Anti-spam and anti-malware protection in Exchange Online Protection
In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP provides built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect your network from spam transferred through email. Admins do not need to set up or maintain the filtering technologies, which are enabled by default. However, admins can make company-specific filtering customizations.
Looking for information about all EOP features? See the Exchange Online Protection service description.
Anti-malware protection
Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or admins when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.
Note
Anti-malware scanning can't be disabled.
For standalone EOP customers, the service only scans inbound and outbound messages that are routed by the service, and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server, which scans internal messages for malware.
For Exchange Online customers and the EOP that's included in Exchange Enterprise CAL with Services for on-premises Exchange customers, EOP scans inbound and outbound messages that are routed by the service, as well as internal messages sent from a sender in your organization to a recipient in your organization.
For more information, see Anti-malware protection in EOP and Anti-malware protection FAQ.
Customize anti-malware policies
You can configure the default policy for company-wide settings. For greater granularity, you can also create custom anti-malware policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure anti-malware policies in EOP.
Anti-spam protection
EOP uses proprietary anti-spam technology to help achieve high accuracy rates. EOP provides strong connection filtering and spam filtering on all inbound messages. Outbound spam filtering is also always enabled if you use the service for sending outbound email, thereby helping to protect organizations using the service and their intended recipients.
For more information, see Anti-spam protection in EOP and Anti-spam protection FAQ.
Customize anti-spam policies
Spam filtering is automatically enabled for all inbound and outbound email messages that are processed by EOP. You can't completely disable spam filtering, but you can modify specific company-wide settings in your default anti-spam policy. For greater granularity, you can also create custom anti-spam policies and apply them to specific users, groups, or domains in your organization. By default, custom policies take precedence over the default policy, but you can change the priority (running order) of your custom policies.
Anti-spoofing protection
The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.
For more information, see Anti-spoofing protection in EOP.
Quarantine
By default, EOP sends phishing messages and messages that contain malware directly to quarantine. Spam and bulk mail are sent to the user's Junk Email folder, unless an admin configures an anti-spam policy to send these messages to quarantine instead. Depending on why the message was quarantined, admins and end users can view and manage messages in quarantine.
For more information, see Quarantined email messages in EOP.
Report messages to Microsoft for analysis
The submission feature allows admins and end users to easily report items that they believe were incorrectly classified as junk (false positives) or missed by the filters (false negatives). Depending on the results of the analysis, we can then adjust the filtering stack to help reduce the number and impact of junk email messages filtered or allowed by the service.
For more information, see Report messages and files to Microsoft.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see Exchange Online Protection service description.
Mail flow in Exchange Online Protection
For most organizations that use Microsoft, we host your mailboxes and take care of mail flow. It's the simplest configuration and means that Microsoft manages all mailboxes and filtering. However, some organizations have a business need to keep all their mailboxes on premises. Exchange Online Protection (EOP) lets you do that and provides antivirus and anti-spam mail processing in the cloud. For more information and to purchase EOP, go to Exchange Online Protection.
Looking for information about domain management or Directory Based Edge Blocking (DBEB)? See Recipient, domain, and company management. To learn more about all EOP features, see the Exchange Online Protection service description.
Routing email between Microsoft and your own email servers
You can configure a connector to enable mail flow between Microsoft (including Exchange Online or EOP) and an SMTP-based email server such as Exchange. For details, see Do I need a connector? and Set up connectors to route mail between Microsoft and your own email servers.
Secure messaging with a trusted partner
As an EOP customer, you can set up secure mail flow with a trusted partner by using Microsoft connectors. Microsoft supports secure communication through Transport Layer Security (TLS), and you can create a connector to enforce encryption via TLS. TLS is a cryptographic protocol that provides security for communications over the internet. By using connectors, you can configure both forced incoming and outgoing TLS using self-signed or certification authority (CA)-validated certificates. You can also apply other security restrictions, such as specifying domain names or IP address ranges from which your partner organization sends mail.
For more information, see Set up connectors for secure mail flow with a partner organization.
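The forced-TLS partner connectors described above, as an added PowerShell example that is not part of the original article. It assumes an already-connected Exchange Online PowerShell session; the connector names, partner domain, and IP range are constructed placeholders.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session.
# The domain and IP range below are constructed placeholder values.
$partnerDomain = 'contoso-partner.example'
$partnerRange  = '203.0.113.0/24'

# Inbound: mail claiming to come from the partner domain is accepted only
# if it arrives over TLS and from the partner's published IP range.
New-InboundConnector -Name 'Partner inbound (forced TLS)' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $partnerRange

# Outbound: mail to the partner is sent only over TLS.
#   EncryptionOnly        - encrypts the channel, accepts any certificate
#                           (including self-signed)
#   CertificateValidation - also requires a CA-validated certificate
#   DomainValidation      - also requires the certificate name to match TlsDomain
New-OutboundConnector -Name 'Partner outbound (forced TLS)' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "*.$partnerDomain"

# Review: partner connectors that do not enforce TLS on receipt.
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'Partner' -and -not $_.RequireTls } |
    Select-Object Name, SenderDomains, RequireTls

# Review: partner connectors that send without validating the partner's
# certificate (no TLS setting at all, or EncryptionOnly).
Get-OutboundConnector |
    Where-Object { $_.ConnectorType -eq 'Partner' -and
                   $_.TlsSettings -notin 'CertificateValidation', 'DomainValidation' } |
    Select-Object Name, RecipientDomains, TlsSettings, TlsDomain
```

Empty output from the two review queries means every partner connector enforces TLS inbound and validates the partner certificate outbound.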
Safe listing a partner's IP address
You can add a trusted partner's IP address to a safe list to ensure that messages they send to you are not subject to spam filtering. To do this, you can use the connection filter's IP Allow list. For more information, see Configure the connection filter policy.
Conditional mail routing
You can configure a connector with a Transport rule that routes mail to a specific site, based on conditions. For more information, see Scenario: Conditional email routing.
Hybrid mail routing
Hybrid means that you host a portion of your mailboxes on premises, and a portion in the cloud (Exchange Online). You can move from a standalone (on-premises) deployment to a hybrid deployment.
If you have a hybrid deployment, you can protect your cloud and on-premises mailboxes with EOP. Standalone licenses are required for on-premises mailboxes that are protected by EOP. For more information about mail routing in a hybrid deployment, see Transport routing in Exchange hybrid deployments.
The Microsoft Exchange Server Deployment Assistant also provides detailed hybrid deployment provisioning and hybrid message transport guidance.
Administration and management in Exchange Online Protection
This article describes management interfaces that are available to Microsoft Exchange Online Protection (EOP) administrators.
Access to the Microsoft 365 admin center
The Microsoft 365 admin center is the web portal from which each company's service administrator can manage user accounts and settings for each of the Microsoft services to which they subscribe. From within the Microsoft 365 admin center, administrators can follow links to the EAC, where they can manage settings specific to EOP.
Access to the Exchange admin center
The Exchange admin center (EAC) is a single unified management console that allows for ease of use and is optimized for all types of deployments. The new and improved EAC replaces the Forefront Online Protection for Exchange Administration Center. EAC provides a tighter integration with Microsoft 365 and a consistent, seamless UI experience across Exchange products (Microsoft Exchange Online and Microsoft Exchange Server 2013). For more information about the EAC, see Exchange Admin Center in Exchange Online Protection.
Remote Windows PowerShell access
Administrators can use Remote Windows PowerShell to perform management tasks from the command line. For more information about how to use Windows PowerShell, including information about creating a remote Shell session and documentation about each cmdlet, see Exchange Online PowerShell.
Messaging policy and compliance in Exchange Online Protection
Microsoft Exchange Online Protection (EOP) provides messaging policy and compliance features that can help you manage your email data.
Mail flow rules
Mail flow rules (also known as transport rules) provide you with the flexibility to apply your own company-specific policies to email. Mail flow rules are made up of flexible criteria, which allow you to define conditions, exceptions, and actions to take based on the criteria. For more information, see Mail flow rules (transport rules) in Exchange Online Protection.
Audit logging
Audit logging lets you track specific changes made by administrators to your organization. These reports help you meet regulatory, compliance, and litigation requirements. For more information, see Auditing reports in EOP.
Microsoft Purview data loss prevention
Not available to EOP standalone customers. Data loss prevention (DLP) helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. The DLP feature lets you protect sensitive data without affecting worker productivity.
You can configure DLP policies in the EAC, which allows you to:
Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
Use the full power of existing mail flow rule criteria and actions and add new mail flow rules.
Test the effectiveness of your DLP policies before fully enforcing them.
Incorporate your own custom DLP policy templates and sensitive information types.
Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which the service takes action.
Detect sensitive form data by using Document Fingerprinting. Document Fingerprinting helps you easily create custom sensitive information types based on text-based forms that you can use to define mail flow rules and DLP policies.
Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook 2013, Outlook on the web, and OWA for Devices users and can also improve the effectiveness of your policies by allowing false-positive reporting.
Review incident data in DLP reports or add your own specific reports by using a generate incident report action.
Note
DLP policies are applied only to mail that passes in or out of the organization. Intra-organizational (internal) mail does not have DLP policies applied unless you run Exchange Server 2013 with DLP on-premises. This also applies to DLP policy tips, which inform users about potential policy violations before sensitive data is mistakenly sent to unauthorized recipients.
To learn more about DLP, see Data loss prevention (DLP) in Exchange Online.
Microsoft Purview Message Encryption
Microsoft Purview Message Encryption, a part of Azure Information Protection, is an online service that allows email users to send encrypted email messages to anyone. On-premises customers can access Microsoft Purview Message Encryption by purchasing Azure Information Protection and using Exchange Online Protection to set up mail flow through Exchange Online. To learn more about Microsoft Purview Message Encryption in Exchange Online, see Microsoft Purview Message Encryption in the Exchange Online service description.
Messaging policy and compliance features across EOP options
| Feature | EOP standalone | EOP features in Exchange Online | Exchange Enterprise CAL with Services |
|---|---|---|---|
| Mail flow rules | Yes (1) | Yes (1) | Yes (1, 3) |
| Audit logging | Yes (2) | Yes | Yes |
| Data loss prevention (DLP) | No | Yes | Yes (3) |
| Microsoft Purview Message Encryption | Yes (4) | Yes | Yes (4) |
Note
1 The available mail flow rule conditions, exceptions, and actions differ slightly between EOP and Exchange Online. These differences are noted in Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule actions in Exchange Online.
2 EOP auditing reports are a subset of Exchange Online auditing reports that exclude information about mailboxes.
3 DLP policy tips are not available for Exchange Enterprise CAL with Services customers.
4 Supported for on-premises customers who purchase the Azure Information Protection add-on and use Exchange Online Protection to route email through Exchange Online. For the desktop experience, in addition to the Azure Information Protection add-on, Microsoft 365 Apps for enterprise needs to be purchased.
Reporting and message trace in Exchange Online Protection
Microsoft Exchange Online Protection (EOP) offers many different reports that can help you determine the overall status and health of your organization. Some reports are available in the Microsoft 365 admin center, while others are available in the Exchange admin center (EAC).
Microsoft 365 admin center reports
The Reports page in the Microsoft 365 admin center provides information about message traffic, spam and malware detections, and messages affected by mail flow rules (also known as transport rules) or Microsoft Purview Data Loss Prevention (DLP) policies. The enhanced reports for protection, rules, and DLP offer an interactive reporting experience for EOP admins. These reports provide summary data and the ability to drill down into details about individual messages.
For more detailed information about these reports, see Use mail protection reports to view data about malware, spam, and rule detections.
Reporting using web services
Note
Many of the REST-based reporting features and related cmdlets were deprecated in January 2018. For information about the available replacement Microsoft Graph reports in Office 365, see the subtopics of Working with usage reports in Microsoft Graph.
Not available to EOP standalone customers. You can use the REST/OData Tenant Reporting web service to programmatically collect summary and detailed reports about messaging data, and you can display the data on a web page in a custom web management portal.
Message trace
The message trace feature in the EAC lets you, as an administrator, follow email messages as they pass through EOP. It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. Detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, and validate policy changes, and it reduces the need to contact technical support for assistance. For more information, see Run a message trace and view the results in the Exchange admin center.
Recipient, domain, and company management in Exchange Online Protection
Microsoft Exchange Online Protection (EOP) offers several means of managing your recipient, domain, and company information. As an administrator, you can perform certain management tasks within the Exchange admin center (EAC), and verify other management tasks performed in the Microsoft 365 admin center.
Mail recipients
Mail recipients are categorized as mail users or groups and can be managed through directory synchronization, directly in the EAC, or via remote Windows PowerShell. If you're managing your recipients on-premises, you must run directory synchronization in order for your mail recipients to be reflected in the EAC. Users managed solely in the Microsoft 365 admin center aren't viewable in the EAC, but they can be added to or removed from membership in an administrator role group in the EAC. For more information about recipients in EOP, see Recipients in EOP.
Admin role group permissions
In EOP, you can configure administrative roles only. Users can be added to and removed from default admin role groups directly in the EAC. No RBAC customization is available. For more information, see Manage Admin Role Group Permissions in EOP.
Domain management
Managed domains are domains that are protected by EOP. Managed domains can be viewed and domain types can be edited in the EAC. Domain provisioning and management occur in the Microsoft 365 admin center, and changes are reflected in the EAC. For more information, see View or Edit Managed Domains in EOP.
Match subdomains
In EOP, you can enable mail flow to subdomains of a managed domain. For more information, see Enable Email Flow for Subdomains in EOP.
Directory Based Edge Blocking (DBEB)
The Directory Based Edge Blocking feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Microsoft and block all messages sent to email addresses that aren't present in Microsoft. If a message is sent to a valid email address present in Microsoft, the message continues through the rest of the service filtering layers (anti-malware, anti-spam, transport rules). If the address is not present, the service blocks the message before filtering even occurs, and a non-delivery report (NDR) is sent to the sender informing them that their message was not delivered.
Enabling DBEB requires some user and domain configuration. For more information, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.