Exchange Online Protection (EOP): what it does, how it works, its main features and its limitations


Source: Microsoft

All emails (inbound and outbound) processed by EOP go through four stages of filtering:

Connection filtering

This first step checks the reputation of the sender. Depending on the connection filtering rules set by your organization, the email is either accepted or rejected, depending on the senders’ IP addresses. Most unsolicited spam emails are filtered out at this stage.


The next step is to scan the emails for malware. If the message or attachment(s) contain malware, the email is quarantined. By default, only administrators can access email quarantined by malware; however, they can use quarantine policies to define what users can do with quarantined messages.

Filtering mail flow policies and rules

During this step, the email goes through policy filtering. Here, the email is checked against mail flow rules or transport rules that your organization has set. Your organization can create custom rules for incoming email. For example, configure EOP to automatically delete emails from a specific sender or warn users of potentially harmful content based on keywords.

Content filtering

This is the last step where the email is scanned against anti-spam and anti-spoofing policies. Messages deemed harmful are identified as spam, high-trust spam, phishing, high-trust phishing, bulk, or spoofing. You can configure settings to specify actions to be taken based on content filtering results, such as quarantine, send to Junk Email folder, and more.

Main features of Exchange Online Protection

EOP includes several security features to effectively combat email-related threats. Some of the key features are listed below:

Protective Features

EOP helps protect against malware and other potential email threats that could compromise your organization’s security.

  • Malware filter: Help protect your emails with multi-layered malware protection. EOP is designed to identify and stop viruses, spyware and ransomware.
  • Spam filter: EOP anti-spam technology protects you from spam and fraudulent email threats.
  • Connection filter: The EOP connection filter helps identify the source of mail servers based on their IP addresses.
  • Anti-Phishing: You can create and use custom anti-phishing policies to keep sophisticated threats away from your mailbox, including identifying spoofing and impersonation.
  • Anti-spoofing: EOP uses anti-spoofing technology to scan the “From” header in the body of the email to validate its authenticity. EOP blocks messages that standard email authentication methods and sender reputation techniques fail to validate.

Quarantine and submission features

The Quarantine and Submission features in EOP allow users to perform specific actions on quarantined messages and submit emails for analysis.

  • Quarantine: Quarantined messages can be potentially dangerous. Administrators can manage these messages and files, such as releasing or deleting all quarantined messages. They can also use quarantine policies to specify what users can do with quarantined messages.
  • Submissions: Administrators can use the Submissions Portal to send suspicious emails, URLs, and attachments to Microsoft for analysis.

Mail flow features

Mail flow rules, also known as transport rules in Exchange Online, identify and perform specific actions on email that enters your organization’s mailbox.

  • Mail flow rules: These rules include conditions, exceptions, and actions that give you greater flexibility in handling messages.
  • Accepted domains: Domains added to Microsoft 365 or Office 365 are called accepted domains. Accepted domain users can send and receive email.
  • Connectors: The Exchange Online Protection overview documentation defines connectors as “a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization.”

Monitoring functions

EOP helps you monitor, report, and trace messages.

  • Message tracking: This function lets you know if a message has been received, rejected, deferred or delivered. Besides showing what happened to the email, it also shows what actions were taken on the email.
  • Email reporting and collaboration: Email Security reports provide detailed information on how Microsoft 365 anti-spam, anti-malware, and encryption features help protect your organization.
  • Alert Rules: You can create alert policies or use the default alert policies to keep tabs on activity such as phishing attacks, unusual file deletion, or external sharing. You can view alerts triggered when certain activities match the terms of an alert policy.

What are the limits of Exchange Online Protection?

Although EOP provides several email security features, it also has some limitations regarding end-user control and combating emerging threats. EOP contributes to email hygiene by filtering spam and sending malicious messages to quarantine. However, users can still access these messages, increasing the risk of leaking potentially dangerous messages that were previously blocked and quarantined.

Despite the EOP email security service, Egress’ Outbound Email: Microsoft 365’s Security Blind Spot report found that 85% of organizations using Microsoft 365 experienced an email data breach in 2020. A Gartner report noted that its customers have consistently expressed dissatisfaction with EOP and ATP, citing the need for third-party protection.

Superior Microsoft 365 Data Protection with Spanning

Microsoft 365 is the most popular target and vector for phishing attacks. Around 90% of incidents that end in a data breach begin with a phishing email. While it’s essential to have a strong defense in place against phishing and other email-related threats, a security breach due to human error or misconfiguration can render data unrecoverable. That’s why backing up your valuable Microsoft 365 data is important to avoid costly downtime and data loss and to maintain business continuity.

Spanning Backup for Microsoft 365 protects all your data from Exchange Online, SharePoint Online, OneDrive and Microsoft Teams with cloud-to-cloud backup and recovery.

To learn more about Microsoft 365 data protection and best practices for Microsoft 365 business continuity, download our eBook.

Download the e-book


Comments are closed.