Securing Email with Exchange Online Protection and Defender for Office 365

Microsoft 365 services provide email protection against spoofing and phishing attacks, spam, and malware with Exchange Online Protection (EOP). EOP provides email security through a combination of techniques, including:

  • IP and URL reputation
  • domain reputation
  • spam filtering
  • malware filtering
  • content filtering
  • connection filtering
  • spoof intelligence

All Microsoft 365 organizations include EOP if they have Exchange Online mailboxes. EOP is also available as a standalone product to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes.

How Exchange Online Protection works

The following graphic displays how EOP processes incoming email:

Diagram showing how Exchange Online Protection processes incoming email.
  1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender’s reputation. EOP stops most spam at this point and rejects the message.
  2. EOP then inspects the message for malware. If EOP finds malware in the message or the attachment(s), it sends the message to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use quarantine policies to specify what users can do to quarantined messages.
  3. The message continues through policy filtering. EOP evaluates it against any mail flow rules (also known as transport rules) that you created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.
  4. In an on-premises organization with Exchange Enterprise CAL with Services licenses, Microsoft Purview Data Loss Prevention (DLP) checks in EOP also occur at this point.
  5. The message passes through content filtering (anti-spam and anti-spoofing), which identify harmful messages as either:
    • spam
    • high confidence spam
    • phishing
    • high confidence phishing
    • bulk (anti-spam policies)
    • spoofing (spoof settings in anti-phishing policies)
  6. You can configure the action to take on the message based on:
    • the filtering verdict (quarantine, move to the Junk Email folder, and so on)
    • what users can do to the quarantined messages using quarantine policies.

EOP sends a message that successfully passes every protection layer to the recipients.

Extend EOP functionality with Microsoft Defender for Office 365

As hackers around the globe launch increasingly sophisticated attacks, organizations need tools that provide extra protection. A typical outbreak consists of two parts:

  • A zero-day attack (malware with unknown signatures).
  • An elongated period of attack.

Traditional anti-virus/anti-spam solutions can’t protect against a zero-day attack, which means attackers can go unnoticed.


The most efficient solution for email security in Microsoft 365 is when the protection provided by EOP is extended by enabling Microsoft Defender for Office 365 in the tenant.

Microsoft Defender for Office 365 is a collection of features designed to combat advanced targeted threats, such as:

  • zero-day malware attacks
  • certain types of phishing campaigns
  • malicious URLs embedded in email and documents

The Microsoft Defender for Office 365 policies that an organization defines determine the behavior and protection level for predefined threats. The policy options offer extreme flexibility. For example, an organization’s security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It’s important to review your policies regularly because new threats and challenges emerge daily.

Key features in Microsoft Defender for Office 365 include:

  • Safe Attachments. Protects against zero-day malicious attachments by opening a suspected, unknown attachment in a special hypervisor environment and testing for malicious activity. It’s designed to detect malicious attachments even before anti-virus signatures are available.
  • Safe Links. Provides time-of-click protection, which prevents users from going to malicious web sites and phishing scams when they select links in email and documents.
  • Spoof intelligence. Detects when a sender appears to be sending mail on behalf of one or more user accounts within one of your organization’s domains. It enables you to review all senders who are spoofing your domain. You can then choose to allow the sender to continue or block the sender. Spoof intelligence is available in the Microsoft 365 Defender portal on the Anti-spam settings page (Email & collaboration > Policies & rules > Threat policies > Anti-spam in the Policies section**)**
  • Quarantine. EOP sends messages to quarantine that it identifies as either:
    • spam
    • bulk mail
    • phishing mail
    • containing malware
    • they matched a mail flow rule
    By default, Microsoft 365 sends phishing messages and messages containing malware directly to quarantine. Authorized users can review, delete, or manage email messages sent to quarantine.
  • Anti-phishing policies. Applies a set of machine learning models together with impersonation detection algorithms to incoming messages. This process provides protection from commodity and spear phishing attacks. All messages are subject to an extensive set of machine learning models that detect phishing messages. They’re also subject to a set of advanced algorithms used to protect against various user and domain impersonation attacks. Anti-phishing features within Microsoft Defender for Office 365 protect your organization according to policies that your Microsoft 365 Global or Security administrators set.

The following graphic shows EOP and the primary Microsoft Defender for Office 365 features against threats that are incoming through email.

Diagram showing how Exchange Online Protection acts against threats that are incoming through email.

Microsoft Defender for Office 365 Plan 1 and Plan 2

Two plans are available for Microsoft Defender for Office 365. The following table summarizes the features in each plan.

Defender for Office 365 Plan 1 Defender for Office 365 Plan 2
Configuration, protection, and detection capabilities:

– Safe Attachments
– Safe Links
– Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
– Anti-phishing protection in Defender for Office 365
– Real-time detections
Defender for Office 365 Plan 1 capabilities

— plus —

Automation, investigation, remediation, and education capabilities:

– Threat Trackers
– Threat Explorer
– Automated investigation and response
– Attack simulation training
– Proactively hunt for threats with advanced hunting in Microsoft 365 Defender
– Investigate incidents in Microsoft 365 Defender
– Investigate alerts in Microsoft 365 Defender

Use threat investigation and response capabilities

Microsoft Defender for Office 365 Plan 2 includes best-of-class threat investigation and response tools. These features enable your organization’s security team to anticipate, understand, and prevent malicious attacks.

  • Threat trackers. Provides the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.
  • Threat Explorer. Provides real-time reporting that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.
  • Attack simulation training. Allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available. Simulation scenarios include spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.