Exchange Online anti-spam and anti-phishing

The layered defences Exchange Online uses against spam, malware, and phishing — and how to tune them.

Exchange Online Protection (EOP) provides the baseline anti-spam, anti-malware, and anti-phishing defence for every Microsoft 365 mailbox. Defender for Office 365, on higher tiers, adds advanced detections. Together they're a layered filter that catches the vast majority of unwanted mail before users see it.

What EOP does (included with every tenant)

  • Anti-spam policies — bulk and spam confidence scoring (SCL/BCL), with actions: quarantine, move to junk, redirect.
  • Anti-malware policies — file-type blocking and signature scanning on attachments.
  • Anti-phishing baseline — spoof intelligence, mailbox intelligence, and impersonation protection of internal senders.
  • Connection filtering — IP allow/block lists.
  • Outbound spam filtering — limits on outbound rate and content, so compromised users can't blast spam from your domain.

What Defender for Office 365 adds

  • Safe Links — URLs in emails are rewritten and detonated at click time, so even links that go bad post-delivery are caught.
  • Safe Attachments — unknown attachments are detonated in a sandbox before delivery (or Dynamic Delivery sends a preview while the scan completes).
  • Advanced anti-phishing — impersonation protection of users and domains, mailbox-intelligence-based phish detection.
  • Attack Simulation Training — controlled phishing simulations and embedded training.
  • Automated Investigation and Response (AIR) — automated playbooks for confirmed phishing incidents.
  • Threat Explorer — investigation surface for analysts.

Plan 1 covers protection; Plan 2 adds AIR, attack simulation, and Threat Explorer.

Quarantine

Both EOP and Defender route detections to quarantine. End users see a daily digest and can self-release low-risk messages; admins see the full quarantine in the Defender portal. Permissions for self-release vary by detection type — high-confidence phish stays admin-only.

Tuning

A few high-leverage tuning steps:

  • Configure anti-phishing policies with the right list of protected users (executives, finance).
  • Add trusted ARC senders for partners that legitimately re-route mail through gateways.
  • Use Tenant Allow/Block Lists rather than transport rules for ad-hoc blocks — they're easier to audit.
  • Turn on DKIM signing for every accepted domain.
  • Publish a strict DMARC policy (p=reject or quarantine) once you've verified legitimate sources.
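The five tuning steps above applied from Exchange Online PowerShell (ExchangeOnlineManagement module), as an added example that is not part of the original page: contoso.com, the protected users, the partner ARC sealer, the blocked sender and the ticket reference are all placeholders. DMARC is a DNS record rather than a tenant setting, so the last step only verifies that each accepted domain publishes an enforcing policy.

```powershell
# Added example, not from the original page. All names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Impersonation protection: the people attackers most often pretend to be.
$protected = @(
    "Jane Doe;jane.doe@contoso.com",       # CEO (placeholder)
    "Sam Finance;sam.finance@contoso.com"  # accounts-payable lead (placeholder)
)
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protected `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true

# 2. Trust the ARC seal of a partner gateway that legitimately relays your mail, so
#    re-routed messages keep their SPF/DKIM verdicts instead of failing as spoofs.
Set-ArcConfig -Identity Default -ArcTrustedSealers "mail.partner.example"

# 3. Ad-hoc block in the Tenant Allow/Block List: carries a note and an expiry,
#    which a transport rule does not.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries "invoices@lookalike-contoso.example" `
    -ExpirationDate (Get-Date).AddDays(30) -Notes "SEC-0000 lookalike-domain phish (placeholder)"

# 4. DKIM signing for every authoritative accepted domain. Enabling fails until the two
#    selector CNAMEs resolve, so a new config is created disabled and its CNAMEs printed.
$domains = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }
foreach ($d in $domains) {
    $cfg = Get-DkimSigningConfig -Identity $d.DomainName -ErrorAction SilentlyContinue
    if (-not $cfg) {
        $cfg = New-DkimSigningConfig -DomainName $d.DomainName -Enabled $false
        "{0}: publish CNAMEs then enable -> {1}, {2}" -f $d.DomainName, $cfg.Selector1CNAME, $cfg.Selector2CNAME
    } elseif (-not $cfg.Enabled) {
        Set-DkimSigningConfig -Identity $d.DomainName -Enabled $true
        "{0}: DKIM signing enabled" -f $d.DomainName
    }
}

# 5. DMARC check: p=reject or p=quarantine counts as enforcing; p=none or no record does not.
foreach ($d in $domains) {
    $rec = Resolve-DnsName -Name "_dmarc.$($d.DomainName)" -Type TXT -ErrorAction SilentlyContinue
    $txt = ($rec | ForEach-Object { $_.Strings }) -join ''
    if ($txt -match 'v=DMARC1' -and $txt -match 'p=(reject|quarantine)') {
        "{0}: DMARC enforcing ({1})" -f $d.DomainName, $Matches[1]
    } else {
        "{0}: DMARC missing or p=none; verify legitimate sources, then tighten" -f $d.DomainName
    }
}
```

Run the DKIM loop a second time after the CNAMEs have propagated to turn signing on for the domains it created.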

Resist the gateway temptation

A traditional pattern is to keep a third-party email security gateway in front of Microsoft 365. Many organisations have moved away from this — Defender for Office 365 catches as much or more, and integrates directly with Defender XDR. If you've got a third-party gateway, evaluate whether it's still earning its place.