MS-900 | Chapter 27 of 104 | Objective 3.1

Exchange Online Protection (EOP)

This chapter covers Exchange Online Protection (EOP), Microsoft's cloud-based email filtering service that protects Exchange Online mailboxes from spam, malware, and phishing attacks. EOP is a core component of Microsoft 365 security and is included in all Microsoft 365 subscriptions that include Exchange Online. On the MS-900 exam, questions on EOP typically appear under objective 3.1 (Describe security capabilities of Microsoft 365) and represent approximately 5-8% of the security domain questions. You will be expected to understand EOP's role, its default protection features, and how it integrates with other Microsoft 365 security tools like Microsoft Defender for Office 365.

25 min read
Intermediate
Updated May 31, 2026

EOP as a Postal Security Hub

Imagine a massive postal distribution center that processes all incoming mail for a large city. Every letter or package arrives at the loading dock, where it first passes through an X-ray scanner that checks for obvious threats like explosives or hazardous materials (malware detection). Next, each piece is examined by a team of inspectors who look at the return address and compare it against a list of known fraudulent senders (anti-spoofing and sender reputation). If the sender is on a global blocklist, the item is turned away at the dock without further processing. For items that pass this check, the inspectors examine the contents of every envelope to see whether it matches the declared description (content filtering). Before the mail is handed to the delivery trucks, a supervisor reviews any suspicious items that were flagged by automated rules (quarantine and admin review). This entire process happens in seconds, and the center can handle millions of pieces per day without slowing down the normal mail flow. If a piece is deemed dangerous, it is held in a secure area (quarantine) and, depending on the rules, the intended recipient is notified. The recipient can request a re-inspection (release from quarantine) or have it permanently destroyed. The center also keeps logs of all inspections for auditing and reporting.

How It Actually Works

What is Exchange Online Protection (EOP)?

Exchange Online Protection (EOP) is Microsoft's cloud-hosted email security service that filters inbound and outbound email traffic for Exchange Online mailboxes. It is designed to protect organizations from spam, malware, and phishing attacks before messages reach user inboxes. EOP is automatically provisioned for every Exchange Online mailbox in Microsoft 365, including standalone Exchange Online plans and all Microsoft 365 subscriptions that include Exchange Online (Business, Enterprise, Education, and Government). It operates at the network edge, inspecting messages in transit and applying a multi-layered defense.

Why EOP Exists

Email remains the most common initial-access vector for phishing and malware. Without a managed filtering service, organizations would need to deploy, configure, and maintain their own email security gateways, which is complex and costly. EOP provides a cloud-native alternative that draws on Microsoft's large-scale telemetry (Microsoft cites trillions of daily security signals across its services), machine learning models, and threat intelligence from the Microsoft Intelligent Security Graph. This allows EOP to adapt rapidly to new threats while keeping false positives low.

How EOP Works Internally

EOP processes every message through a series of filtering layers in a fixed order: connection filtering, anti-malware, mail flow rules, then content filtering (anti-spam and anti-phishing). The layers are:

1.

Connection Filtering: This is the first line of defense. EOP uses the IP allow list and IP block list in the connection filter policy, plus Microsoft's own sender reputation data, to accept or reject connections at the SMTP protocol level. If the sending IP is on a real-time blocklist (RBL) or has a poor reputation score, the connection is rejected before the message is accepted, which reduces load on the later filters. Messages from IPs on the allow list skip spam filtering entirely (but not malware scanning), so that list deserves regular review.

2.

Anti-Malware Filtering: Messages that pass connection filtering are scanned by multiple anti-malware engines that examine the message body, attachments, and embedded objects for known and unknown malware. Any detection quarantines the message; this action cannot be changed, and malware filtering cannot be disabled. The default anti-malware policy also enables the common attachments filter, which treats executable file types such as .exe, .scr, and .vbs as malware regardless of their content.

3.

Mail Flow Rules (Transport Rules): Administrator-defined mail flow rules are evaluated next, before the spam and phishing verdicts. Rules can add disclaimers, redirect or reject messages based on content patterns, or set the spam confidence level (SCL) directly, which is why a rule can override the verdict the content filter would otherwise assign.

4.

Anti-Spam Filtering: The content filter uses machine learning classifiers to evaluate how likely a message is to be spam and stamps a spam confidence level (SCL) in the X-Forefront-Antispam-Report header. EOP itself assigns only the values -1 (filtering skipped), 0 and 1 (not spam), 5 and 6 (spam), and 9 (high-confidence spam); 2-4 and 7-8 are never assigned by the filter, although a mail flow rule can set them. In the default anti-spam policy, spam and high-confidence spam are both moved to the Junk Email folder; the Standard and Strict preset policies quarantine high-confidence spam. Bulk mail receives a separate bulk complaint level (BCL), and the BCL threshold (default 7) is the one numeric threshold an administrator tunes.

5.

Anti-Phishing Filtering: In the same content-filtering stage, EOP evaluates SPF, DKIM, and DMARC for the sender's domain and combines the results into a composite authentication (compauth) verdict. Spoof intelligence, unauthenticated sender indicators, and honoring the sender's DMARC policy are EOP features; a message that fails composite authentication is treated as spoofed and handled according to the anti-phishing policy (Junk Email folder by default). Impersonation protection for specific users and domains, and mailbox intelligence, require Microsoft Defender for Office 365.

Key Components, Values, and Defaults

Default spam actions: in the default anti-spam policy, spam (SCL 5 or 6) and high-confidence spam (SCL 9) are moved to the Junk Email folder, phishing is also moved to Junk Email, and high-confidence phishing is always quarantined. Administrators change the action per verdict in anti-spam policies; the Standard and Strict preset policies quarantine high-confidence spam and phishing.

Quarantine retention period: 30 days for messages quarantined by anti-spam policies (spam, high-confidence spam, phishing, bulk), configurable from 1 to 30 days in each policy, and 30 days for malware (older documentation cited 15 days). After that, messages are automatically deleted.

Connection filtering: The default connection filter policy ships with empty IP allow and block lists; Microsoft's reputation-based blocking applies regardless. Administrators can add IP addresses or CIDR ranges to either list and can optionally enable Microsoft's safe list of trusted senders.

Anti-malware policies: The default policy applies to all recipients and cannot be deleted. The common attachments filter is enabled by default and treats file types such as .exe, .scr, and .vbs as malware. Detected malware is always quarantined; the action cannot be changed.

Anti-phishing policies: The default policy (Office365 AntiPhish Default) enables spoof intelligence, unauthenticated sender indicators, and DMARC policy enforcement for all recipients. User and domain impersonation protection, which custom policies can extend to named executives and partner domains, is a Defender for Office 365 feature.

Sender reputation: EOP uses a reputation score based on sending history, complaint rates, and other signals. IPs with low reputation are throttled or blocked.

Configuration and Verification Commands

While most EOP configuration is done through the Microsoft Defender portal (security.microsoft.com, formerly the Microsoft 365 Defender portal), administrators can also use Exchange Online PowerShell. Common commands include:

- Get the default anti-spam policy:

Get-HostedContentFilterPolicy -Identity Default

- Set the actions for spam and high-confidence spam (the policy has a per-verdict action, not a numeric quarantine threshold):

Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine

- View quarantine messages:

Get-QuarantineMessage -Type Spam

- Release a quarantined message to all of its recipients (the Identity value comes from Get-QuarantineMessage):

Release-QuarantineMessage -Identity <Identity> -ReleaseToAll
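The commands above read or change one setting at a time. The script below is an added example, not code from this page or from Microsoft, that pulls the default policy for every EOP layer in one pass and reports drift from a hardening baseline modelled on the Standard preset (quarantine high-confidence spam and phishing, BCL threshold 6, restrict users who hit outbound limits). It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Security Administrator or Exchange Administrator role; the cmdlets and property names are the real Exchange Online ones, while the baseline values and the function name Test-EopBaseline are this example's choices.

```powershell
# Added example (not from the original page): audit the default policy of each EOP layer
# and, with -Enforce, apply the anti-spam baseline. Assumes ExchangeOnlineManagement and
# an admin account; baseline values are this example's, modelled on the Standard preset.

Connect-ExchangeOnline -ShowBanner:$false

function Test-EopBaseline {
    [CmdletBinding()]
    param([switch]$Enforce)   # without -Enforce the function only reports drift

    $findings = [System.Collections.Generic.List[string]]::new()

    # Layer 1: connection filtering. Empty lists are normal; entries on the allow list
    # skip spam filtering entirely, so each one deserves a justification.
    $conn = Get-HostedConnectionFilterPolicy -Identity Default
    if ($conn.IPAllowList.Count -gt 0) {
        $findings.Add("Connection filter: IP allow list bypasses spam filtering for $($conn.IPAllowList -join ', ')")
    }

    # Layer 2: anti-malware. The common attachments filter and zero-hour auto purge should stay on.
    $mal = Get-MalwareFilterPolicy -Identity Default
    if (-not $mal.EnableFileFilter) { $findings.Add('Malware: common attachments filter disabled') }
    if (-not $mal.ZapEnabled)       { $findings.Add('Malware: zero-hour auto purge disabled') }

    # Layer 3: mail flow rules. Rules left disabled or in audit mode silently do nothing.
    Get-TransportRule | Where-Object { $_.State -ne 'Enabled' -or $_.Mode -ne 'Enforce' } |
        ForEach-Object { $findings.Add("Mail flow rule '$($_.Name)': State=$($_.State) Mode=$($_.Mode)") }

    # Layer 4: anti-spam. The default policy junks high-confidence spam and phishing;
    # the baseline here quarantines them, as the Standard and Strict presets do.
    $spam = Get-HostedContentFilterPolicy -Identity Default
    $wanted = @{
        HighConfidenceSpamAction  = 'Quarantine'
        PhishSpamAction           = 'Quarantine'
        HighConfidencePhishAction = 'Quarantine'
        BulkSpamAction            = 'MoveToJmf'
    }
    $drift = @{}
    foreach ($name in $wanted.Keys) {
        if ("$($spam.$name)" -ne $wanted[$name]) {
            $findings.Add("Anti-spam: $name is '$($spam.$name)', expected '$($wanted[$name])'")
            $drift[$name] = $wanted[$name]
        }
    }
    if ($spam.BulkThreshold -gt 6) {
        $findings.Add("Anti-spam: BulkThreshold $($spam.BulkThreshold) is above 6")
        $drift['BulkThreshold'] = 6
    }
    if ($Enforce -and $drift.Count -gt 0) {
        # Splat only the properties that drifted onto the default policy.
        Set-HostedContentFilterPolicy -Identity Default @drift
    }

    # Layer 4 (continued): anti-phishing. Spoof intelligence and DMARC honoring are EOP features.
    $phish = Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default'
    if (-not $phish.EnableSpoofIntelligence) { $findings.Add('Anti-phish: spoof intelligence disabled') }
    if (-not $phish.HonorDmarcPolicy)        { $findings.Add('Anti-phish: sender DMARC policy not honored') }

    # Outbound: a compromised mailbox is caught by recipient limits, not by the inbound filters.
    $out = Get-HostedOutboundSpamFilterPolicy -Identity Default
    if ($out.ActionWhenThresholdReached -ne 'BlockUser') {
        $findings.Add("Outbound: ActionWhenThresholdReached is '$($out.ActionWhenThresholdReached)', expected 'BlockUser'")
    }

    # The leading comma returns the list as one object instead of unrolling it.
    return ,$findings
}

$results = Test-EopBaseline          # add -Enforce to apply the anti-spam changes
if ($results.Count -eq 0) { 'No drift from baseline' } else { $results }
```

Run it first without -Enforce and read the findings; the only write it ever performs is on the anti-spam policy, and everything else is reported so the fix can go through change control.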

How EOP Interacts with Related Technologies

EOP is the foundation of email security in Microsoft 365. For enhanced protection, organizations can add Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection). Defender for Office 365 adds:

Safe Attachments: Detonates attachments in a sandbox before delivery.

Safe Links: Scans URLs in messages at click time.

Advanced anti-phishing: User and domain impersonation protection (for named executives and sensitive domains) plus mailbox intelligence.

EOP and Defender for Office 365 work together: EOP handles the baseline filtering, while Defender for Office 365 adds layers for advanced threats, and both write their verdicts to the same quarantine. EOP also shares the transport pipeline with Microsoft Purview compliance features such as Data Loss Prevention (DLP) policies and mail flow rules, which evaluate messages alongside the security filters.

Walk-Through

1

Connection Filtering at SMTP Edge

When an external mail server attempts to deliver a message to an Exchange Online recipient, it initiates an SMTP connection to Microsoft's edge servers. The edge servers first check the connecting IP against Microsoft's IP reputation data and third-party real-time blocklists (RBLs), and against the IP block list in the tenant's connection filter policy. If the IP has a poor reputation or is on a blocklist, the server rejects the message with a permanent 5xx SMTP response (typically 550 5.7.1) and never accepts it. This keeps malicious traffic out of the pipeline and conserves resources. Administrators configure the IP allow and block lists in the Microsoft Defender portal under Email & collaboration > Policies & rules > Threat policies > Anti-spam policies > Connection filter policy (Default). The same policy has an "Enable safe list" option that trusts senders on Microsoft's own safe list; it is off by default.

2

Anti-Malware Scanning with Multiple Engines

After the message is accepted, it is passed to the malware filtering engine. EOP uses multiple anti-malware engines that scan the message body, attachments, and embedded objects against known signatures and heuristics. If an attachment has a file type on the common attachments filter list (e.g., .exe, .js, .vbs), it is treated as malware regardless of its content, because that filter is enabled in the default policy. A detection always quarantines the message. Administrators can enable notifications to admins for malware from internal and external senders, and the quarantine policy attached to the anti-malware policy decides whether recipients are told; by default they are not, and only admins can release malware. The default anti-malware policy applies to all recipients and cannot be deleted, but custom policies can be created for specific recipients.

3

Mail Flow Rules Before the Verdict

Before the spam and phishing verdicts are computed, the message is evaluated against mail flow rules (transport rules) defined by the administrator. Rules can add a disclaimer, redirect the message to a moderator, reject it based on content patterns (e.g., credit card numbers), or set the SCL explicitly. Rules are processed in priority order (lowest number first); a matching rule applies its actions and, unless it stops rule processing, evaluation continues with the next rule. Because rules run before content filtering, a rule that sets SCL -1 bypasses spam filtering for that message, which is a common reason spoofed mail from a "trusted partner" reaches inboxes.

4

Anti-Spam Filtering with SCL Assignment

Messages that pass the earlier stages are evaluated by the anti-spam content filter, which uses machine learning models trained on large volumes of spam and ham (non-spam) samples. It stamps a Spam Confidence Level (SCL) in the X-Forefront-Antispam-Report header; the scale runs from -1 to 9, but EOP itself assigns only -1, 0, 1, 5, 6, and 9. SCL -1 means filtering was skipped (safe sender, IP allow list, or a mail flow rule). SCL 0 and 1 are not spam. SCL 5 and 6 are spam; these messages are delivered to the user's Junk Email folder. SCL 9 is high-confidence spam; the default anti-spam policy also moves these to Junk Email, while the Standard and Strict preset policies quarantine them. Administrators set the action for each verdict in the anti-spam policy and can also configure bulk email filtering (the BCL threshold) and international spam filtering by language or country/region.

5

Anti-Phishing, Spoof Detection, and Final Delivery

In the same content-filtering stage, the anti-phishing filter checks for forged sender addresses and mismatched domains. It evaluates SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) for the sender's domain and combines the results into a composite authentication (compauth) verdict recorded in the Authentication-Results header. A single SPF failure does not by itself mark a message as phishing; a message that fails composite authentication is classified as spoof and handled by the anti-phishing policy's spoof settings, which send it to Junk Email by default. Because many legitimate domains publish no SPF or DMARC record, EOP also applies implicit authentication (sender history and reputation) before deciding. Impersonation protection for named executives and custom domains, and mailbox intelligence, are Defender for Office 365 features and are not part of EOP. Once the verdicts are applied, the message is delivered to the Inbox, the Junk Email folder, or quarantine, as the policies dictate. Administrators can follow any message through the pipeline with Message Trace in the Exchange admin center.
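Steps 4 and 5 describe verdicts that EOP records in two headers on every filtered message: X-Forefront-Antispam-Report (SCL, BCL, category) and Authentication-Results (SPF, DKIM, DMARC, compauth). The function below is an added example, not code from this page or from Microsoft, that parses those headers so a message-trace export or a user-reported sample can be triaged without the portal. The header layout is Microsoft's documented one; the sample message, its IP address, and its domains are constructed for this example, and the function name ConvertFrom-EopHeaders is this example's choice.

```powershell
# Added example (not from the original page): turn the EOP-stamped headers of a message into
# a triage object. The sample headers below are constructed; the IP and domains are placeholders.

function ConvertFrom-EopHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines: a line starting with whitespace continues the previous one.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') { $headers[$matches[1]] = $matches[2] }
    }

    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE pairs.
    $report = @{}
    foreach ($pair in ([string]$headers['X-Forefront-Antispam-Report'] -split ';')) {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $report[$matches[1]] = $matches[2].Trim() }
    }

    # Authentication-Results carries spf=, dkim=, dmarc= and Microsoft's composite verdict compauth=.
    $authHeader = [string]$headers['Authentication-Results']
    $auth = @{}
    foreach ($m in [regex]::Matches($authHeader, '\b(spf|dkim|dmarc|compauth)=(\w+)')) {
        $auth[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $reason = if ($authHeader -match 'compauth=\w+\s+reason=(\d{3})') { $matches[1] } else { $null }

    # CAT is the category the anti-spam or anti-phishing policy acts on.
    $categories = @{
        NONE = 'not spam'; SPM = 'spam'; HSPM = 'high confidence spam'; BULK = 'bulk'
        PHSH = 'phishing'; HPHSH = 'high confidence phishing'; MALW = 'malware'; SPOOF = 'spoofed sender'
    }
    $cat = [string]$report['CAT']

    [pscustomobject]@{
        SenderIP       = $report['CIP']
        Country        = $report['CTRY']
        SCL            = [int]$report['SCL']
        BCL            = if ($report['BCL']) { [int]$report['BCL'] } else { $null }
        Category       = $cat
        Verdict        = $categories[$cat]
        # SFV values that mean filtering was skipped or overridden (allow list, safe sender,
        # mail flow rule, intra-organization mail) rather than a genuine classification.
        FilterSkipped  = $report['SFV'] -in 'SKA', 'SKI', 'SKN', 'SKS', 'SFE'
        SPF            = $auth['spf']
        DKIM           = $auth['dkim']
        DMARC          = $auth['dmarc']
        CompAuth       = $auth['compauth']
        CompAuthReason = $reason
    }
}

# Constructed sample: headers as EOP stamps them on a message that failed authentication and
# was classified as high confidence phishing. Real reports carry more fields (SFS, LANG, ...);
# only the ones the parser uses matter here.
$sample = @'
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=contoso.com;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;
 H:mail.example.net;PTR:;CAT:HPHSH;SFS:(13230031)(1800799024);DIR:INB;
'@

$verdict = ConvertFrom-EopHeaders -RawHeaders $sample
$verdict | Format-List
```

For the sample above the object shows SCL 9, category HPHSH (high confidence phishing), spf and dmarc fail, and compauth fail; a FilterSkipped of True on a message that still reached the Inbox is the quickest sign that an allow list or a mail flow rule, not the classifier, let it through.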

What This Looks Like on the Job

Enterprise Scenario 1: A Multinational Corporation Using EOP for Basic Protection

A global company with 50,000 mailboxes uses EOP as its primary email security gateway. They rely on the default anti-spam and anti-malware policies, which filter roughly 10 million messages per day. The IT team periodically reviews quarantine reports and releases false positives. In the anti-spam policy they have enabled international spam filtering to block mail from the countries and regions where the company does no business, which noticeably cut inbound spam (connection filtering works on IP lists, not geography). They also use mail flow rules to add a disclaimer to external email. EOP handles the load without noticeable delay. However, phishing that relies on lookalike sender display names still gets through, because user and domain impersonation protection is a Defender for Office 365 feature, so they are evaluating that upgrade.

Enterprise Scenario 2: A Financial Services Firm with Strict Compliance

A bank with 5,000 mailboxes must comply with regulations that require advanced threat protection and data loss prevention. They run EOP together with Microsoft Defender for Office 365 Plan 2. EOP handles spam and malware, while Defender adds Safe Attachments and Safe Links. The bank's anti-phishing policies enable user impersonation protection for their top 50 executives and domain impersonation protection for their own domains. They use mail flow rules, backed by Purview DLP policies for the sensitive information types, to block outbound messages containing account numbers. The security team reviews Threat Explorer daily. A recurring issue is Safe Links blocking legitimate URLs; they maintain a short "do not rewrite" list for trusted partner domains rather than disabling Safe Links. Both EOP and Defender verdicts land in the same quarantine, which they manage from the Defender portal.
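Both scenarios lean on mail flow rules: the multinational's external-sender disclaimer and the bank's block on outbound account numbers. The script below is an added example, not code from this page or from either organization, that creates those two rules from Exchange Online PowerShell. The cmdlets and parameters are real; the rule names, the disclaimer text, and the account-number pattern are this example's assumptions, and the pattern is deliberately simple because a real deployment should prefer Purview DLP sensitive information types.

```powershell
# Added example (not from the original page): create the two mail flow rules described in the
# scenarios. Rule names, disclaimer text and the account-number regex are assumptions.
# Mail flow rules run after connection and malware filtering and before the anti-spam verdict,
# so a reject here stops the message before it is ever classified.

Connect-ExchangeOnline -ShowBanner:$false

# Rule 1: tag mail from outside the organization. Priority 0 runs first. Prepend puts the banner
# above the body; the Wrap fallback keeps the banner when the body cannot be modified in place
# (for example, an encrypted or signed message).
New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#9f1f1f">This message came from outside the organization. Verify any payment or credential request before acting on it.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 -Mode Enforce

# Rule 2: reject outbound mail that looks like it carries an account number (assumed 10- to
# 12-digit format preceded by an "Account"/"ACCT" label). Audit mode first; switch -Mode to
# Enforce once the audit report shows no legitimate business traffic matching.
New-TransportRule -Name 'Block outbound account numbers' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns @('\b(?:ACCT|Account)\s*(?:No\.?|#)?\s*:?\s*\d{10,12}\b') `
    -RejectMessageReasonText 'Message blocked: it appears to contain an account number.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Priority 1 -Mode Audit

# Rules are evaluated lowest priority number first; confirm the order, state and mode.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode -AutoSize
```

The audit-first pattern matters more than the regex: a rejecting rule that is wrong blocks customer correspondence instantly, whereas a rule left in audit mode only writes to the message trace and the rule report until you are ready to enforce it.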

Common Misconfigurations and Pitfalls

Overly restrictive connection filtering: Blocking entire IP ranges can block legitimate senders, such as partners or customers. Always test with a small scope first.

Ignoring quarantine notifications: Users often ignore quarantine digests, leading to missed legitimate emails. Configure end-user spam notifications and educate users to release false positives promptly.

Leaving the default anti-spam actions in place: the default policy moves even high-confidence spam and phishing to the Junk Email folder, where users can still open them. Apply the Standard or Strict preset policy (or set those verdicts to Quarantine) and watch the detection reports for false positives after the change.

Failure to publish SPF, DKIM, and DMARC for your own domains: EOP verifies inbound mail against the sending domain's records, so an organization that publishes none leaves its own domain easy to spoof, both toward outsiders and toward its own users, and spoof intelligence is left to rely on implicit authentication alone.

How MS-900 Actually Tests This

What MS-900 Tests on EOP

The MS-900 exam (objective 3.1) expects you to understand the role of EOP as a built-in email security service that protects against spam, malware, and phishing. You should know that EOP is included in all Microsoft 365 subscriptions that include Exchange Online, and that it provides connection filtering, anti-malware, mail flow rules, anti-spam, and anti-phishing. The exam does not require deep configuration details but may ask about the order of the filtering layers (connection filtering, anti-malware, mail flow rules, content filtering) or the default actions.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong answer: "EOP is an add-on service that requires an additional license." Why chosen: candidates confuse EOP with Defender for Office 365, which is the add-on. EOP is included with Exchange Online.

2. Wrong answer: "EOP can be disabled to reduce costs." Why chosen: some assume security features can be switched off to save money. EOP is always on and cannot be disabled.

3. Wrong answer: "EOP only protects against spam, not malware." Why chosen: they assume malware protection requires Defender for Office 365. In reality, EOP includes anti-malware scanning.

4. Wrong answer: "EOP quarantines all spam messages." Why chosen: they overlook that the default anti-spam policy delivers spam, and even high-confidence spam, to the Junk Email folder; out of the box only malware and high-confidence phishing are quarantined, and other verdicts are quarantined only when a policy (such as the Standard or Strict preset) says so.

Specific Numbers and Terms That Appear on the Exam

SCL values: -1 filtering skipped, 0-1 not spam, 5-6 spam (Junk Email folder), 9 high-confidence spam (Junk Email by default, quarantine in the Standard and Strict presets).

Quarantine retention: 30 days for all verdicts (older documentation cited 15 days for malware).

Default anti-malware action: Quarantine (the action cannot be changed).

Connection filtering: Uses IP reputation and block lists.

Anti-spoofing: Uses SPF, DKIM, DMARC.

Edge Cases and Exceptions

Internal email: Messages between mailboxes in the same organization are still scanned for malware and evaluated by mail flow rules, but spam filtering of intra-organization mail is limited. By default only high-confidence phishing verdicts are acted on; the anti-spam policy's intra-organizational messages setting can widen this to phishing or spam, or disable it.

Outbound filtering: EOP also filters outbound email, but outbound spam policies do not use SCL actions. Mail classified as outbound spam is routed through a separate high-risk delivery pool so it cannot damage the reputation of the normal pool, and users who exceed the policy's recipient limits are restricted from sending.

Hybrid deployments: In hybrid scenarios, on-premises mailboxes can also benefit from EOP by routing email through Exchange Online.

How to Eliminate Wrong Answers

If an answer says EOP is an add-on or requires extra cost, it is wrong because EOP is included.

If an answer says EOP only protects against one type of threat, it is likely wrong because EOP covers multiple layers.

If an answer mentions features like Safe Attachments or Safe Links, those belong to Defender for Office 365, not EOP.

Key Takeaways

EOP is included with all Microsoft 365 subscriptions that include Exchange Online.

EOP filters inbound and outbound email for spam, malware, and phishing.

EOP operates in layers, in this order: connection filtering, anti-malware, mail flow rules, and content filtering (anti-spam and anti-phishing).

Default spam actions: spam (SCL 5-6) and high-confidence spam (SCL 9) go to the Junk Email folder; malware and high-confidence phishing are quarantined; the Standard and Strict presets also quarantine high-confidence spam and phishing.

Quarantine retention: 30 days (configurable from 1 to 30 days for anti-spam verdicts).

EOP cannot be disabled; it is always on.

EOP uses SPF, DKIM, and DMARC for anti-spoofing.

Enhanced protection requires Microsoft Defender for Office 365, sold as an add-on and included in Microsoft 365 Business Premium (Plan 1) and Microsoft 365 E5 (Plan 2).

Administrators can customize policies in the Microsoft 365 Defender portal or via PowerShell.

Common exam wrong answers: EOP is an add-on, EOP can be disabled, EOP only filters spam.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Exchange Online Protection (EOP)

Included with all Exchange Online subscriptions

Provides basic spam, malware, and phishing protection

Uses connection filtering, anti-malware, anti-spam, and anti-phishing

Default quarantine retention: 30 days for all verdicts

No sandboxing or time-of-click URL protection

Microsoft Defender for Office 365

Requires an additional license (Plan 1 or Plan 2) unless the subscription already includes it (Plan 1 in Microsoft 365 Business Premium, Plan 2 in Microsoft 365 E5)

Adds advanced threat protection: Safe Attachments, Safe Links, and advanced anti-phishing

Includes Threat Explorer and automated investigation and response (Plan 2)

Safe Attachments detonates attachments in a sandbox before delivery

Safe Links scans URLs at click time and can block malicious links

Watch Out for These

Mistake

EOP is an optional add-on that must be purchased separately.

Correct

EOP is included with all Microsoft 365 subscriptions that include Exchange Online, such as Microsoft 365 Business Basic, Standard, Premium, and Enterprise plans. No additional purchase is required.

Mistake

EOP can be disabled by an administrator.

Correct

EOP is always on and cannot be disabled. Administrators can configure policies but cannot turn off the service. This ensures baseline protection for all mailboxes.

Mistake

EOP only filters inbound email from external senders.

Correct

EOP filters both inbound and outbound email. Outbound filtering helps prevent spam and malware from leaving the organization and protects the organization's reputation.

Mistake

All spam messages detected by EOP are quarantined.

Correct

By default, spam (SCL 5-6) and even high-confidence spam (SCL 9) are delivered to the user's Junk Email folder; only malware and high-confidence phishing are quarantined out of the box. Administrators can change the action for any verdict, and the Standard and Strict preset policies quarantine high-confidence spam and phishing.

Mistake

EOP provides the same level of protection as Microsoft Defender for Office 365.

Correct

EOP provides basic protection against spam, malware, and phishing. Defender for Office 365 adds advanced features like Safe Attachments, Safe Links, and advanced anti-phishing, offering a higher level of security.


Frequently Asked Questions

Is Exchange Online Protection included with Microsoft 365 Business Basic?

Yes. Exchange Online Protection is included with all Microsoft 365 subscriptions that include Exchange Online, including Microsoft 365 Business Basic, Standard, Premium, and all Enterprise plans. No additional license is needed. EOP provides baseline email security for all mailboxes in the organization.

Can I turn off Exchange Online Protection?

No. EOP is a core security feature that cannot be disabled. It runs automatically to protect mailboxes from spam, malware, and phishing. Administrators can configure policies to adjust filtering behavior but cannot turn off the service entirely. This ensures that all mailboxes have at least basic protection.

What is the difference between EOP and Microsoft Defender for Office 365?

EOP provides basic email security: spam filtering, malware scanning, and phishing detection. Defender for Office 365 is an add-on that provides advanced protection, including Safe Attachments (sandboxing), Safe Links (time-of-click URL scanning), and advanced anti-phishing (impersonation protection). Defender for Office 365 builds on top of EOP; you need EOP as a prerequisite.

Where are quarantined messages stored in EOP?

Quarantined messages are stored in Microsoft's cloud-based quarantine. Administrators, and end users when the quarantine policy allows it, can access the quarantine through the Microsoft Defender portal (security.microsoft.com/quarantine). Messages are retained for 30 days (configurable from 1 to 30 days for anti-spam verdicts), after which they are automatically deleted.

Does EOP filter internal email within the same organization?

Partly. Messages between mailboxes in the same organization are always scanned for malware and evaluated by mail flow rules, but by default the anti-spam filter only acts on high-confidence phishing verdicts for intra-organization mail. Administrators can widen this with the intra-organizational messages setting in the anti-spam policy, and can create mail flow rules that apply to internal messages, for example to block internal emails containing sensitive data or to add a disclaimer.

How does EOP handle outbound spam?

EOP filters outbound email as well. If a user's account is compromised and used to send spam, the outbound spam policy catches it in two ways: messages classified as outbound spam are routed through a separate high-risk delivery pool so they do not harm the reputation of the normal pool, and a user who exceeds the policy's recipient limits (external and internal recipients per hour, and recipients per day) is restricted from sending, by default until the following day. Administrators can tighten the limits and change the action in outbound spam policies; restricted users are listed on the Restricted entities page in the Defender portal, where they can be unblocked after the account is secured.

What are the default actions for malware detected by EOP?

The only action for detected malware is to quarantine the message; it cannot be changed to Junk Email or delete. Recipients are not notified by default, because the quarantine policy used for malware is admin-only; administrators can enable admin notifications in the anti-malware policy. The message is retained in quarantine for 30 days. In addition, the common attachments filter in the anti-malware policy (not connection filtering) treats file types such as .exe, .scr, and .vbs as malware regardless of content.

