Microsoft Exchange Online Protection Explained for UK Businesses

Overview

Exchange Online Protection is included in all Microsoft 365 plans and provides baseline email filtering. It is effective against commodity spam and malware but has known gaps against targeted phishing and BEC. Microsoft 365 Business Premium adds Defender for Office 365 Plan 1 with Safe Links and Safe Attachments for improved protection.

Exchange Online Protection (EOP) is the built-in email security layer included with every Microsoft 365 subscription. It filters all inbound and outbound email for spam, malware, and basic phishing — automatically, without additional cost or configuration. Understanding what EOP does and does not protect against is essential for UK businesses assessing whether their Microsoft 365 email security is adequate.

What Is Exchange Online Protection?

Exchange Online Protection is Microsoft's cloud-based email filtering service. Every email sent to or from a Microsoft 365 mailbox passes through EOP, which analyses it for threats before delivery or transmission.

EOP is not an optional add-on — it is the baseline security layer that Microsoft provides as part of all Exchange Online and Microsoft 365 subscriptions, from Business Basic through to Enterprise E5. It processes billions of emails daily across Microsoft's global customer base, which gives it significant threat intelligence derived from that scale.

EOP is managed through the Microsoft Defender portal (formerly the Security and Compliance Centre) and provides administrators with policy controls, quarantine management, and reporting.

What Exchange Online Protection Does

Anti-Spam Filtering

EOP applies multi-layered spam filtering to all inbound email. This includes:

  • Connection filtering: Blocking email from known malicious IP addresses before the message is even received
  • Content filtering: Analysing the email body, headers, and structure for spam characteristics using machine learning models trained on Microsoft's global email data
  • Sender reputation analysis: Assessing the sending domain and IP against reputation databases updated in real time

EOP classifies inbound email as spam, high-confidence spam, or bulk email, and routes it to the Junk folder or quarantine according to policy. For the majority of commercial spam, EOP's filtering is highly effective.

Anti-Malware Scanning

EOP scans all email attachments for known malware using multiple anti-malware engines. Common malicious file types — executable files, malicious Office macros, malware-laden PDFs — are detected and quarantined before delivery.

EOP's anti-malware scanning is signature-based and augmented by heuristics. It is effective against known malware variants but has limited capability against novel, zero-day malware delivered in new or obfuscated formats.

Anti-Spoofing and Email Authentication

EOP enforces email authentication standards:

  • SPF (Sender Policy Framework): Verifies that the sending mail server is authorised to send email for the domain in the "envelope from" field
  • DKIM (DomainKeys Identified Mail): Verifies the digital signature applied to email by the sending domain, confirming the message has not been modified in transit
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Checks alignment between the authenticated domain and the displayed sender address, and applies the domain's published DMARC policy (monitor, quarantine, or reject)

EOP applies these checks to inbound email and can be configured to reject or quarantine email that fails authentication from domains with strict DMARC policies. AMVIA strongly recommends publishing a DMARC record for your own domain and progressively enforcing a reject policy. See our DMARC guide for detail.
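The SPF, DKIM and DMARC checks described above can be followed end to end in a simplified DMARC evaluation. This is an added example, not EOP's implementation or AMVIA's code; the domains, records and the three-entry suffix set are constructed, and the pct= tag is ignored.

```python
# Added example: simplified DMARC evaluation over constructed inputs.
# Assumption: a tiny stand-in replaces the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

def org_domain(domain):
    """Organisational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record, spf, dkim):
    """spf and dkim are (result, authenticated_domain). Returns (dmarc_result, action)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # A subdomain in From uses the sp= tag when the organisational record has one.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return ("fail", policy)

if __name__ == "__main__":
    record = "v=DMARC1; p=reject"  # constructed record for example.co.uk
    # Genuine mail: SPF and DKIM both pass for the From domain's organisation.
    print(evaluate("example.co.uk", record, ("pass", "bounce.example.co.uk"), ("pass", "example.co.uk")))
    # Spoofed From: SPF passes, but only for the sender's own envelope domain.
    print(evaluate("example.co.uk", record, ("pass", "mailer.example.net"), ("none", "")))
    # Same spoof while the domain is still at p=none: the failure is only reported.
    print(evaluate("example.co.uk", "v=DMARC1; p=none", ("pass", "mailer.example.net"), ("none", "")))
```

The second and third cases differ only in the published policy, which is why moving from monitoring to reject changes what a receiving filter such as EOP is asked to do with the same spoofed message.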

Outbound Filtering

EOP also filters outbound email — monitoring for spam and malware sent from Microsoft 365 mailboxes. This is important for two reasons: preventing a compromised mailbox from being used to send phishing to your contacts, and protecting your domain's sending reputation.

When EOP detects outbound spam from a mailbox, it alerts administrators and can restrict the mailbox's sending capability. This is often the first indicator that a Microsoft 365 account has been compromised.

Where Exchange Online Protection Falls Short

EOP is a strong baseline, but it is not designed to stop sophisticated, targeted attacks. The gaps that matter most for UK SMEs are:

Advanced Phishing and Spear Phishing

EOP's anti-phishing capabilities are basic compared to what is needed to stop targeted spear phishing. EOP can detect obvious phishing characteristics, but a well-crafted spear phishing email — using the real display name of a known contact, sent from a newly registered lookalike domain — will often pass EOP's filters and land in the inbox.

Advanced phishing analysis (impersonation detection, behavioural anomaly detection, sender intelligence) requires Microsoft Defender for Office 365, which is available in Microsoft 365 Business Premium and above.

Malicious Attachments (Zero-Day)

EOP's anti-malware scanning is signature-based. Novel malware — ransomware variants, new macro-based attacks — that has not yet been identified and added to signature databases will not be detected by EOP. Sandboxing of attachments (Safe Attachments in Defender for Office 365) is required to catch zero-day malicious attachments.

Time-of-Click URL Protection

EOP scans URLs in email at the point of delivery. If a link is clean at delivery time — which is common with phishing links that are only activated after delivery — EOP passes the email. Defender for Office 365's Safe Links provides time-of-click protection, re-scanning URLs at the moment of user click.

Business Email Compromise Detection

BEC fraud typically does not involve malware or obvious phishing indicators — it uses legitimate-looking email from compromised or lookalike accounts to request wire transfers or credential changes. EOP has limited capability to detect BEC compared to Defender for Office 365's impersonation protection and mailbox intelligence features.

EOP vs Microsoft Defender for Office 365: What You Get With Each Licence

Capability | EOP (All M365 Plans) | Defender for Office 365 Plan 1 (Business Premium) | Defender for Office 365 Plan 2 (E5)
Anti-spam filtering
Anti-malware scanning
SPF/DKIM/DMARC enforcement
Safe Attachments (sandboxing)
Safe Links (time-of-click)
Anti-phishing impersonation detection | Basic | Advanced | Advanced
Attack simulation training
Automated investigation and response
Threat Explorer (hunting)

For most UK SMEs, Microsoft 365 Business Premium (which includes Defender for Office 365 Plan 1) provides the right balance of email security capability and cost. Businesses on Business Basic or Business Standard have access to EOP only, which leaves meaningful gaps.

Configuring EOP Correctly

EOP works automatically, but its default configuration is not optimal for maximum security. Administrators should review and adjust:

  • Anti-spam policies: Review bulk email and high-confidence spam thresholds; consider tightening quarantine settings
  • Anti-phishing policies: Configure the basic anti-phishing policy — it is present by default but has limited settings that should be reviewed
  • Connection filter: Add trusted senders to the allow list sparingly; review and remove any historic allow-list entries that are no longer needed
  • Outbound spam policy: Configure alerts for when outbound spam thresholds are exceeded

AMVIA reviews and optimises EOP configuration as part of its Microsoft 365 security audit service.
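The review items listed above can be checked mechanically once the policies are exported. This is an added example, not AMVIA's or Microsoft's code: the property names follow the Exchange Online PowerShell policy objects, while the flattened JSON layout, the sample values and the bulk threshold of 6 are assumptions made for illustration.

```python
# Added example: lint exported EOP policy settings against the review list above.
import json

# Constructed sample. Property names follow the Exchange Online PowerShell policy
# objects; the flattened JSON layout is an assumption made for this example.
SAMPLE = json.loads("""{
 "HostedContentFilterPolicy": {"BulkThreshold": 7, "HighConfidenceSpamAction": "MoveToJmf",
                               "AllowedSenderDomains": ["example.net"]},
 "HostedConnectionFilterPolicy": {"IPAllowList": ["192.0.2.10"]},
 "HostedOutboundSpamFilterPolicy": {"NotifyOutboundSpam": false,
                                    "NotifyOutboundSpamRecipients": []}
}""")

MAX_BULK_THRESHOLD = 6  # assumed review threshold (lower values filter more bulk mail)

def audit(export):
    """Return (policy area, finding) pairs for the settings a reviewer should revisit."""
    findings = []
    spam = export.get("HostedContentFilterPolicy", {})
    bulk = spam.get("BulkThreshold")
    if bulk is None or bulk > MAX_BULK_THRESHOLD:
        findings.append(("anti-spam", f"BulkThreshold is {bulk}; review against {MAX_BULK_THRESHOLD}"))
    if spam.get("HighConfidenceSpamAction") != "Quarantine":
        findings.append(("anti-spam", "high-confidence spam is not quarantined"))
    # Allow-list entries skip spam filtering, so each one is reported for review.
    for domain in spam.get("AllowedSenderDomains", []):
        findings.append(("anti-spam", f"allowed sender domain bypasses filtering: {domain}"))
    for ip in export.get("HostedConnectionFilterPolicy", {}).get("IPAllowList", []):
        findings.append(("connection filter", f"allow-listed IP needs a current owner: {ip}"))
    out = export.get("HostedOutboundSpamFilterPolicy", {})
    if not (out.get("NotifyOutboundSpam") and out.get("NotifyOutboundSpamRecipients")):
        findings.append(("outbound spam", "no administrator is notified of outbound spam"))
    return findings

if __name__ == "__main__":
    for area, finding in audit(SAMPLE):
        print(f"[{area}] {finding}")
```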

Key Points

What UK businesses need to know about Exchange Online Protection.

Standard in Every M365 Plan

EOP processes all email for Microsoft 365 mailboxes automatically — no configuration required to activate basic filtering.

Layered Filtering

EOP applies connection filtering, malware scanning, spam filtering, and basic anti-phishing in sequence to inbound email.

Known Gaps Against Targeted Attacks

Research shows a 47% rise in phishing attacks evading Microsoft's native defences in 2025 (KnowBe4). Targeted attacks routinely bypass EOP.

Defender for Office 365 Enhances EOP

Business Premium adds Defender for Office 365 Plan 1, including Safe Links and Safe Attachments for improved protection.

EOP Configuration Checklist

  • Anti-phishing policy configured — impersonation protection enabled for key executives
  • Safe Links policy active — URL scanning at click time for all users
  • Safe Attachments policy active — attachments sandboxed before delivery
  • DMARC, DKIM, and SPF configured on your domain
  • Outbound spam filter configured to detect compromised account behaviour
  • Quarantine alerts reviewed — not relying on end users to check junk folders

Strengthen Your Email Security

AMVIA configures Microsoft 365 email security policies and, where needed, adds a dedicated gateway layer — providing comprehensive protection against phishing, malware, and business email compromise.