Exchange Online Protection Quick Reference Guide

Microsoft Office 365 comes with an enterprise-class, cloud-based mail hygiene solution called Microsoft Exchange Online Protection (EOP). Mail sent to your organization is directed by your DNS MX records to the EOP service, where it is scrubbed of spam, malware, unsolicited backscatter, phishing attempts and more; only then does it go to the Exchange servers that make up the Exchange Online offering. Thus, EOP automatically protects all mailboxes hosted in Microsoft Exchange Online against spam and malware.

Configuring Exchange Online Protection

Exchange Online Protection setup is an easy task for most organizations. However, if you have a large organization with multiple domains, custom compliance rules or hybrid mail flow, setup can be more of a challenge.

You can configure EOP from the Exchange Admin Center at https://outlook.office365.com/ecp/. From the left menu, click Protection, and you’ll see the various options and areas that EOP lets you customize:


Figure 1. Configuring EOP options in the Exchange admin center

Each of the sections — malware filter, connection filter, spam filter, outbound spam, quarantine, action center and dkim — has a default policy for your tenant. You can either modify that default policy or add new policies, each scoped to a particular set of recipients. Here are the key settings you should consider adjusting.

Malware Filter Notifications

The EOP service uses several different antivirus engines to scan each message to ensure that your inbound mail stream is as free of viruses as is practically possible. You likely don’t want to turn this off, but you might want to adjust how notifications are provided to users when malware is detected. To adjust the settings, double-click the malware policy and go to the Settings tab of the pop-up window.

Connection Filters

If you have trusted systems sending email to your Office 365 tenant, you can add their IP addresses to the list of trusted IP hosts so that mail coming from those systems won’t be subject to filtering. On rare occasions you might also be the target of a spam attack in progress; until the EOP system learns of the attack and responds on its own, you can configure filters that match specific values in the attack messages’ headers.
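The same connection-filter change made from Exchange Online PowerShell, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module is installed, that the admin account name is a placeholder, and that the IP addresses are constructed documentation values, not real hosts.

```powershell
# Added example, not from the original guide. Assumes the ExchangeOnlineManagement
# module is installed; the account name and IP addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Trusted relays (for example an on-premises gateway) whose mail should skip
# spam filtering. Constructed values from the TEST-NET-3 documentation range;
# single addresses and CIDR ranges are both accepted.
$trustedHosts = @('203.0.113.10', '203.0.113.16/28')

# Add them to the IP Allow List of the tenant's default connection filter policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $trustedHosts }

# For a spam attack in progress, a source can be blocked outright the same way
# (placeholder address; remove it again once EOP has caught up).
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{ Add = '198.51.100.25' }

# Read the policy back to confirm both lists contain what you expect.
Get-HostedConnectionFilterPolicy -Identity Default |
    Select-Object Name, IPAllowList, IPBlockList, EnableSafeList
```

The `@{ Add = ... }` hashtable appends to the existing list rather than overwriting it; use `@{ Remove = ... }` to take an entry out again, which matters for temporary block-list entries added during an attack.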

Spam Quarantine

The spam filter is probably where you will spend the most time configuring EOP. When EOP decides a message is spam, the default action is for it to send that spam to the user’s Junk Email folder in Outlook. However, some organizations prefer a spam quarantine, where likely spam messages are held for a period of time for manual inspection until they expire and are deleted. If you prefer the quarantine approach, then it’s a good idea to configure quarantine notifications for your users — the service will send daily emails to users listing all the messages it held back because the service considered them spam, and users can release any false positives and ignore the rest.

To set this up, take the following steps:

  1. Double-click the default spam filter policy, choose spam and bulk actions from the left side of the pop-up menu, and then choose the Quarantine message option for the first two items:


Figure 2. Configuring quarantine mode for EOP spam filtering

  2. Return to the Exchange Admin Center page. In the right pane, select Configure end-user spam notifications.
  3. In the pop-up window that appears, check the Enable box, select how often to send quarantine notifications (I recommend 1 so users will get them every day), and then click OK.
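The three steps above as a single Exchange Online PowerShell change, as an added example that is not part of the original guide. It assumes you are already connected with Connect-ExchangeOnline and that the tenant still uses the default spam filter policy named Default; the 30-day retention value is an illustrative choice, not one the guide prescribes.

```powershell
# Added example, not from the original guide. Assumes an existing
# Connect-ExchangeOnline session and the default spam filter policy.
$policyName = 'Default'

# Step 1: quarantine both "spam" and "high confidence spam" instead of
# delivering them to the Junk Email folder. The retention period (days) is
# an illustrative value; it controls how long held messages wait for review.
Set-HostedContentFilterPolicy -Identity $policyName `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -QuarantineRetentionPeriod 30

# Steps 2 and 3: turn on end-user quarantine notifications and send them
# every 1 day, matching the guide's recommendation.
Set-HostedContentFilterPolicy -Identity $policyName `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 1

# Verify the result rather than trusting the command succeeded silently.
Get-HostedContentFilterPolicy -Identity $policyName |
    Select-Object Name, SpamAction, HighConfidenceSpamAction,
                  QuarantineRetentionPeriod,
                  EnableEndUserSpamNotifications, EndUserSpamNotificationFrequency
```

Splitting the change into two calls keeps the quarantine action and the notification settings independently reviewable in the admin audit log; both could equally be passed in one Set-HostedContentFilterPolicy call.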

Outbound Spam

EOP detects and blocks outbound spam, which is spam that is sent by users in your own organization. Outbound protection is necessary to ensure your organization’s email system doesn’t end up on blacklists, which would reduce the deliverability of outgoing emails.

If a user happens to send email identified as outbound spam, it does not necessarily mean it was done intentionally. The account might have been compromised or the worker might be sending bulk emails.

If one of your Office 365 users continues sending outbound emails that are identified as spam, your organization will be blocked from sending messages altogether and your email administrator will be informed of the situation.
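Because the guide notes that the administrator is informed when outbound spam is detected, it helps to make sure that notification actually reaches a monitored mailbox. The following is an added example, not part of the original guide; it assumes an existing Connect-ExchangeOnline session and uses placeholder mailbox addresses.

```powershell
# Added example, not from the original guide. Assumes an existing
# Connect-ExchangeOnline session; the mailbox addresses are placeholders.
$adminMailbox  = 'mailadmin@contoso.example'        # placeholder
$reviewMailbox = 'abuse-review@contoso.example'     # placeholder

# Make sure the default outbound spam policy notifies a monitored mailbox when a
# user is blocked for sending outbound spam, and Bcc a copy of suspicious
# outbound mail so the incident can be reviewed (compromised account vs. bulk mail).
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $adminMailbox `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients $reviewMailbox

# Confirm the notification settings took effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients,
                  BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients
```

Routing the notification to a shared, monitored mailbox rather than an individual administrator avoids missing the alert when that person is out of the office, which matters because the block affects the whole organization's outbound mail.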

International Spam Filters

Spam in foreign character sets is a notorious problem. There is obviously nothing wrong with receiving mail in another language per se, but if none of your staff speaks a given language, receiving email in that language does you little good. The International Spam section of the spam filter dialog box lets you configure which languages to accept. Filtering email by country or region is less effective, because there is always a risk that a local customer is simply using an email server hosted abroad.
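The International Spam setting from Exchange Online PowerShell, as an added example that is not part of the original guide. It assumes an existing Connect-ExchangeOnline session; the language codes are constructed examples that you would replace with the languages none of your staff reads.

```powershell
# Added example, not from the original guide. Assumes an existing
# Connect-ExchangeOnline session. The language codes are constructed examples.
$languagesNobodyReads = @('ru', 'ko')   # ISO 639-1 codes; replace with your own list

# Enable the language block list on the default spam filter policy.
Set-HostedContentFilterPolicy -Identity Default `
    -EnableLanguageBlockList $true `
    -LanguageBlockList $languagesNobodyReads

# The guide advises against country/region filtering, so leave it disabled
# explicitly rather than relying on whatever a previous admin set.
Set-HostedContentFilterPolicy -Identity Default `
    -EnableRegionBlockList $false

# Review the international settings in one place.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object Name, EnableLanguageBlockList, LanguageBlockList,
                  EnableRegionBlockList, RegionBlockList
```

Passing the list as a variable makes it easy to keep the approved languages in version control alongside the rest of your tenant configuration scripts.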

Bypass Exchange Online Protection in Office 365

You might want to bypass EOP and whitelist a domain name so email from that domain is never marked as spam or sent to quarantine. Follow these steps:

  1. Log in to https://portal.office.com.
  2. Go to Admin Centers and then choose Exchange.
  3. Under Mail flow, select Rules.
  4. Click the + icon to add a new rule, and select Bypass spam filtering from the menu.
  5. Under Apply this rule if… choose The sender’s domain is and enter the domain name.
  6. Click OK.
  7. Check Stop processing more rules.
  8. Click Save to add the rule.
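The same bypass rule created from Exchange Online PowerShell, as an added example that is not part of the original guide. It assumes an existing Connect-ExchangeOnline session; the partner domain and the optional IP range are placeholders.

```powershell
# Added example, not from the original guide. Assumes an existing
# Connect-ExchangeOnline session. Domain and IP range are placeholders.
$partnerDomain = 'partner.example'
$ruleName      = "Bypass spam filtering: $partnerDomain"

# Steps 4-8 of the guide: the "Bypass spam filtering" template sets the spam
# confidence level (SCL) to -1 and stops further rule processing.
New-TransportRule -Name $ruleName `
    -SenderDomainIs $partnerDomain `
    -SetSCL -1 `
    -StopRuleProcessing $true `
    -Comments 'Whitelist per EOP quick reference guide; review periodically'

# Optional narrower variant (placeholder range): only bypass filtering when the
# mail also arrives from the partner's known mail servers, so a message that
# merely claims the partner domain does not qualify.
# New-TransportRule -Name "$ruleName (by IP)" -SenderDomainIs $partnerDomain `
#     -SenderIpRanges '203.0.113.0/24' -SetSCL -1 -StopRuleProcessing $true

# Confirm the rule exists and is enabled.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SenderDomainIs, SetSCL, StopRuleProcessing
```

SCL -1 bypasses spam filtering only; malware filtering still applies to mail from the whitelisted domain. Because the sender-domain condition matches the address the message claims, the commented-out variant that also requires the partner's IP range is the safer default for any domain you whitelist permanently.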