where EOP protects on-premises mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to detect the EOP spam filtering headers that are added to messages. For details, see Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.
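The two on-premises rules that paragraph refers to, written out as an added example that is not taken from this page; it is run in the Exchange Management Shell of the on-premises organization (not in EOP). The header EOP stamps is X-Forefront-Antispam-Report, with SFV:SPM (classified as spam) and SFV:SKS (marked as spam by a rule or policy before content filtering); the SCL value 6 is chosen so that it exceeds the on-premises SCLJunkThreshold default of 4.

```powershell
# Added example; run in the on-premises Exchange Management Shell, not in EOP.
# EOP adds X-Forefront-Antispam-Report to every filtered message, but the
# on-premises servers ignore it until a transport rule turns it into an SCL.

# Rule 1: messages EOP classified as spam by the content filter (SFV:SPM)
New-TransportRule -Name 'EOP spam - set SCL' `
    -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
    -HeaderContainsWords 'SFV:SPM' `
    -SetSCL 6

# Rule 2: messages EOP marked as spam by a rule/policy before content filtering (SFV:SKS)
New-TransportRule -Name 'EOP skipped spam - set SCL' `
    -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
    -HeaderContainsWords 'SFV:SKS' `
    -SetSCL 6

# SCL 6 only lands mail in Junk Email if it is above the organization threshold
# (default 4). If a previous admin raised it, the rules above do nothing visible.
$threshold = (Get-OrganizationConfig).SCLJunkThreshold
if ($threshold -ge 6) {
    Write-Warning "SCLJunkThreshold is $threshold; SCL 6 would not be junked. Resetting to 4."
    Set-OrganizationConfig -SCLJunkThreshold 4
}

# Confirm both rules exist, are enabled, and see where they sit in the rule order
Get-TransportRule | Where-Object { $_.Name -like 'EOP*' } |
    Format-Table Name, State, Priority, SetSCL
```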
Anti-spoofing protection
The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.
By default, EOP sends phishing messages and messages that contain malware directly to quarantine. Spam and bulk mail are sent to the user's Junk Email folder, unless an admin configures an anti-spam policy to send these messages to quarantine instead. Depending on why the message was quarantined, admins and end users can view and manage messages in quarantine.
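The custom-policy and priority model described in the anti-malware and anti-spam sections above, as an added example that is not from this page: a custom anti-malware policy with admin notifications and a custom anti-spam policy that quarantines spam and bulk mail instead of junking it, both scoped to one domain and moved ahead of any other custom policy. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline); pilot.example.com and secops@pilot.example.com are placeholders.

```powershell
# Added example; assumes an Exchange Online PowerShell session. Domain and
# address are placeholders.
$Domain = 'pilot.example.com'

# --- Anti-malware: custom policy, notify admins when an internal sender is caught ---
New-MalwareFilterPolicy -Name 'Pilot-Malware' `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@pilot.example.com'

# The rule binds the policy to recipients; here, one domain only.
New-MalwareFilterRule -Name 'Pilot-Malware' -MalwareFilterPolicy 'Pilot-Malware' `
    -RecipientDomainIs $Domain

# --- Anti-spam: override the default Junk Email routing with quarantine ---
# BulkThreshold 6 is slightly stricter than the service default (7): lower = more mail counted as bulk.
New-HostedContentFilterPolicy -Name 'Pilot-Spam' `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -BulkSpamAction Quarantine -BulkThreshold 6 `
    -PhishSpamAction Quarantine

New-HostedContentFilterRule -Name 'Pilot-Spam' -HostedContentFilterPolicy 'Pilot-Spam' `
    -RecipientDomainIs $Domain

# Custom rules are evaluated in priority order (0 first) and all of them beat the
# default policy. Put the pilot rules at the top so no other custom rule shadows them.
Set-MalwareFilterRule       -Identity 'Pilot-Malware' -Priority 0
Set-HostedContentFilterRule -Identity 'Pilot-Spam'    -Priority 0

# Verify the effective running order.
Get-MalwareFilterRule       | Sort-Object Priority | Format-Table Name, Priority, RecipientDomainIs
Get-HostedContentFilterRule | Sort-Object Priority | Format-Table Name, Priority, RecipientDomainIs
```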
The submission feature allows admins and end users to easily report items that they believe were incorrectly classified as junk (false positives) or missed by the filters (false negatives). Depending on the results of the analysis, we can then adjust the filtering stack to help reduce the number and impact of junk email messages filtered or allowed by the service.
For most organizations that use Microsoft, we host your mailboxes and take care of mail flow. It's the simplest configuration and means that Microsoft manages all mailboxes and filtering. However, some organizations have a business need to keep all their mailboxes on premises. Exchange Online Protection (EOP) lets you do that and provides antivirus and anti-spam mail processing in the cloud. For more information and to purchase EOP, go to Exchange Online Protection.
As an EOP customer, you can set up secure mail flow with a trusted partner by using Microsoft connectors. Microsoft supports secure communication through Transport Layer Security (TLS), and you can create a connector to enforce encryption via TLS. TLS is a cryptographic protocol that provides security for communications over the internet. By using connectors, you can configure both forced incoming and outgoing TLS using self-signed or certification authority (CA)-validated certificates. You can also apply other security restrictions, such as specifying domain names or IP address ranges from which your partner organization sends mail.
You can add a trusted partner's IP address to a safe list to ensure that messages they send to you are not subject to spam filtering. To do this, you can use the connection filter's IP Allow list. For more information, see Configure the connection filter policy.
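The partner-connector and IP Allow list configuration from the two paragraphs above, as an added example that is not from this page. It assumes an Exchange Online PowerShell session; partner.example, mail.partner.example and 203.0.113.0/24 are placeholders (the latter is a documentation-only address range).

```powershell
# Added example; assumes an Exchange Online PowerShell session. All names and
# addresses are placeholders.
$PartnerDomain  = 'partner.example'
$PartnerRange   = '203.0.113.0/24'
$PartnerTlsName = 'mail.partner.example'   # subject name on the partner's CA-issued certificate

# Inbound: mail claiming to come from the partner domain is accepted only from the
# partner's IP range, and only over TLS. Mail from that domain arriving from any
# other address is rejected.
New-InboundConnector -Name "Partner-$PartnerDomain-In" -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -SenderIPAddresses $PartnerRange `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Outbound: force TLS and require a CA-validated certificate with the expected
# subject name (DomainValidation). A self-signed certificate fails this check;
# -TlsSettings EncryptionOnly is the weaker option if that is all the partner has.
New-OutboundConnector -Name "Partner-$PartnerDomain-Out" -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerTlsName

# Connection filter: the partner's range is added to the IP Allow list so its mail
# is not subject to spam filtering. Keep this list narrow; every entry skips spam filtering.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $PartnerRange}

# Review what is now trusted.
Get-InboundConnector  | Format-Table Name, RequireTls, RestrictDomainsToIPAddresses, SenderIPAddresses
Get-OutboundConnector | Format-Table Name, TlsSettings, TlsDomain, RecipientDomains
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```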
Conditional mail routing
You can configure a connector with a Transport rule that routes mail to a specific site, based on conditions. For more information, see Scenario: Conditional email routing.
Hybrid mail routing
Hybrid means that you host a portion of your mailboxes on premises, and a portion in the cloud (Exchange Online). You can move from a standalone (on-premises) deployment to a hybrid deployment.
If you have a hybrid deployment, you can protect your cloud and on-premises mailboxes with EOP. Standalone licenses are required for on-premises mailboxes, when they are protected by EOP. For more information about mail routing in a hybrid deployment, see Transport routing in Exchange hybrid deployments.
The Microsoft 365 admin center is the web portal from which each company's service administrator can manage user accounts and settings for each of the Microsoft services to which they subscribe. From within the Microsoft 365 admin center, administrators can follow links to the EAC, where they can manage settings specific to EOP.
Access to the Exchange admin center
The Exchange admin center (EAC) is a single unified management console that allows for ease of use and is optimized for all types of deployments. The new and improved EAC replaces the Forefront Online Protection for Exchange Administration Center. EAC provides a tighter integration with Microsoft 365 and a consistent, seamless UI experience across Exchange products (Microsoft Exchange Online and Microsoft Exchange Server 2013). For more information about the EAC, see Exchange Admin Center in Exchange Online Protection.
Remote Windows PowerShell access
Administrators can use Remote Windows PowerShell to perform management tasks from the command line. For more information about how to use Windows PowerShell, including information about creating a remote Shell session and documentation about each cmdlet, see Exchange Online PowerShell.
Mail flow rules (also known as transport rules) provide you with the flexibility to apply your own company-specific policies to email. Mail flow rules are made up of flexible criteria, which allow you to define conditions, exceptions, and actions to take based on the criteria. For more information, see Mail flow rules (transport rules) in Exchange Online Protection.
Audit logging
Audit logging lets you track specific changes made by administrators to your organization. These reports help you meet regulatory, compliance, and litigation requirements. For more information, see Auditing reports in EOP.
Microsoft Purview data loss prevention
Not available to EOP standalone customers. Data loss prevention (DLP) helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. The DLP feature lets you protect sensitive data without affecting worker productivity.
You can configure DLP policies in the EAC, which allows you to:
Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
Use the full power of existing mail flow rule criteria and actions and add new mail flow rules.
Test the effectiveness of your DLP policies before fully enforcing them.
Incorporate your own custom DLP policy templates and sensitive information types.
Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which the service takes action.
Detect sensitive form data by using Document Fingerprinting. Document Fingerprinting helps you easily create custom sensitive information types based on text-based forms that you can use to define mail flow rules and DLP policies.
Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook 2013, Outlook on the web, and OWA for Devices users and can also improve the effectiveness of your policies by allowing false-positive reporting.
Review incident data in DLP reports or add your own specific reports by using a generate incident report action.
Note
DLP policies are applied only to mail that passes in or out of the organization. Intra-organizational (internal) mail does not have DLP policies applied unless you run Exchange Server 2013 with DLP on-premises. This also applies to DLP policy tips, which inform users about potential policy violations before sensitive data is mistakenly sent to unauthorized recipients.
Microsoft Purview Message Encryption, a part of Azure Information Protection, is an online service that allows email users to send encrypted email messages to anyone. On-premises customers can access Microsoft Purview Message Encryption by purchasing Azure Information Protection and using Exchange Online Protection to set up mail flow through Exchange Online. To learn more about Microsoft Purview Message Encryption in Exchange Online, see Microsoft Purview Message Encryption in the Exchange Online service description.
Messaging policy and compliance features across EOP options
Feature | EOP standalone | EOP features in Exchange Online | Exchange Enterprise CAL with Services
Mail flow rules | Yes [1] | Yes [1] | Yes [1, 3]
Audit logging | Yes [2] | Yes | Yes
Data loss prevention (DLP) | No | Yes | Yes [3]
Microsoft Purview Message Encryption | Yes [4] | Yes | Yes [4]
Note
[1] The available mail flow rule conditions, exceptions, and actions differ slightly between EOP and Exchange Online. These differences are noted in Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule actions in Exchange Online.
[2] EOP auditing reports are a subset of Exchange Online auditing reports that exclude information about mailboxes.
[3] DLP policy tips are not available for Exchange Enterprise CAL with Services customers.
[4] Supported for on-premises customers who purchase the Azure Information Protection add-on and use Exchange Online Protection to route email through Exchange Online. For the desktop experience, in addition to the Azure Information Protection add-on, Microsoft 365 Apps for enterprise needs to be purchased.
Reporting and message trace in Exchange Online Protection
Microsoft Exchange Online Protection (EOP) offers many different reports that can help you determine the overall status and health of your organization. Some reports are available in the Microsoft 365 admin center, while others are available in the Exchange admin center (EAC).
The Reports page in the Microsoft 365 admin center provides information about message traffic, spam and malware detections, and messages affected by mail flow rules (also known as transport rules) or Microsoft Purview Data Loss Prevention (DLP) policies. The enhanced reports for protection, rules, and DLP offer an interactive reporting experience for EOP admins. These reports provide summary data and the ability to drill down into details about individual messages.
Many of the REST-based reporting features and related cmdlets were deprecated in January 2018. For information about the available replacement Microsoft Graph reports in Office 365, see the subtopics of Working with usage reports in Microsoft Graph.
Not available to EOP standalone customers. You can use the REST/OData Tenant Reporting web service to programmatically collect summary and detailed reports about messaging data, and you can display the data on a web page in a custom web management portal.
Message trace
The message trace feature in the EAC lets you, as an administrator, follow email messages as they pass through EOP. It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also shows what actions have occurred to the message before reaching its final status. Obtaining detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and alleviate the need to contact technical support for assistance. For more information, see Run a message trace and view the results in the Exchange admin center.
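The same trace, run from Exchange Online PowerShell rather than the EAC, as an added example that is not from this page: the summary row gives the final status (Delivered, Failed, Pending, Quarantined, FilteredAsSpam, ...), and the detail call lists the ordered events (Receive, Spam, Malware, Transport rule, Deliver, ...) that led to it. Get-RecentTrace is a helper written for this example; the addresses are placeholders.

```powershell
# Added example; assumes an Exchange Online PowerShell session. Addresses are placeholders.
function Get-RecentTrace {
    param(
        [Parameter(Mandatory)] [string]$Sender,
        [Parameter(Mandatory)] [string]$Recipient,
        [int]$Hours = 48          # Get-MessageTrace only covers the last 10 days
    )
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)

    # Summary: one row per message/recipient pair with its final Status.
    $trace = Get-MessageTrace -SenderAddress $Sender -RecipientAddress $Recipient `
                              -StartDate $start -EndDate $end
    if (-not $trace) {
        "No messages from $Sender to $Recipient in the last $Hours hours (may be before the service, or rejected at the edge)"
        return
    }
    foreach ($m in $trace) {
        "{0:u}  {1,-14}  {2}" -f $m.Received, $m.Status, $m.Subject
        # Detail: every filtering/routing event in time order, e.g. which rule or
        # filter acted, which is what explains a Quarantined or FilteredAsSpam status.
        Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
            Sort-Object Date |
            ForEach-Object { "    {0:HH:mm:ss}  {1,-16} {2}" -f $_.Date, $_.Event, $_.Detail }
    }
}

Get-RecentTrace -Sender 'vendor@partner.example' -Recipient 'alice@contoso.example'
```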
Recipient, domain, and company management in Exchange Online Protection
Microsoft Exchange Online Protection (EOP) offers several means of managing your recipient, domain, and company information. As an administrator, you can perform certain management tasks within the Exchange admin center (EAC), and verify other management tasks performed in the Microsoft 365 admin center.
Mail recipients are categorized as mail users or groups and can be managed through directory synchronization, directly in the EAC, or via remote Windows PowerShell. If you're managing your recipients on-premises, you must run directory synchronization in order for your mail recipients to be reflected in the EAC. Users managed solely in the Microsoft 365 admin center aren't viewable in the EAC, but they can be added to or removed from membership in an administrator role group in the EAC. For more information about recipients in EOP, see Recipients in EOP.
Admin role group permissions
In EOP, you can configure administrative roles only. Users can be added and removed from default admin role groups directly in the EAC. No RBAC customization is available. For more information, see Manage Admin Role Group Permissions in EOP.
Domain management
Managed domains are domains that are protected by EOP. Managed domains can be viewed and domain types can be edited in the EAC. Domain provisioning and management occurs in the Microsoft 365 admin center and changes are reflected in the EAC. For more information, see View or Edit Managed Domains in EOP.
The Directory Based Edge Blocking (DBEB) feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Microsoft and block all messages sent to email addresses that aren't present in Microsoft. If a message is sent to a valid email address present in Microsoft, the message continues through the rest of the service filtering layers (anti-malware, anti-spam, transport rules). If the address is not present, the service blocks the message before filtering even occurs, and a non-delivery report (NDR) is sent to the sender informing them that their message was not delivered.
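Turning DBEB on for a domain and checking, before enforcing it, that the recipients you expect are actually known to the service, as an added example that is not from this page. DBEB is enabled per domain by setting the domain type to Authoritative in EOP; it assumes an Exchange Online PowerShell session, and contoso.example and the three mailbox names are placeholders.

```powershell
# Added example; assumes an Exchange Online PowerShell session. Domain and
# mailbox names are placeholders.
$Domain = 'contoso.example'

# DBEB is a per-domain setting: Authoritative = reject unknown recipients at the
# edge; InternalRelay = accept everything for the domain and relay it on-premises.
Get-AcceptedDomain | Format-Table DomainName, DomainType

# Every recipient the service knows for this domain (synced via directory
# synchronization or created in the EAC). Anything not in this list is NDR'd.
$known = Get-Recipient -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress -like "*@$Domain" } |
    Select-Object -ExpandProperty PrimarySmtpAddress
"$($known.Count) recipients known to EOP for $Domain"

# Spot-check addresses that must keep working (role mailboxes, aliases that only
# exist on-premises are the usual casualties when DBEB is switched on).
$missing = @()
foreach ($name in 'helpdesk', 'invoices', 'postmaster') {
    $addr = "$name@$Domain"
    if ($known -contains $addr) { "OK       $addr" }
    else                        { "MISSING  $addr (would be rejected)"; $missing += $addr }
}

# Only enforce once the directory is complete.
if ($missing.Count -eq 0) {
    Set-AcceptedDomain -Identity $Domain -DomainType Authoritative
} else {
    Write-Warning "Not enabling DBEB for $Domain until these are synced: $($missing -join ', ')"
}
```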