MS-102 | Chapter 15 of 104 | Objective 3.2

Exchange Online Protection and Anti-Phishing

This chapter covers Exchange Online Protection (EOP) and anti-phishing capabilities within Microsoft 365, which are core components of the security stack tested in the MS-102 exam. Understanding how EOP filters mail, detects malware, and blocks phishing attempts is essential, as questions on threat protection typically account for 15-20% of the exam. We will dissect the layered filtering process, default policies, and configuration options for anti-phishing, safe attachments, and safe links, with emphasis on exam-critical details like policy precedence, spoof intelligence, and impersonation protection.

25 min read
Intermediate
Updated May 31, 2026

Mail Room Security with OCR and Image Analysis

Think of Exchange Online Protection (EOP) and anti-phishing as a corporate mail room that processes every incoming letter and package. The mail room has multiple layers of inspection. First, a clerk checks the sender's address against a blocklist (IP Allow/Block lists). Then, each envelope passes through a high-speed scanner that looks for known malicious patterns — like a specific return address or suspicious barcode (signature-based malware detection). Next, a more advanced scanner examines the envelope's texture and weight, flagging anything that feels abnormal (heuristic analysis). After that, every letter is opened and the content is analyzed by a team of experts who look for deceptive language, urgent requests, and mismatched URLs (anti-phishing). Finally, a separate team inspects attachments by opening them in a sandbox — a sealed glass room — to see if they behave maliciously (safe attachments). If any layer flags the item, it is either quarantined or delivered with a warning label. The entire process happens in seconds, and each layer is tuned with specific thresholds (e.g., bulk complaint level, spoof intelligence) that administrators can adjust via policies. Just as a mail room can be bypassed if an attacker uses a trusted courier (compromised legitimate sender), EOP can be tricked by sophisticated phishing that mimics trusted domains — hence the need for advanced anti-phishing policies and user reporting.

How It Actually Works

What is Exchange Online Protection (EOP)?

Exchange Online Protection (EOP) is the cloud-based email filtering service that protects Exchange Online mailboxes from spam, malware, and phishing. It is built into every Microsoft 365 subscription that includes Exchange Online, whether standalone or part of a suite. EOP operates as a series of filtering layers that process inbound email before it reaches the user's mailbox. The layers are applied in a fixed order: connection filtering, anti-malware, anti-spam, anti-phishing, and then transport rules (mail flow rules). Each layer can quarantine, reject, or allow messages based on policy settings.

How EOP Works Internally

When an external sender sends an email to a Microsoft 365 recipient, the message first arrives at a Microsoft datacenter edge server. The server performs connection filtering by checking the sending IP against IP Allow and IP Block lists (manually configured or from threat intelligence feeds). If the IP is blocked, the connection is refused at the SMTP level. If allowed, the message proceeds to anti-malware scanning.

Anti-malware scanning uses multiple engines (Microsoft Defender Antivirus and optionally a third-party engine) to check attachments and the message body for known malware signatures. If malware is detected, the message is quarantined or deleted based on policy. If clean, the message moves to anti-spam filtering.

Anti-spam filtering (historically built on SmartScreen technology, since replaced by machine learning models) assigns a spam confidence level (SCL) from -1 (not spam) to 9 (definitive spam). The SCL is based on content analysis, sender reputation, and bulk email characteristics. Messages with SCL 5-6 are marked as spam and sent to the Junk Email folder; SCL 7-9 are typically quarantined. Bulk email is assigned a Bulk Complaint Level (BCL) from 0 to 9; by default, BCL 7+ is treated as spam.

Anti-phishing filtering comes next, but it is actually split into two parts: the default anti-phishing policy (built into EOP) and advanced anti-phishing policies (part of Microsoft Defender for Office 365 Plan 1 or 2). The default policy includes spoof intelligence and mailbox intelligence. Spoof intelligence analyzes sender behavior to detect forged senders (e.g., a message claiming to be from your CEO but actually from a different domain). Mailbox intelligence learns from user interactions (e.g., users reporting messages as phishing) and adjusts filtering.

Finally, transport rules (mail flow rules) can be applied to modify or redirect messages based on conditions.

Key Components, Values, Defaults, and Timers

IP Allow/Block Lists: Up to 1273 entries per list. You can add IP addresses or CIDR ranges. These are checked first.

Spam Confidence Level (SCL): Range -1 to 9. Default threshold for quarantine is 7 (for high confidence spam). For junk folder, SCL 5-6. SCL -1 means the message bypassed spam filtering (e.g., from a safe sender).

Bulk Complaint Level (BCL): Range 0 to 9. Default threshold for spam is 7. BCL is based on feedback from ISPs about the sending domain.

Quarantine Retention: Default 30 days for spam, malware, and phishing. Administrators can adjust retention up to 30 days for all types.

End-user Spam Notifications: Enabled by default. Users receive periodic digests (every 3 days) of quarantined messages they can release.

Spoof Intelligence: Enabled by default in the default anti-phishing policy. It automatically blocks spoofed senders unless they are authenticated (SPF, DKIM, DMARC).

Impersonation Protection (Defender for Office 365 only): Requires configuration of protected users (e.g., CEO, CFO) and protected domains (e.g., your own domain, partner domains). It uses machine learning to detect impersonation attempts in display names and email addresses.

Configuration and Verification Commands

Administrators manage EOP via the Microsoft 365 Defender portal (security.microsoft.com) or PowerShell (Exchange Online PowerShell).

PowerShell Examples

To view the default anti-spam policy:

# Requires the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session
Get-HostedContentFilterPolicy -Identity Default

To modify the spam actions and the bulk threshold (the action taken at the spam and high confidence spam verdicts, and the BCL at which mail is treated as bulk):

# -SpamAction applies to SCL 5-6, -HighConfidenceSpamAction to SCL 7-9; -BulkThreshold defaults to 7
Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine -BulkThreshold 7

To view anti-phishing policies:

Get-AntiPhishPolicy | Format-List Name, Enabled, EnableSpoofIntelligence, EnableTargetedUserProtection, EnableTargetedDomainsProtection, EnableMailboxIntelligence

To enable impersonation protection for a user:

# The built-in policy is named "Office365 AntiPhish Default"; each protected user is given as "DisplayName;EmailAddress"
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -EnableTargetedUserProtection $true -TargetedUsersToProtect "CEO;CEO@contoso.com","CFO;CFO@contoso.com" -TargetedUserProtectionAction Quarantine

To view quarantine:

Get-QuarantineMessage | Format-Table ReceivedTime, SenderAddress, RecipientAddress, Type

Interaction with Related Technologies

EOP works closely with Microsoft Defender for Office 365 (MDO), which adds Safe Attachments, Safe Links, and advanced anti-phishing. Safe Attachments uses detonation chambers (sandbox) to open attachments in a virtual environment before delivery. Safe Links wraps URLs to check them at click time against a dynamic blocklist. Advanced anti-phishing adds impersonation protection and machine learning models that detect phishing patterns beyond spoofing.

EOP also integrates with mail flow rules (transport rules) to apply custom logic. For example, you can create a rule that appends a disclaimer to messages that bypass spam filtering.

Default Policies and Precedence

Every tenant has a default policy for each EOP component (anti-spam, anti-malware, anti-phishing). These policies apply to all recipients unless overridden by custom policies. Custom policies have priority over the default. Priority is numeric (1 is highest). If multiple policies apply to the same recipient, the one with the highest priority wins. Policies can be scoped to specific users, groups, or domains.

Exam-Critical Numbers

Default spam quarantine threshold: SCL 7 (high confidence spam).

Default bulk threshold: BCL 7.

Quarantine retention: 30 days (cannot be changed for malware and phishing; for spam, you can set 1-30 days).

IP Allow/Block list limit: 1273 entries.

Safe Links URL wrapping: applies to messages from both internal and external senders (if policy is configured).

Safe Attachments: supports up to 10MB attachment size for detonation (larger files are bypassed).

Trap Patterns on the Exam

Candidates often confuse anti-spam and anti-phishing policies. Remember: anti-spam handles bulk and spam (SCL/BCL), while anti-phishing handles spoofing and impersonation. Also, the default anti-phishing policy does NOT include impersonation protection — that requires Defender for Office 365. Another trap: IP Allow list bypasses all filtering (including anti-malware) for that sender, which is a security risk. The exam tests that IP Block list applies at connection level, not after filtering.

Walk-Through

1. Connection Filtering: IP Reputation Check

The sending mail server's IP address is checked against the tenant's IP Allow and IP Block lists. If the IP is on the Block list, the SMTP connection is refused with a 550 error. If on the Allow list, the message bypasses all subsequent filtering layers. This is the first line of defense and is based solely on IP reputation. Connection filtering also uses Microsoft's threat intelligence feeds to block known malicious IPs automatically. Administrators can add up to 1273 entries per list. Note that IP Allow is a double-edged sword: it can allow legitimate bulk mailers but also bypass malware scanning.

2. Anti-Malware Scanning: Signature and Heuristic Analysis

The message is scanned by multiple anti-malware engines (Microsoft Defender and optionally a third-party engine). The engines check attachments and the message body for known malware signatures. If a match is found, the message is quarantined or deleted based on the anti-malware policy. Heuristic analysis looks for suspicious behavior (e.g., macros, obfuscated scripts). If the attachment is over 10MB, it is bypassed. The default action for malware is to quarantine the entire message. Administrators can choose to also notify recipients or send a copy to a specified email address.

3. Anti-Spam Filtering: SCL and BCL Assignment

The message content, headers, and sender reputation are analyzed to assign a Spam Confidence Level (SCL) from -1 to 9 and a Bulk Complaint Level (BCL) from 0 to 9. SCL -1 means the message is from a safe sender or passed through a mail flow rule that bypasses spam filtering. SCL 5-6 moves the message to the recipient's Junk Email folder. SCL 7-9 quarantines the message. BCL 7+ triggers spam action. Default actions: SCL 5-6 -> move to Junk, SCL 7-9 -> quarantine. Administrators can set the threshold for quarantine (e.g., SCL 5 instead of 7). The spam filtering also uses machine learning models trained on millions of messages.

4. Anti-Phishing: Spoof and Impersonation Detection

The default anti-phishing policy checks for spoofed senders using SPF, DKIM, and DMARC validation. If a message fails authentication, it may be flagged as spoofed. Spoof intelligence automatically allows or blocks senders based on historical behavior. If you have Defender for Office 365, advanced anti-phishing policies add impersonation protection: it compares the sender's display name and email address against a list of protected users (e.g., executives) and domains. Machine learning models detect lookalike domains (e.g., contoso.com vs c0ntoso.com). If impersonation is detected, the message is quarantined or redirected. The exam tests that impersonation protection must be explicitly configured.

5. Transport Rules and Final Delivery

After all filtering layers, mail flow rules (transport rules) can apply additional actions, such as adding a disclaimer, redirecting messages to a moderator, or blocking specific attachments. These rules are processed in order of priority. Finally, the message is delivered to the recipient's mailbox. If the message was quarantined at any step, it is stored in the quarantine and the recipient (if end-user notifications are enabled) receives a digest every 3 days. Administrators can also release messages manually. The quarantine retention is 30 days for all message types.
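Each of the five layers above records its verdict in the X-Forefront-Antispam-Report header that EOP stamps on every delivered message, so the header is the place to confirm which layer acted and why a message landed where it did. The following example is added here and is not part of the course text: it parses that header (copied from Outlook's message header view or a quarantine preview) and maps the SCL and BCL values to the default actions described in the walk-through. The header samples are constructed; the field names (CIP, SCL, BCL, SFV, CAT, DIR) are the real ones EOP writes, and the BulkThreshold parameter mirrors the default of 7.

```powershell
# Added example: read the EOP verdict from X-Forefront-Antispam-Report and map it to the default actions.
# Header samples below are constructed; field names are the real ones EOP stamps on delivered mail.

function ConvertFrom-AntispamReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    # The header is a semicolon-separated list of KEY:VALUE pairs
    $report = @{}
    foreach ($pair in $HeaderValue -split ';') {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $report[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        ConnectingIP = $report['CIP']
        SCL          = [int]$report['SCL']
        BCL          = if ($report.ContainsKey('BCL')) { [int]$report['BCL'] } else { 0 }
        SpamVerdict  = $report['SFV']   # NSPM = not spam, SPM = spam, SKI/SKN/SKA = filtering skipped
        Category     = $report['CAT']   # NONE, SPM, HSPM, PHSH, HPHSH, BULK, MALW, SPOOF ...
        Direction    = $report['DIR']   # INB = inbound, OUT = outbound, INT = internal
    }
}

function Get-DefaultEopAction {
    param([int]$Scl, [int]$Bcl, [int]$BulkThreshold = 7)
    # Default mapping from the walk-through: -1 bypassed, 0-4 deliver, 5-6 Junk, 7-9 quarantine;
    # BCL at or above the bulk threshold (default 7) is treated as bulk/spam.
    if ($Scl -eq -1) { return 'Deliver (spam filtering bypassed by safe sender or mail flow rule)' }
    if ($Scl -ge 7)  { return 'Quarantine (high confidence spam)' }
    if ($Scl -ge 5)  { return 'Move to Junk Email folder (spam)' }
    if ($Bcl -ge $BulkThreshold) { return "Move to Junk Email folder (bulk, BCL $Bcl >= $BulkThreshold)" }
    return 'Deliver to Inbox'
}

# Constructed sample headers, one per verdict type
$samples = @(
    'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.example.net;PTR:mail.example.net;CAT:NONE;SFS:(1234)(5678);DIR:INB;',
    'CIP:198.51.100.25;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:news.example.org;PTR:news.example.org;CAT:SPM;DIR:INB;',
    'CIP:192.0.2.77;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:bad.example;PTR:bad.example;CAT:HSPM;DIR:INB;',
    'CIP:203.0.113.55;CTRY:US;LANG:en;SCL:1;BCL:8;SRV:;IPV:NLI;SFV:NSPM;H:promo.example.com;PTR:promo.example.com;CAT:BULK;DIR:INB;',
    'CIP:203.0.113.90;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:partner.example;PTR:partner.example;CAT:NONE;DIR:INB;'
)

foreach ($h in $samples) {
    $v = ConvertFrom-AntispamReport -HeaderValue $h
    '{0,-15} SCL={1,2} BCL={2} SFV={3,-4} CAT={4,-5} => {5}' -f $v.ConnectingIP, $v.SCL, $v.BCL,
        $v.SpamVerdict, $v.Category, (Get-DefaultEopAction -Scl $v.SCL -Bcl $v.BCL)
}
```

When a user reports a false positive, compare the SFV and CAT fields with the SCL: SFV:SKI or SKA with SCL -1 shows that a mail flow rule or allowed sender skipped filtering, which is exactly the trail an auditor looks for when an allow entry is later abused.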

What This Looks Like on the Job

Enterprise Scenario 1: Protecting Against CEO Fraud

A multinational corporation with 50,000 users wants to prevent attackers from impersonating the CEO to request wire transfers. The security team configures an advanced anti-phishing policy in Defender for Office 365 Plan 2. They add the CEO's email address and display name to the protected users list, and the company's domain to the protected domains list. They also enable mailbox intelligence to learn from user-reported phishing. The policy is set to quarantine impersonation messages and notify the security team. In production, the policy catches a phishing email where the display name is exactly the CEO's name but the email address is ceo@c0ntoso.com (note the zero). The message is quarantined, and the security team investigates. Without impersonation protection, the email would have reached the CFO's inbox. The team also enables Safe Links to wrap URLs in all messages, so that even if a phishing link is clicked, the user is redirected to a warning page if the URL is later found malicious.
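The same Scenario 1 configuration expressed in Exchange Online PowerShell, as an added example that is not part of the course page and not Microsoft's own sample: it creates the custom anti-phishing policy with targeted user and domain protection, binds it to recipients with a rule, and adds the Safe Links policy the scenario mentions. The display names, addresses, domain and policy names are placeholders; the tenant is assumed to hold Defender for Office 365 and an active Connect-ExchangeOnline session.

```powershell
# Added example: Scenario 1 (CEO fraud) as a custom anti-phishing policy plus Safe Links.
# All names, addresses and domains are placeholders; requires Defender for Office 365.

$policyName = 'Exec Impersonation Protection'
$protectedUsers = @(
    'Alex Wilber;ceo@contoso.com',   # "DisplayName;EmailAddress" is the format -TargetedUsersToProtect expects
    'Megan Bowen;cfo@contoso.com'
)

New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect 'contoso.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2

# A policy does nothing until a rule scopes it; Priority 0 is evaluated before any other custom policy
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Safe Links: URLs are wrapped at delivery and re-checked at click time, for internal senders too
New-SafeLinksPolicy -Name 'All users Safe Links' `
    -EnableSafeLinksForEmail $true -EnableForInternalSenders $true `
    -ScanUrls $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'All users Safe Links rule' -SafeLinksPolicy 'All users Safe Links' `
    -RecipientDomainIs 'contoso.com'

# Verify the impersonation settings actually landed on the new policy
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, EnableTargetedUserProtection, TargetedUsersToProtect, TargetedUserProtectionAction,
                EnableTargetedDomainsProtection, TargetedDomainsToProtect, EnableMailboxIntelligenceProtection
```

The safety-tip switches are kept on deliberately: a quarantined lookalike such as ceo@c0ntoso.com never reaches the CFO, but the tips also warn users about near-misses that fall below the quarantine threshold.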

Enterprise Scenario 2: Handling Bulk Email and False Positives

A large e-commerce company receives high volumes of marketing emails that are often misclassified as spam. The administrators adjust the bulk complaint level threshold from 7 to 6 to reduce false positives, but then legitimate newsletters start landing in the Junk folder. They instead create a custom anti-spam policy for a specific group of users who need all bulk email, with a higher threshold (BCL 8). They also set up a mail flow rule that bypasses spam filtering for emails from specific trusted domains. To monitor false positives, they enable end-user spam notifications so users can release quarantined messages. The security team reviews the quarantine reports weekly to fine-tune the IP Allow list and sender reputation. They also configure spoof intelligence to automatically allow senders that are legitimate but fail SPF (e.g., third-party email marketing services).
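The Scenario 2 setup in Exchange Online PowerShell, as an added example (not the course page's own commands) that also illustrates the precedence rules from the "Default Policies and Precedence" section: a custom anti-spam policy with BCL 8 is scoped to a group through a rule with priority 0, a mail flow rule bypasses spam filtering only for trusted senders, and the resulting rule order is listed. The group address, sender domains and policy names are placeholders; an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example: Scenario 2 (bulk email for one group) with custom policy, scoping rule and precedence check.
# Group, domain and policy names are placeholders.

$policyName = 'Marketing - allow bulk mail'
$group      = 'marketing-bulk-readers@contoso.com'   # recipients who need all bulk mail

# 1. Custom anti-spam policy: bulk threshold raised to BCL 8, other actions kept at the chapter's defaults
New-HostedContentFilterPolicy -Name $policyName `
    -BulkThreshold 8 -BulkSpamAction MoveToJmf `
    -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine

# 2. Scope it: the rule binds the policy to the group. Priority 0 wins over every other custom rule,
#    and any custom rule wins over the Default policy, which has no rule and is applied last.
New-HostedContentFilterRule -Name "$policyName rule" -HostedContentFilterPolicy $policyName `
    -SentToMemberOf $group -Priority 0

# 3. Bypass spam filtering only (SCL -1) for trusted third-party senders, and only when the message
#    also passed DMARC, so a spoof of the trusted domain is not waved through. Malware scanning still
#    runs because mail flow rules are evaluated after the anti-malware layer.
New-TransportRule -Name 'Bypass spam filtering for trusted newsletters' `
    -SenderDomainIs 'newsletters.example.net','mailer.example.org' `
    -HeaderContainsMessageHeader 'Authentication-Results' -HeaderContainsWords 'dmarc=pass' `
    -SetSCL -1

# 4. Review the resulting precedence: lower number = evaluated first
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Priority, Name, HostedContentFilterPolicy, SentToMemberOf, State

# 5. Confirm the Default policy still protects everyone outside the group at BCL 7
Get-HostedContentFilterPolicy -Identity Default |
    Format-List Name, IsDefault, BulkThreshold, SpamAction, HighConfidenceSpamAction
```

The DMARC condition on the bypass rule is a design choice rather than something the scenario requires; without it, anyone able to forge the trusted domain inherits the SCL -1 bypass.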

Scenario 3: Compliance with Data Privacy Regulations

A financial services firm must ensure that all email attachments are scanned for malware before delivery, but they also need to protect sensitive data from being exfiltrated via email. They enable Safe Attachments with the 'Dynamic Delivery' option, which sends a placeholder attachment while the real attachment is being scanned. If the scan is clean, the real attachment is made available. This allows users to read the message body immediately. However, they must be aware that Dynamic Delivery does not protect against zero-day malware in the attachment body itself. They also configure anti-phishing policies to quarantine messages that contain specific keywords (e.g., 'wire transfer', 'confidential') using transport rules. The security team uses the Threat Explorer in Defender for Office 365 to investigate phishing incidents and track user clicks on malicious URLs.
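Scenario 3 in Exchange Online PowerShell, added here as an example that is not part of the course page: a Safe Attachments policy using Dynamic Delivery with detected malware redirected to the security mailbox, a mail flow rule that quarantines external messages carrying the sensitive keywords, and a compensating rule for the 10MB detonation limit the chapter notes. Mailbox addresses, keywords, domains and policy names are placeholders; Defender for Office 365 and an active Connect-ExchangeOnline session are assumed.

```powershell
# Added example: Scenario 3 controls. Names, addresses and keywords are placeholders;
# requires Defender for Office 365 for the Safe Attachments cmdlets.

# 1. Safe Attachments with Dynamic Delivery: the body is delivered immediately and attachments follow
#    once detonation completes. Files found malicious are redirected to the security mailbox.
New-SafeAttachmentPolicy -Name 'Finance Safe Attachments' -Enable $true `
    -Action DynamicDelivery -Redirect $true -RedirectAddress 'secops@contoso.com'
New-SafeAttachmentRule -Name 'Finance Safe Attachments rule' `
    -SafeAttachmentPolicy 'Finance Safe Attachments' -RecipientDomainIs 'contoso.com'

# 2. Mail flow rule: quarantine external messages whose subject or body contains the sensitive keywords.
#    Mail flow rules run after all filtering layers, so this complements rather than replaces anti-phishing.
New-TransportRule -Name 'Quarantine external wire-transfer keywords' `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords 'wire transfer','confidential' `
    -Quarantine $true

# 3. Compensating control for the 10MB detonation limit: attachments that size would bypass the sandbox,
#    so reject them from external senders instead of delivering them unscanned.
New-TransportRule -Name 'Reject large external attachments' `
    -FromScope NotInOrganization `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText 'Attachments over 10 MB are not accepted from external senders'

# Verify
Get-SafeAttachmentPolicy -Identity 'Finance Safe Attachments' |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-TransportRule | Where-Object { $_.Name -like '*external*' } | Format-Table Priority, Name, State
```

Keyword rules are noisy by nature; the quarantine action keeps the message reviewable by the security team, which matches the Threat Explorer workflow the scenario describes better than a silent delete would.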

How MS-102 Actually Tests This

What MS-102 Tests on This Topic

The MS-102 exam objective 3.2 'Implement and manage threat protection' includes EOP and anti-phishing. Specifically, you must know how to configure anti-spam, anti-malware, and anti-phishing policies, and understand the differences between EOP and Defender for Office 365. The exam tests: default actions (quarantine vs. move to Junk), thresholds (SCL, BCL), IP Allow/Block lists, spoof intelligence, impersonation protection, Safe Links, and Safe Attachments. Expect scenario-based questions where you choose the correct policy action.

Common Wrong Answers and Why

1. Choosing 'Move to Junk' for high confidence spam: Many candidates think high confidence spam goes to Junk, but the default is quarantine (SCL 7-9). The exam tests this distinction.

2. Thinking anti-phishing policies include impersonation protection by default: They do not. The default anti-phishing policy only includes spoof intelligence. Impersonation protection requires a custom policy in Defender for Office 365.

3. Selecting 'IP Block list' to block a specific sender domain: The IP Block list blocks by IP, not domain. To block a domain, use a domain block list in the anti-spam policy or a mail flow rule.

4. Assuming Safe Links protects against all malicious URLs: Safe Links checks URLs at click time, but it relies on a dynamic blocklist. It can miss new malicious URLs until they are reported. It is not a substitute for user training.

Specific Numbers and Terms on the Exam

Default SCL quarantine threshold: 7

Default BCL threshold: 7

Quarantine retention: 30 days

IP Allow/Block list limit: 1273 entries

Safe Attachments maximum size for detonation: 10MB

End-user spam notification frequency: every 3 days

Anti-phishing policy types: Default (spoof intelligence) vs. Custom (impersonation)

Edge Cases and Exceptions

If a message is on the IP Allow list, it bypasses ALL filtering, including malware. This is a security risk.

Safe Attachments with Dynamic Delivery: The attachment is replaced with a placeholder. If the scan takes too long, the user may see the placeholder indefinitely.

Spoof intelligence: If a sender is spoofing your own domain, it is automatically blocked unless you explicitly allow it.

Mail flow rules can override quarantine actions? No, mail flow rules run after filtering; they cannot release quarantined messages.

How to Eliminate Wrong Answers

If a question mentions 'impersonation of a specific executive', the answer must involve a custom anti-phishing policy with targeted user protection.

If a question asks about 'bulk email threshold', look for BCL, not SCL.

If a question involves 'blocking a specific sender domain', the answer is not IP Block list but a domain block in anti-spam policy or a mail flow rule.

If a question mentions 'zero-day malware in an attachment', the answer should involve Safe Attachments with detonation (not just signature-based).

Key Takeaways

EOP applies filtering in order: connection filtering, anti-malware, anti-spam, anti-phishing, then transport rules.

Default spam quarantine threshold is SCL 7 (high confidence spam); default bulk threshold is BCL 7.

Quarantine retention is 30 days for all message types (cannot be extended for malware/phishing).

IP Allow list bypasses all filtering; IP Block list rejects at connection level.

Default anti-phishing policy includes spoof intelligence only; impersonation protection requires custom policy in Defender for Office 365.

Safe Links wraps URLs at delivery and checks them at click time; Safe Attachments detonates attachments in a sandbox (max 10MB).

End-user spam notifications are enabled by default and sent every 3 days.

Custom policies have higher priority than default policies; priority is numeric (1 highest).

Mail flow rules run after all filtering layers; they cannot release quarantined messages.

Spoof intelligence automatically blocks spoofed senders unless they are authenticated via SPF, DKIM, DMARC.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

EOP (Exchange Online Protection)

Includes anti-spam, anti-malware, and default anti-phishing (spoof intelligence).

No impersonation protection, Safe Links, or Safe Attachments.

Included in all Exchange Online licenses.

Quarantine retention 30 days for spam, malware, phishing.

Spam filtering uses SCL and BCL thresholds.

Defender for Office 365 (MDO)

Adds advanced anti-phishing (impersonation protection), Safe Links, Safe Attachments, and Threat Explorer.

Safe Attachments uses detonation chambers for zero-day malware.

Requires add-on license (Plan 1 or Plan 2).

Safe Links checks URLs at click time against a dynamic blocklist.

Includes Attack Simulation Training and automated investigation and response (AIR) in Plan 2.

Watch Out for These

Mistake

The default anti-phishing policy protects against impersonation of executives.

Correct

The default anti-phishing policy only includes spoof intelligence and mailbox intelligence. Impersonation protection (targeted user protection) must be explicitly configured in a custom anti-phishing policy, which requires Defender for Office 365 Plan 1 or 2.

Mistake

IP Allow list bypasses only spam filtering, not malware scanning.

Correct

IP Allow list bypasses ALL filtering layers, including anti-malware. This is a significant security risk and should be used sparingly.

Mistake

Safe Links checks all URLs in email at the time of delivery.

Correct

Safe Links wraps URLs at delivery time, but the actual block check occurs when the user clicks the link. The URL is checked against a dynamic blocklist at click time. Safe Links does not perform a static scan of all URLs at delivery.

Mistake

High confidence spam messages are moved to the Junk Email folder by default.

Correct

By default, high confidence spam (SCL 7-9) is quarantined, not moved to Junk. Only spam with SCL 5-6 is moved to Junk. This is a common exam trap.

Mistake

You can use the IP Block list to block emails from a specific domain.

Correct

IP Block list blocks by IP address or CIDR range, not by domain. To block a domain, use the domain block list in the anti-spam policy or create a mail flow rule.


Frequently Asked Questions

What is the difference between anti-spam and anti-phishing policies in EOP?

Anti-spam policies handle bulk email and spam by assigning SCL and BCL values, with actions like move to Junk or quarantine. Anti-phishing policies focus on spoof detection (using SPF, DKIM, DMARC) and, in Defender for Office 365, impersonation protection. The default anti-phishing policy only includes spoof intelligence. Anti-spam policies do not detect spoofing; they rely on content and reputation.

Can I use IP Allow list to ensure delivery of legitimate bulk email?

Yes, but with caution. Adding a sender's IP to the IP Allow list bypasses all filtering, including anti-malware. This can expose users to malware from that sender if the sender is compromised. A better approach is to use the domain allow list in the anti-spam policy or a mail flow rule to bypass spam filtering only while still scanning for malware.
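The weak setting from this answer beside the safer alternative, in Exchange Online PowerShell, as an added example that is not part of the course page: the connection-filter IP Allow entry is shown commented out so it is recognisable in an audit, the allowed sender domain in the anti-spam policy is applied instead, and both allow lists are listed for review. The IP address and domain are placeholders; an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example: IP Allow list (bypasses every layer) versus allowed sender domain (skips the spam verdict only).
# IP and domain values are placeholders.

$senderIp     = '203.0.113.25'             # constructed bulk mailer address
$senderDomain = 'newsletters.example.net'

# WEAK: connection filtering IP Allow list. Mail from this IP skips all later layers, anti-malware included,
# so a compromise of the mailer becomes a direct path into every mailbox. Left commented out on purpose.
# Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $senderIp}

# SAFER: allowed sender domain in the anti-spam policy. The message gets SCL -1 (SFV:SKA in the
# antispam report header) and skips spam filtering, but anti-malware scanning, high confidence phishing
# detection and mail flow rules still run.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Add = $senderDomain}

# Review what is allow-listed at each layer so stale or over-broad entries can be removed
Get-HostedConnectionFilterPolicy -Identity Default | Format-List IPAllowList, IPBlockList
Get-HostedContentFilterPolicy -Identity Default | Format-List AllowedSenderDomains, BlockedSenderDomains

# Roll back the domain allow if the sender is later compromised or the contract ends
# Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Remove = $senderDomain}
```

Whichever allow mechanism is used, the weekly quarantine review the chapter recommends should also walk these two lists, since an allow entry outlives the business reason for it far more often than it is cleaned up.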

How does Safe Attachments handle files larger than 10MB?

Files larger than 10MB are not detonated in the sandbox. They are delivered based on the policy setting: if the policy is set to 'Dynamic Delivery', the attachment is replaced with a placeholder and the user can access it once the scan completes (but for large files, no scan occurs). It is recommended to set the policy to 'Block' for unknown attachments or use a transport rule to block large attachments.

What is the default action for malware detected by EOP?

The default action is to quarantine the entire message. The recipient is not notified by default, but administrators can configure notifications. The quarantine retention is 30 days. You can also choose to delete the message or send a copy to a specified email address.

How do I configure impersonation protection for my CEO?

Impersonation protection requires a custom anti-phishing policy in Defender for Office 365. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing. Create a new policy or edit an existing one. Under 'Impersonation', enable 'Protect users' and add the CEO's email address. You can also protect domains (e.g., your own domain). Set the action to 'Quarantine the message' and enable impersonation safety tips.

What is the difference between spoof intelligence and impersonation protection?

Spoof intelligence detects when a sender forges the From address (e.g., using your domain) and is based on email authentication (SPF, DKIM, DMARC). It is part of the default anti-phishing policy. Impersonation protection detects when a sender attempts to impersonate a specific user (e.g., display name or email address similar to your CEO) using machine learning. It requires a custom policy and Defender for Office 365.

Can users release their own quarantined messages?

Yes, if end-user spam notifications are enabled (default). Users receive a digest every 3 days of messages quarantined as spam or bulk. They can release messages from the digest. However, messages quarantined as malware or phishing cannot be released by users; only administrators can release them.

