Exchange Online Protection (EOP): What It Does, How It Works, Key Features and Limitations

Spam messages are not only annoying and distracting but can also pose a real threat to individuals and organizations alike. According to Statista, spam messages accounted for 45.1% of email traffic in March 2021. The Verizon 2021 Data Breach Investigations Report found that 36% of breaches involved phishing — an 11% increase compared to 2020. The 2021 Tessian research found that employees receive an average of 14 malicious emails per year and more than 90% of cyberattacks infiltrate an organization through email.

These statistics indicate that email-based attacks are becoming more common and are among the biggest cybersecurity threats businesses face today. That’s where an email security solution, such as Microsoft Exchange Online Protection, comes in. In this blog, we will discuss what Exchange Online Protection (EOP) is, how it works, its key features and its limitations.

What is Exchange Online Protection (EOP)?

Exchange Online Protection is a cloud-based email security service from Microsoft. EOP filters your emails to protect your organization against spam, malware and other email-based threats.

FrontBridge Technologies Inc. was the company that created Microsoft Forefront Online Protection for Exchange, or what we know as Exchange Online Protection today. Microsoft acquired the company in 2005 and it became a subsidiary of Microsoft. On April 29, 2009, Microsoft rebranded the service as Forefront Online Security for Exchange (FOSE). On November 17, 2009, Microsoft renamed FOSE to Forefront Online Protection for Exchange (FOPE). On the same day, an updated version of FOPE was also released. The updated version of FOPE (version 10.1) was made available to end users on January 29, 2010. FOPE went through a series of transitions and upgrades and on March 1, 2013, Exchange Online Protection (EOP) was launched.

What does Exchange Online Protection do?

Exchange Online Protection helps keep your inboxes clean by filtering out spam messages or malicious emails such as phishing. EOP processes all incoming and outgoing emails and prevents emails containing potentially harmful attachments, malware or viruses from entering your inbox.

Does Microsoft 365 include Exchange Online Protection?

EOP is included in all Microsoft 365 plans with Exchange Online mailboxes. According to Microsoft, “EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes.” The EOP plans include EOP standalone, EOP features in Exchange Online and Exchange Enterprise CAL with Services.

What is the difference between EOP and ATP?

EOP is the security service that comes by default with Office 365. You can purchase Advanced Threat Protection (ATP) as an add-on service at an additional cost. ATP is included in Office 365 Enterprise E5 and Microsoft 365 Business Premium plans. ATP adds an extra layer of protection to EOP and works in tandem with EOP and Office 365 Threat Intelligence.

How does Exchange Online Protection work?

Let’s look at how EOP processes incoming emails to understand its working principle better.

Exchange Online Protection (EOP) process flow diagram.

Source: Microsoft

All emails (incoming and outgoing) processed by EOP go through four filtering stages:

Connection filtering

This first step checks the sender’s reputation. Based on the connection filtering rules set by your organization, the email is either accepted or rejected, depending on the senders’ IP addresses. Most unsolicited junk emails are filtered out at this stage.


The next step involves scanning emails for malware. If the message or attachment(s) contains malware, the email is quarantined. By default, only admins can access malware-quarantined emails; however, they can use quarantine policies to define what users can do with the quarantined messages.

Policy filtering and mail flow rules

In this step, the email goes through policy filtering. Here, the email is checked against any mail flow rules or transport rules that your organization has set. Your organization can create custom rules for incoming emails. For example, configuring EOP to automatically delete emails from a specific sender or warn users of potentially harmful content based on keywords.

Content filtering

This is the final step where the email is scanned against anti-spam and anti-spoofing policies. Messages that are deemed harmful are identified as spam, high confidence spam, phishing, high confidence phishing, bulk or spoofing. You can configure the settings to specify what actions should be taken based on the content filtering results, such as quarantine, send to the Junk Email folder, etc.

Key features of Exchange Online Protection

EOP includes several security features to tackle email-related threats effectively. Some of the key features are listed below:

Protection features

EOP helps protect against malware and other potential email threats that could compromise your organization’s security.

  • Malware filter: Helps keep your email messages safe with multilayered malware protection. EOP is designed to identify and stop viruses, spyware and ransomware.
  • Spam filter: EOP anti-spam technology protects you from junk emails and fraudulent email threats.
  • Connection filter: The EOP connection filter helps identify the source of email servers based on their IP addresses.
  • Anti-phishing: You can create and use customized anti-phishing policies to keep sophisticated threats away from your mailbox, including identifying user impersonation and spoofing.
  • Anti-spoofing: EOP uses anti-spoofing technology to analyze the “From” header in the email body to validate its authenticity. EOP blocks messages that standard email authentication methods and sender reputation techniques fail to validate.

Quarantine and submission features

The quarantine and submission features in EOP allow users to take specific actions on quarantined messages and submit email messages for analysis.

  • Quarantine: Quarantined messages can be potentially harmful. Admins can manage these messages and files, like releasing or deleting all quarantined messages. They can also use quarantine policies to specify what users can do to quarantined messages.
  • Submissions: Admins can use the Submissions portal to submit suspected emails, URLs and attachments to Microsoft for analysis.

Mail flow features

Mail flow rules, also known as transport rules in Exchange Online, help identify and take specific actions on emails that enter your organization’s mailbox.

  • Mail flow rules: These rules include conditions, exceptions and actions that give you greater flexibility in managing messages.
  • Accepted domains: Domains that are added to Microsoft 365 or Office 365 are called accepted domains. Accepted domain users can send and receive email messages.
  • Connectors: The Exchange Online Protection Overview documentation defines connectors as “A collection of instructions that customize the way your email flows to and from your Microsoft 365 or Office 365 organization.”

Monitoring features

EOP helps you monitor, report and trace messages.

  • Message trace: This feature lets you know if a message was received, rejected, deferred or delivered. Apart from showing what happened to the email, it also shows what actions were taken on the email.
  • Email and collaboration reports: Email security reports provide detailed information on how anti-spam, anti-malware and encryption features in Microsoft 365 help protect your organization.
  • Alert policies: You can create alert policies or use the default alert policies to keep a tab on activities like phishing attacks, unusual file deletion or external sharing. You can view the alerts caused when certain activities match the terms of an alert policy.

What are the limitations of Exchange Online Protection?

While EOP provides several email security features, it also has certain limitations around end-user control and addressing emerging threats. EOP helps in email hygiene by filtering spam and sending malicious messages to quarantine. However, users can still access these messages, which increases the risk of letting out potentially harmful messages that had earlier been blocked and quarantined.

Despite EOP email security service, the Egress’ Outbound Email: Microsoft 365’s Security Blind Spot report found that 85% of organizations using Microsoft 365 have experienced an email data breach in 2020. A report by Gartner noted that its clients have regularly expressed dissatisfaction with EOP and ATP, citing the need for third-party protection.

Superior Microsoft 365 data protection with Spanning

Microsoft 365 is the most popular target and vector for phishing attacks. About 90% of incidents that end in a data breach start with a phishing email. While building a strong defense against phishing and other email-related threats is critical, a security breach due to human mistakes or a configuration error could render data unrecoverable. That’s why, backing up your precious Microsoft 365 data is important to avoid costly downtime and data loss and to maintain business continuity.

Spanning Backup for Microsoft 365 safeguards all your data from Exchange Online, SharePoint Online, OneDrive and Microsoft Teams with cloud-to-cloud backup and recovery.

To learn more about Microsoft 365 data protection and best practices for Microsoft 365 business continuity, download our eBook.

Download the eBook