typing on a computer

Exchange Online Protection (EOP) Security Overview

Exchange Online Protection (EOP) is one of the most foundational building blocks of a cybersecurity strategy. The service helps organizations to prevent and detect email attacks, providing a range of cybersecurity tools that protect the inboxes of every single employee. 

As digital-first communication increasingly becomes the norm, organizations are relying on email communication more than ever. Attackers are all too aware of this, and new attack strategies are constantly being conceived that leverage email inboxes as a point of weakness.

In all, 91% of cyberattacks begin with spear phishing. Of course, cybersecurity awareness training is an important step to ensure your employees know the warning signs of an attack, but a more comprehensive approach leverages tools like EOP to prevent your employees from even receiving the majority of phishing emails in the first place. 

In this overview, we’ll explore the key features of Microsoft 365 Exchange Online Protection and share how you can start leveraging them to harden your organization’s overall cybersecurity posture.

What is Exchange Online Protection?

Exchange Online Protection, often shortened to EOP, is a cloud-based email-filtering service that comes standard with all Microsoft Office 365 enterprise subscriptions with Exchange Online mailboxes. It is also available as a standalone security product to protect on-premise and hybrid Exchange mailboxes. 

By using EOP, organizations can prevent and detect a wide variety of broad, volume-based attacks, safeguarding their employees from potentially threatening emails. Specific threats that EOP offers protection against include spear phishing, spam, and malware.

It’s important to note that EOP is only one element of a more comprehensive Microsoft Office 365 security strategy. Other critical components of email security include mailbox auditing, implementing multi-factor authentication, and setting up DMARC, SPF, and DKIM records. 

Related: 10 Office 365 Security Best Practices

How Does Exchange Online Protection Work?

EOP routes all emails––incoming and outgoing––through a series of security filters to determine whether they are safe. Filters include connection, malware, policy, and content filters. Any messages that are flagged are either quarantined or sent to junk mail, and those deemed safe are released to the recipient’s mailbox. 

There are a range of preconfigured filters that come as standard, but it’s possible for cybersecurity leaders, or professionals from a Managed Cybersecurity Service Provider, to define more specific filters and security policies for their organization. 

The service provides organizations with fast and reliable cloud-based email filtering, delivered using a worldwide network of data centers. This keeps the load off of individual organization’s servers. Data centers in every continent ensure high levels of availability and timely email delivery.

By implementing EOP successfully, cybersecurity leaders can minimize their organization’s exposure to spam, malware, and phishing attacks, dramatically reducing the attack surface that external bad actors could potentially exploit. 

Exchange Online Protection: Key Features

EOP comes with a range of features, the majority of which are geared towards attack prevention and detection. Working together, these features streamline the way that cybersecurity professionals manage email security, working on the basis of a series of predefined rules that specify how different types of email should be treated. 

Let’s explore how each of these features work in more detail. 

Spam Confidence Level

One of the first filters emails pass through is a spam filter, which assigns a numeric value to the probability that the email is a spam message. There are a variety of levels, ranging from -1 (non-spam messages from a whitelisted domain, sender, or IP address), to 9 (emails which are determined, with a high degree of confidence, to be spam). 

Organizations can set their own policies that govern how emails are classified, and can specify how to treat emails at each level. Potential actions include routing an email to quarantine, adding a warning message to the subject line, or sending the email straight to the recipient’s junk folder. 

EOP also uses technologies including connection filtering, which identifies the veracity of the email source server, and outbound spam filtering, which ensures no employee accounts are being used to send outbound spam. Microsoft also maintains a list of known spam and phishing threats, and blocks emails from these IP addresses. 

Spam Filtering

When it comes to setting up the spam filtering rules for your organization, it’s generally best to configure these yourself, or with the help of trusted IT consultants. There are various ways that organizations can configure their spam filters. Let’s look at some of the most common:

  • Whitelists: a list of approved safe senders. They typically include partners, vendors, customers, and other trusted organizations. Whitelists are formed of the domains or IP addresses of approved senders, and ensure an organization’s employees never miss important emails. 
  • Blacklists: a list of blocked senders known to be unsafe. Organizations can block specific senders, IP addresses, or entire domains. 
  • Language Filters: if your company operates solely in the US, it’s unlikely you’ll be receiving many emails in other languages. If you’re receiving a lot of spam emails written in different languages, it’s possible to block all emails in that language. Administrators can also block emails sent from servers hosted in particular countries or regions. 

By setting up these spam filters to your specifications, security teams can minimize the level of spam their employees encounter on a daily basis.  

Bulk Email Complaints

These days, it’s hard to find someone who doesn’t feel like they receive too many emails. Configuring EOP to route bulk emails to junk folders streamlines employee’s inboxes and removes distractions. 

Bulk emails are not necessarily spam; they tend to be marketing emails or newsletters that are sent to huge mailing lists. To ensure these types of emails are routed to junk folders rather than employee’s primary mailboxes, IT teams can create Bulk Complaint Levels. This is done in a similar manner to Spam Confidence Levels, where administrators can specify criteria and thresholds that define how EOP should treat incoming bulk emails. 

Correcting False Positives

Every so often, your filters will classify messages as spam that are not actually spam. This is called a false positive. The opposite is also possible: spam or a harmful email could pass through your filters and land in a recipient’s inbox. These events are called false negatives, and no matter how rigorously your filters are set up, they’re always a possibility. 

In these instances, users can report false-positives or false-negatives to Microsoft, which uses the data to improve the accuracy of the filtering process. For individual messages, it’s easy to take manual action. Administrators can view quarantined emails and reroute messages that have been wrongly flagged to the intended recipients. 


When EOP determines that emails are malicious or spam, they are sent directly to quarantine. The main purpose of this quarantine is to store potentially dangerous emails in a contained environment that is separated from other systems. Quarantine is only accessible by system administrators, who can review the email and decide on the appropriate course of action. 

If an organization is using default EOP settings, then messages that are sent to quarantine by virtue of a high Spam Confidence Level are stored for 15 days, whereas messages that are moved because of a network filtering rule are held for 7 days. Administrators can allow individual users to access their own quarantine, but it’s generally best to leave messages in quarantine to be reviewed by experienced cybersecurity professionals. 

Anti-Malware & Safe Attachments

EOP doesn’t only filter emails; it also scans any attached files for malware. Administrators can specify how these scans should be conducted. Common strategies include flagging any attachments with potentially malicious file types, such as .EXE or .CMD files. However, bear in mind that EOP does not come with zero-day protection, instead relying on malware signatures.

For a stronger approach, security teams should use the Safe Attachments feature of Microsoft 365 Defender. This adds zero-day protection, and routes email attachments to a protected sandbox environment, where attachments are scanned for the presence of malicious code. 

Advanced Threat Protection: Anti-Phishing

As phishing scams have become more sophisticated, so too have the tools used to defend organizations against them. EOP offers Advanced Threat Protection (ATP) anti-phishing tools. These tools, including spoof intelligence and email authentication, help organizations to flag more sophisticated phishing attacks and manually block these attackers. 

There are a variety of additional ATP tools available as part of Microsoft 365 Defender, including ATP for other communication tools, such as Sharepoint, OneDrive, and Teams. If organizations rely on these communication tools as much as they do email, it’s definitely worth considering upgrading from EOP to Microsoft 365 Defender Plan 1 or 2.

Get Started with Managed Microsoft 365 Security

Ensuring your EOP is configured to the needs of your organization is an important task, and often it’s best to partner with cybersecurity experts to ensure your organization is set up for success. 

At TechHeads, we’re a proud Microsoft Partner and offer deployment and consulting services across the entire Microsoft Security tool suite. Learn more about our Microsoft 365 Security Services, or schedule a call to talk to an expert about your needs.