Full Overview of Microsoft Exchange Online Protection

Spam is unsolicited messages or other content sent in bulk by email to a large number of recipients. Many years ago, spam messages were nothing more than unwanted advertising content. Today, spam can pose a threat because it has become more than just an annoying piece of advertising. Spam senders use sophisticated techniques when sending email spam. They can attach spyware, malware or ransomware to messages, and use XSS injection or just links to viruses. Inattentive users are unable to identify these dangerous messages. Infection with such malicious software can be a threat for individual users and entire companies because it can cause hardware failure, data leaks and data loss (corruption).

Fortunately, there are ways to protect your email accounts from spam by using modern software solutions, such as Exchange Online Protection. In this blog post, I will cover what Exchange Online Protection is and how it can be used to protect your Exchange Online accounts. So how good is Exchange Online Protection?


What Is Exchange Online Protection?

Exchange Online Protection (EOP) is a cloud-based email-filtering service from Microsoft. This service aims to protect email users and the entire organization against spam and malware. Users usually ask: Does Microsoft Office 365 include Exchange Online Protection? Yes, Exchange Online Protection is a software component included in Microsoft Office 365 subscriptions for organizations. EOP is part of Microsoft Exchange Online. When a company starts using Microsoft Office 365 email services, it should consider how to protect its accounts from spam as a matter of priority. That’s why choosing cloud-based email protection services can make a lot of sense. Exchange Online Protection supports several deployment scenarios:

  • Standalone deployment. You can use Exchange Online Protection for cloud-based protection of your on-premises Exchange servers running on physical or virtual machines.
  • Cloud-only usage. If you are using Office 365 email services, use the native Exchange Online Protection to protect Exchange Online and users’ mailboxes hosted in the cloud.
  • Hybrid deployment. You can configure Exchange Online Protection in the cloud to protect both Exchange Online residing in the cloud and on-premises Exchange servers running on your physical servers or virtual machines in your office or datacenter.

The Exchange Protection plan is included in all Microsoft Office 365 subscription plans that include Exchange Online and related email services. You can also purchase EOP separately. Exchange Online Protection can also work with non-Microsoft email services.

Read also how to connect to Exchange online with PowerShell.

What Does Exchange Online Protection Do?

Exchange Online Protection filters inbound and outbound email messages, checking for diverse threats. Inbound emails are filtered by using rules and policies based on the sender’s reputation, IP addresses, email addresses, domain names, keywords, and complex Microsoft analysis algorithms. Email messages that are classified as dangerous are rejected and deleted.

Filtering outbound emails is needed to avoid situations in which a user at a company is sending spam to others. If you do not filter such messages, your domain or IP address will be added to a blacklist by other organizations. Being blacklisted as a spammer is damaging and can cause problems when delivering emails sent by users from your organization. It is much easier to configure outbound email filtering than try to exclude your domain from a blacklist. Another case for using outbound filtering is when somebody hacks a user account and uses that compromised account to send spam.

Working Principle

When somebody outside your company sends an email to a user of your organization, the email is routed through a chain of routers and mail servers to your mail server according to MX records configured for your domain. If you use Exchange Online as part of Microsoft 365, your virtual mail server is distributed across datacenters in the Microsoft cloud. Many spam emails are dropped before getting to your Exchange Online email servers. When an email message is delivered to an Exchange datacenter used by your organization, Exchange Online Protection swings into action.

Exchange Online Protection checks the sender’s reputation, IP address, domain name, and the keywords in the title or message text. It then compares that data with the filter configuration. If “allow” conditions are met (for example, there are no blacklisted phrases, IP addresses, email addresses or domains), the email is delivered to a user’s mailbox. If a sender’s IP address (email account name or domain) is in a whitelist, the message is not filtered. Messages are also inspected for malware.

The working principle of Exchange Online Protection

If an email message doesn’t meet the conditions, it is either rejected as junk email (users can find this message in their Junk Email folder) or saved to quarantine and is not delivered to a recipient (depending on settings). Microsoft knows the addresses of many spammers and uses machine learning algorithms to react in time and add new spammers to a blacklist. The partnership of Microsoft with other corporations that fight spam allows it to provide a high level of email protection. This is the advantage of using a cloud-based Exchange Online protection solution compared with configuring protection for your physical email server from scratch. In most cases, all you need to do is fine-tune the settings of Exchange Online Protection.

Spam confidence level

When an email message goes through a spam filter in Exchange Online Protection, the message is given a spam score. This score is called a “spam confidence level” (SCL) and can be recorded to an X-header of the email message. The higher the SCL is, the higher the probability that the email message is a spam message.

Spam confidence level:

  • -1: This is a non-spam message from trusted sources on whitelists (based on an IP address, sender name, domain name, and so on). The message is delivered to the recipient’s Inbox folder.
  • 0 – 1: These values are assigned to email messages that are not spam. The message is delivered to the recipient’s Inbox.
  • 5, 6: Emails are classified as spam and are moved to the Junk Email folder.
  • 7, 8, 9: Emails are classified as high confidence spam and are moved to the recipient’s Junk Email folder.

The complete list of actions that can be performed after an email message has been marked as spam:

  • Move the email message to the Junk Email folder. This option is used by default.
  • Add an X-header so that the email message can be handled further by transport rules.
  • Add a warning message at the beginning of the subject line. You can use this option to notify users that a message is suspicious if the message was marked as spam and moved to the Junk Email folder.
  • Move to quarantine. This option is good for saving good messages that have been mistakenly identified as spam (also known as false positives).
  • Redirect the message to a custom email address. You can use this option if you want to check what messages are marked as spam. It may be useful when you want to perform some additional tuning for spam filtering.
  • Delete the email message. Use this option if you are 100% sure that your email filter is configured properly.

Bulk email

Bulk email is usually not spam but may be annoying and undesired in your organization. Bulk email consists of messages, such as marketing materials and newsletters, sent to a large number of users. Reading bulk emails can distract users, and they may use work email accounts to register on third-party websites, which your security policy may not recommend. Exchange Online Protection allows you to treat bulk emails as spam by configuring the bulk complaint level to prevent users from receiving this type of unsolicited correspondence. You can set the Bulk Complaint Level (BCL) the same way as you would the spam confidence level (using numbers from 1 to 9). Set the threshold value to 7 or higher and forget about bulk emails. Users can click “This is spam” in an email client to register a spam complaint against the sender. Bulk email services that receive a high number of complaints get a bad reputation. This is detected by spam filtering systems, including Exchange Online Protection.
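The spam confidence level and the bulk complaint level described above can be read back from a delivered message when reviewing filter decisions. The following is an added example, not part of the original post: it assumes the values are stamped as SCL: in the X-Forefront-Antispam-Report header and as BCL: in the X-Microsoft-Antispam header (the post itself does not name the headers), and both sample messages are constructed.

```python
from email import message_from_string

BULK_THRESHOLD = 7  # threshold value suggested in the text

# SCL ranges and outcomes exactly as listed in the text (2-4 are not listed there).
SCL_TABLE = [
    (-1, -1, "trusted sender", "Inbox"),
    (0, 1, "not spam", "Inbox"),
    (5, 6, "spam", "Junk Email"),
    (7, 9, "high confidence spam", "Junk Email"),
]

# Constructed sample messages; addresses and values are illustrative only.
NEWSLETTER = (
    "From: news@shop.example\n"
    "Subject: Weekly deals\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:1;SFV:NSPM;\n"
    "X-Microsoft-Antispam: BCL:8;\n"
    "\nbody\n"
)
JUNK = (
    "From: prize@lottery.example\n"
    "Subject: You won\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.9;CTRY:US;LANG:en;\n"
    " SCL:9;SFV:SPM;\n"  # folded header line, as mail servers often emit
    "X-Microsoft-Antispam: BCL:0;\n"
    "\nbody\n"
)


def parse_fields(value):
    """Split 'KEY:value;KEY:value;' header content into a dict."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def to_int(fields, key):
    """Return the field as an int, or None when it is missing or malformed."""
    try:
        return int(fields[key])
    except (KeyError, ValueError):
        return None


def triage(raw_message, bulk_threshold=BULK_THRESHOLD):
    """Read the SCL and BCL stamps and map them to the outcomes listed in the text."""
    msg = message_from_string(raw_message)
    scl = to_int(parse_fields(msg.get("X-Forefront-Antispam-Report", "")), "SCL")
    bcl = to_int(parse_fields(msg.get("X-Microsoft-Antispam", "")), "BCL")
    verdict, folder = "not listed", None
    for low, high, name, target in SCL_TABLE:
        if scl is not None and low <= scl <= high:
            verdict, folder = name, target
    # Assumption: a message counts as bulk when its BCL meets or exceeds the threshold.
    bulk = bcl is not None and bcl >= bulk_threshold
    return {"scl": scl, "bcl": bcl, "verdict": verdict, "folder": folder, "bulk": bulk}
```

The newsletter sample shows why the two scores are separate: its SCL says "not spam", yet its BCL crosses the bulk threshold.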

Read also how to configure Office 365 SMTP settings for your email client.


A false positive is an event in which an email message is classified as spam although it is not actually spam. A false negative is an event in which a spam or malicious email has passed the filters and been delivered to a recipient. No system is immune to such events. You can report false-positive and false-negative results of spam filters to Microsoft. Microsoft will try to improve the anti-spam and antivirus protection. In case of a false positive, administrators can find messages in quarantine, provided that they have not configured messages determined to be spam to be deleted immediately and permanently.


Quarantine is the place where email messages classified as spam or infected messages are stored. The messages are stored in quarantine until they are reviewed by the administrator or deleted when the time of storing in quarantine has expired. Undesired messages can be stored in quarantine instead of the Junk Email folder from which users can restore and open a suspicious email. If that email is infected, it constitutes a threat for a user and organization. That’s why administrators prefer to store emails with a high spam confidence level in quarantine accessed only by administrators instead of the Junk Email folder.

Messages moved to quarantine by a spam filtering rule are stored for 15 days by default. A system administrator can configure this time period.

Messages that are moved to quarantine as a result of a transport (network filtering) rule are stored for 7 days in quarantine and administrators cannot edit this time period.

Administrators can manage quarantine and quarantined messages of all users. Users can only see messages in their quarantine if the appropriate settings are applied (it is possible to configure quarantine settings to allow each user to manage quarantine for their own account).

Spam filtering options

You can outline the Exchange protection plan and select which policies and rules are crucial for protecting your users and company.

Whitelists are “allow” lists or safe sender lists. If you trust a company or a business partner, you can add IP addresses and domain names used by that company to whitelists in your rules to make sure that important emails from them can always be delivered to you.

Blacklists are block lists. If you notice that a lot of spam messages are sent from an IP address or domain, add these sender parameters to a blacklist.

Filtering by IP addresses. You can add IP addresses of spam senders to a blacklist for blocking emails. Add IP addresses of trusted resources to a whitelist.

Filtering by languages (international spam filters) allows you to reject emails written in languages that are not used in your company and reduce the flow of incoming spam. For example, your company uses English, German and French while your partners use English and Spanish – you shouldn’t block these languages. You can block emails written in another language if you notice that you receive a large amount of spam in that language. Exchange Online Protection also allows you to block email servers hosted in a certain country (region) of the world.

Configuration of Exchange Online Protection

Now that I’ve covered the main options and functionality, let’s look at how to access Exchange Online Protection settings. Read this section to learn the answer to: How do I set up Exchange Online Protection? You can configure Exchange Online Protection in a web interface. Go to Exchange Admin Center and sign in as an administrator of your company account:



Click protection in the left pane of the Exchange admin center. On the top of the web page, you can see malware filter, connection filter, spam filter, outbound spam, quarantine, action center, and DKIM options. The Protection section is responsible for anti-spam and anti-malware protection.

Malware filter. In this subsection you can manage anti-malware policies. You can add, edit, enable, disable, and delete policies, and change their priority. The policies with a higher priority are applied first.

The malware filter of Exchange Online Protection

Click the + button to add a new anti-malware policy. A long list of settings will be displayed in a new window.

Name: Enter a name for the new policy.

Description: Enter a description if needed.

Malware Detection Response. Select one of the “Yes” options if you want recipients at your organization to be notified about quarantined messages with malware attachments. You can enter a custom notification text.

Common Attachment Types Filter (On/Off). Turn on this option and select file types that may be harmful. You can select .EXE, .BAT, .CMD and other file extensions and if these file types are detected in email attachments, the email message will be rejected.

Malware Zero-hour Auto Purge. This feature detects and neutralizes spam, phishing, and malware messages that have already been delivered to users’ mailboxes. Microsoft regularly updates Exchange Online Protection filters and improves their algorithms. If a malicious email was delivered before filters were able to detect that malware, the issue can be fixed by Zero-hour Auto Purge after updating malware and spam signatures. It is recommended to turn on this feature. You can tune notification options for users and administrators.

The anti-malware policy can be applied to users, groups or domains.

Connection filter. The connection filter can block emails based on the IP address of the source side (a mail server used by an email sender). Connection filtering is usually used after detecting malware or spam attacks and source IP addresses used to send malicious emails. You can add allowed IP addresses of trusted senders.

The management elements of the connection filter allow you to add allowed and blocked IP addresses to the default policy.

Connection filtering for Exchange Online Protection

You can select the Enable safe list checkbox to use Microsoft’s safe list of trusted IP addresses. Microsoft subscribes to lists from third-party companies that continuously update whitelists and blacklists of email senders worldwide. If you don’t trust third-party lists, you can ignore this option and not select this checkbox.

Spam filter. Exchange Online Protection detects spam emails based on the email content after analyzing them. Spam filter options allow you to fine-tune the spam filter for Exchange Online Protection and customize the settings. Click the Edit (pencil) icon to open a new window with settings.

Name: Enter the spam filter policy name.

Description: Enter a description (optional).

Spam and bulk actions. You can select the action to take for incoming spam and bulk email. Select the Mark bulk email as spam checkbox to stop delivery of marketing emails, newsletters and other unwanted messages that are not required for the working process of users in your organization. Select the threshold in the drop-down menu to tune how bulk emails are recognized as spam. Spam confidence level uses threshold values that are 1-9 and 7 is the default value.

Quarantine options:

  • Retain for (days): 15 by default
  • Add this X-header text
  • Redirect to this email address

A spam filter policy for Exchange Online Protection

You can also edit block lists and allow lists for sender email addresses and domain names.

Outbound spam. Some configuration pages were updated by Microsoft and moved to other addresses. You can configure spam policies, including outbound spam policies, on the page:


On this page you can enable default policies and set their priority. In order to configure an outbound spam policy, click Create an outbound policy. In the window that opens, enter the policy name, description and configure notification settings, recipient limits (shown on the screenshot) and conditions applied to the needed objects.

Outbound spam filtering settings in Exchange Online Protection

Quarantine. Quarantine settings are available here:


If there are filtered messages marked as spam or malware, you can see them in the list. The appropriate policies (such as spam filter policies) must be applied to store suspicious messages in the quarantine.

Quarantine for Exchange Online Protection

Action Center. You can access the Action Center by using the address:


You can see a list of restricted users, actions, services and other action details on this configuration page of Exchange Online Protection.

The Action Center of Exchange Online Protection

DKIM. DKIM (DomainKeys Identified Mail) is an additional method of spam fighting that is based on adding a cryptographic signature (DKIM record) to outgoing emails. The DKIM signature is a header added to an email message and is secured by encryption. On the other side, a destination mail server can determine that an email message was sent by an authorized mailing system. The end user (recipient) doesn’t see the signature. You can find DKIM settings for your domains in the corresponding subsection of Exchange Online Protection settings.

DKIM options for Exchange Online Protection
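To make the DKIM header concrete, the following added example (not part of the original post) parses a DKIM-Signature header and runs the structural checks a receiving side can make before any cryptographic verification: required tags and a signed From header per RFC 6376, and the rsa-sha1 deprecation from RFC 8301. The sample messages, domains, selectors and the placeholder bh=/b= values are constructed, and the From-domain comparison is a simplified suffix match.

```python
from email import message_from_string
from email.utils import parseaddr

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # required by RFC 6376

# Constructed samples; domains, selectors and bh=/b= values are placeholders.
GOOD = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.example;\n"
    " s=selector1; h=From:Date:Subject:To;\n"
    " bh=PLACEHOLDERbodyhash=; b=PLACEHOLDERsignature=\n"
    "From: Alice <alice@contoso.example>\n"
    "Subject: Invoice\n"
    "\nbody\n"
)
WEAK = (
    "DKIM-Signature: v=1; a=rsa-sha1; d=mailer.example; s=k1;\n"
    " h=Date:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: Billing <billing@contoso.example>\n"
    "Subject: Invoice\n"
    "\nbody\n"
)


def parse_tags(value):
    """Parse a DKIM tag list ('tag=value; tag=value'), dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: b= values end in '='
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def inspect_signature(raw_message):
    """Return the signing domain, selector, key record name and structural findings."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    findings = [f"missing tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        findings.append("From header is not covered by the signature")
    if tags.get("a") == "rsa-sha1":
        findings.append("rsa-sha1 is deprecated (RFC 8301)")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    # Simplified comparison: exact match or From domain is a subdomain of d=.
    if d and from_domain != d and not from_domain.endswith("." + d):
        findings.append(f"signing domain {d} differs from From domain {from_domain}")
    # The public key is published in DNS as a TXT record at <selector>._domainkey.<domain>.
    key_record = f"{tags['s']}._domainkey.{d}" if d and "s" in tags else None
    return {"domain": d, "selector": tags.get("s"),
            "key_record": key_record, "findings": findings}
```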

Mail flow

This section allows you to manage the mail flow by using transport rules and conditional mail routing. Mail flow rules (mail transport rules) are used to take actions on messages before they are delivered to the mailboxes of recipients. You can configure a set of conditions, such as attachment size, subject name, and so on, with a comparison operator that the filtering system uses to make a decision. For example, if a message subject is “For sale” or “Discount”, this message must be deleted. You can also modify and forward messages. A rule at the top of the list has the highest priority and a rule at the end of the list has the lowest priority. High priority rules are applied first when handling emails in the mail flow.

Mail flow options for Exchange Online Protection Office 365


Exchange Online Protection is more than anti-spam protection because this solution can protect each user and the entire organization against spam, viruses, malware, ransomware and spyware. Exchange Online Protection is a part of Microsoft 365. If you use a Microsoft 365 subscription for organizations and Microsoft Exchange Online, you can configure Exchange Online Protection for your company. Microsoft provides mail filtering services enabled by default, but you can fine-tune settings according to your requirements. Protecting email users against spam and malware reduces the risk of losing important data.

In addition to anti-spam and anti-virus protection, you can protect your data by performing regular backups. Use NAKIVO Backup & Replication and create your Microsoft Office 365 backup for email accounts.
