Microsoft Exchange Online Protection Explained
Exchange Online Protection (EOP) is the email filtering service built into every Microsoft 365 subscription. It filters spam, malware, and phishing — but has limitations that make a dedicated email security gateway necessary for businesses facing targeted attacks.
Overview
Exchange Online Protection is included in all Microsoft 365 plans and provides baseline email filtering. It is effective against commodity spam and malware but has known gaps against targeted phishing and BEC. Microsoft 365 Business Premium adds Defender for Office 365 Plan 1 with Safe Links and Safe Attachments for improved protection.
What Is Exchange Online Protection?
Exchange Online Protection (EOP) is the email filtering infrastructure that Microsoft uses to process all email for Microsoft 365 mailboxes. Every Microsoft 365 plan — from Business Basic through to Enterprise E5 — includes EOP as a standard component. Email flows through EOP before reaching user inboxes, with EOP applying filtering rules at each stage.
EOP applies filtering in a defined sequence: connection filtering (checking the sending IP against blocklists), anti-malware scanning (checking attachments for known malware), anti-spam (scoring emails for spam characteristics), and basic anti-phishing (checking for domain spoofing and impersonation). Messages that pass all checks are delivered to the inbox; those that fail are quarantined or moved to junk.
What EOP Detects Well
EOP is effective at filtering high-volume commodity threats — spam campaigns, known malware distributed in bulk, emails from known malicious IP addresses, and straightforward domain spoofing where the sending domain is clearly not the claimed domain. For most Microsoft 365 tenants, EOP handles a substantial volume of unwanted email without requiring additional configuration.
Microsoft 365 Business Premium adds Defender for Office 365 Plan 1 on top of EOP, providing Safe Links (which rewrites and scans URLs in emails at click time) and Safe Attachments (which detonates attachments in a sandbox before delivery). These capabilities add meaningful protection against malicious links and zero-day malware in attachments.
Where EOP Falls Short
EOP is not designed to defeat sophisticated, targeted attacks. Business email compromise (BEC) attacks — where an attacker impersonates an executive or supplier to authorise a fraudulent payment — often evade EOP because the emails contain no malware or malicious links. The threat is purely social engineering, which signature-based filtering cannot detect.
Phishing emails from newly registered domains, compromised legitimate accounts, and carefully crafted targeted attacks routinely evade EOP detection. Research from KnowBe4 in 2025 found a 47% rise in phishing attacks successfully bypassing Microsoft's native defences and secure email gateways. This is not a criticism of EOP's quality — it is a reflection of how attackers adapt specifically to evade known filtering systems.
Supplementing EOP with a Dedicated Gateway
For businesses that need stronger protection against targeted phishing and BEC, a dedicated email security gateway — deployed in front of Microsoft 365 — provides an additional layer of filtering with different detection techniques. AMVIA deploys Barracuda Email Security Gateway for clients requiring enhanced email protection.
A dedicated gateway complements EOP rather than replacing it: EOP handles volume filtering whilst the gateway focuses on targeted threats and adds capabilities such as impersonation detection, link sandboxing, and outbound content inspection. Because the two layers catch different attack types, together they provide more complete protection than either alone.
Key Considerations for UK SMEs
- EOP is a baseline — sufficient for many businesses, but not designed for targeted attacks
- Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which adds Safe Links and Safe Attachments — configure these correctly before assessing whether additional gateway protection is needed
- Configure anti-phishing policies in EOP to enable impersonation protection for key executives and domains
- Enable DMARC, DKIM, and SPF on your domain to strengthen EOP's ability to reject spoofed email
- Consider a dedicated email gateway if your business receives targeted communications or operates in a high-risk sector
How AMVIA Can Help
AMVIA configures EOP and Defender for Office 365 policies as part of its Microsoft 365 managed security service — ensuring anti-phishing, safe links, and safe attachments are correctly configured rather than left at default settings. For businesses requiring enhanced email protection, AMVIA deploys Barracuda Email Security Gateway as a front-end layer on top of EOP. DMARC, DKIM, and SPF configuration is included in AMVIA's email security service. Contact AMVIA on 0333 733 8050 to discuss your email security requirements.
Key Points
What UK businesses need to know about Exchange Online Protection.
Standard in Every M365 Plan
EOP processes all email for Microsoft 365 mailboxes automatically — no configuration required to activate basic filtering.
Layered Filtering
EOP applies connection filtering, malware scanning, spam filtering, and basic anti-phishing in sequence to inbound email.
Known Gaps Against Targeted Attacks
Research shows a 47% rise in phishing attacks evading Microsoft's native defences in 2025 (KnowBe4). Targeted attacks routinely bypass EOP.
Defender for Office 365 Enhances EOP
Business Premium adds Defender for Office 365 Plan 1, including Safe Links and Safe Attachments for improved protection.
EOP Configuration Checklist
Anti-phishing policy configured — impersonation protection enabled for key executives
Safe Links policy active — URL scanning at click time for all users
Safe Attachments policy active — attachments sandboxed before delivery
DMARC, DKIM, and SPF configured on your domain
Outbound spam filter configured to detect compromised account behaviour
Quarantine alerts reviewed — not relying on end users to check junk folders
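The checklist above can be audited from Exchange Online PowerShell. The script below is an added example, not AMVIA's or Microsoft's own tooling; it assumes the ExchangeOnlineManagement module, an account with at least Security Reader rights, a Windows host for Resolve-DnsName, and an outbound recipient cap of 500 per hour as this example's own threshold rather than a Microsoft default.

```powershell
# Added audit script (not from the page's author). Requires the
# ExchangeOnlineManagement module; Resolve-DnsName needs Windows.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Anti-phishing: at least one policy must protect named executives and
#    use mailbox intelligence, which is how impersonation protection works.
$impersonationOk = Get-AntiPhishPolicy | Where-Object {
    $_.EnableTargetedUserProtection -and $_.TargetedUsersToProtect.Count -gt 0 -and
    $_.EnableMailboxIntelligenceProtection
}
if (-not $impersonationOk) {
    $findings.Add("Anti-phishing: no policy protects named users with mailbox intelligence")
}

# 2. Safe Links: URLs in email must be rewritten and scanned at click time.
$links = Get-SafeLinksPolicy | Where-Object { $_.EnableSafeLinksForEmail -and $_.ScanUrls }
if (-not $links) { $findings.Add("Safe Links: no policy scans URLs in email") }

# 3. Safe Attachments: sandbox and block (or dynamically deliver), never deliver unscanned.
$attach = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -and $_.Action -in 'Block','DynamicDelivery' }
if (-not $attach) { $findings.Add("Safe Attachments: no policy blocks or dynamically delivers attachments") }

# 4. Outbound spam: a per-hour external recipient cap with a block action catches a
#    compromised mailbox that starts spraying mail (500/hour is this example's assumption).
$outOk = Get-HostedOutboundSpamFilterPolicy | Where-Object {
    $_.RecipientLimitExternalPerHour -gt 0 -and $_.RecipientLimitExternalPerHour -le 500 -and
    $_.ActionWhenThresholdReached -eq 'BlockUser'
}
if (-not $outOk) { $findings.Add("Outbound spam: no policy blocks a user exceeding an external recipient cap") }

# 5. Email authentication: every accepted domain needs SPF and an enforcing DMARC record.
foreach ($d in (Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })) {
    $spf = (Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue).Strings
    if (-not ($spf -match '^v=spf1')) { $findings.Add("SPF: no record for $d") }
    $dmarc = (Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue).Strings
    if (-not ($dmarc -match '^v=DMARC1')) { $findings.Add("DMARC: no record for $d") }
    elseif ($dmarc -match 'p=none') { $findings.Add("DMARC: $d is monitor-only (p=none), spoofed mail is not rejected") }
}

if ($findings.Count -eq 0) { "All checklist items pass" } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

The script inspects policies, not the rules that scope them to users, so a passing policy may still apply to nobody; confirm scoping in the Defender portal, and review quarantine alerts separately as the checklist's last item has no cmdlet equivalent here.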
Frequently Asked Questions
It depends on your risk profile. EOP with Defender for Office 365 Plan 1 (included in Business Premium) provides reasonable protection for most businesses. Those in higher-risk sectors, those that regularly receive targeted phishing, or those that have experienced email-related incidents should consider a dedicated gateway. AMVIA can assess your current email security configuration and advise on whether additional protection is warranted.
EOP is the baseline email filtering service included in all Microsoft 365 plans, covering spam, malware, and basic phishing. Defender for Office 365 (MDO) is an add-on that provides advanced protection including Safe Links (URL scanning at click time), Safe Attachments (attachment sandboxing), and enhanced anti-phishing. MDO Plan 1 is included in Business Premium; Plan 2 (which adds threat hunting and automated investigation) requires an Enterprise licence.
EOP policies are managed through the Microsoft 365 Defender portal (security.microsoft.com). Key areas to review include anti-phishing policies, anti-spam policies, safe links policies, and safe attachments policies. Default policies exist but may not be optimally configured — AMVIA's security audit reviews M365 email security configuration and identifies settings that should be adjusted to improve protection.
Strengthen Your Email Security
AMVIA configures Microsoft 365 email security policies and, where needed, adds a dedicated gateway layer — providing comprehensive protection against phishing, malware, and business email compromise.
Related Resources
What Is Email Security?
The complete email security stack for UK businesses — beyond Exchange Online Protection.
DMARC, DKIM, and SPF Setup
How to configure email authentication to strengthen EOP's phishing detection.
Microsoft 365 Security Guide
A complete guide to securing your Microsoft 365 environment beyond default settings.