Cybersecurity

Microsoft Exchange Online Protection Explained for UK Businesses

Exchange Online Protection (EOP) is the built-in email security layer included with every Microsoft 365 subscription. It filters all inbound and outbound email for spam, malware, and basic phishing — automatically, without additional cost or configur...

Overview

Exchange Online Protection is included in all Microsoft 365 plans and provides baseline email filtering. It is effective against commodity spam and malware but has known gaps against targeted phishing and BEC. Microsoft 365 Business Premium adds Defender for Office 365 Plan 1 with Safe Links and Safe Attachments for improved protection.

Learn about email security

EOP is the floor, not the ceiling. Understanding exactly what it stops, and what it does not, is the difference between assuming your Microsoft 365 email is secure and knowing it is. This page sits under AMVIA's managed cybersecurity pillar and our wider email security service, where we harden Microsoft 365 against the threats EOP was never built to catch.

What is Exchange Online Protection?

Exchange Online Protection is Microsoft's cloud-based email filtering service. Every message sent to or from a Microsoft 365 mailbox passes through EOP, which inspects it for threats before delivery. It ships with all Microsoft 365 plans, from Business Basic to Enterprise E5, and needs no add-on to run.

EOP is the baseline layer Microsoft applies across every Exchange Online mailbox. It processes billions of emails daily, and that scale feeds its threat intelligence. Administrators manage it through the Microsoft Defender portal, with policy controls, quarantine, and reporting. Microsoft documents the full architecture in its Exchange Online Protection overview.

What does Exchange Online Protection actually do?

EOP applies four protective functions to your mail flow: anti-spam filtering, anti-malware scanning, email authentication enforcement, and outbound filtering. Each runs automatically the moment a mailbox goes live, with no configuration required to switch on baseline protection.

  • Anti-spam filtering — connection filtering blocks known malicious IPs before the message arrives; content filtering uses machine-learning models trained on Microsoft's global mail data; sender reputation analysis scores domains against live databases. Mail is classed as spam, high-confidence spam, or bulk, then routed to Junk or quarantine.
  • Anti-malware scanning — multiple engines scan attachments for known malware: executables, malicious Office macros, and malware-laden PDFs are quarantined before delivery. Detection is signature-based with heuristics, so it is strong on known variants and weak on novel payloads.
  • Email authentication — EOP enforces SPF, DKIM, and DMARC on inbound mail and applies the sender's published DMARC policy. AMVIA strongly recommends publishing a DMARC record for your own domain and progressively enforcing a reject policy; our DMARC guide walks through it.
  • Outbound filtering — EOP monitors mail leaving your mailboxes, catching a compromised account before it spams your contacts and protecting your domain's sending reputation. An outbound-spam alert is often the first sign an account is breached.

Where does Exchange Online Protection fall short?

EOP is a solid baseline, but it is not built to stop sophisticated, targeted attacks. The gaps that matter most for UK SMEs are advanced phishing, zero-day attachments, time-of-click URL abuse, and business email compromise — all of which routinely reach the inbox.

  • Advanced and spear phishing — a well-crafted email using a real contact's display name from a fresh lookalike domain often passes EOP. Impersonation and behavioural detection require Microsoft Defender for Office 365.
  • Zero-day attachments — signature-based scanning misses novel malware. Sandboxing (Safe Attachments) is needed to detonate and inspect unknown files.
  • Time-of-click URLs — EOP scans links at delivery. A link that is clean on arrival and weaponised afterwards gets through; Safe Links re-scans at the moment of click.
  • Business email compromise — BEC carries no malware or obvious payload, so EOP has limited ability to spot it. Our business email compromise service covers the controls that do.

> "Research shows a 47% rise in phishing attacks evading Microsoft's native defences in 2025 (KnowBe4). Targeted attacks routinely bypass EOP."

The NCSC's guidance on phishing attacks confirms that impersonation and credential-harvesting campaigns are now the dominant threat to UK organisations — exactly the category EOP handles least well.

EOP vs Microsoft Defender for Office 365: what each licence gives you

EOP covers spam, malware, and authentication on every plan. The jump to Microsoft Defender for Office 365 — included with Microsoft 365 Business Premium — adds Safe Attachments, Safe Links, and advanced impersonation protection. For most UK SMEs, Business Premium is the right balance of capability and cost.

CapabilityEOP (All M365 Plans)Defender for Office 365 Plan 1 (Business Premium)Defender for Office 365 Plan 2 (E5)
Anti-spam filtering
Anti-malware scanning
SPF/DKIM/DMARC enforcement
Safe Attachments (sandboxing)
Safe Links (time-of-click)
Anti-phishing impersonation detectionBasicAdvancedAdvanced
Attack simulation training
Automated investigation and response
Threat Explorer (hunting)

Businesses on Business Basic or Business Standard have EOP only, which leaves the targeted-attack gaps above wide open. For deeper protection beyond Defender, see our advanced email threat protection service.

How much does Exchange Online Protection cost?

EOP itself costs nothing extra — it is bundled into every Microsoft 365 licence. The real cost question is the upgrade path to Defender for Office 365, which arrives with Microsoft 365 Business Premium. The licence tier you choose decides how much email security you actually get.

Microsoft 365 planPrice (per user/mo, ex VAT, annual)Email security included
Business Basic£4.60EOP only
Business Standard£9.60EOP only
Business Premium£16.90EOP + Defender for Office 365 Plan 1

Prices are Microsoft list prices, published on microsoft.com/en-gb. AMVIA reviews and optimises EOP and Defender policies as part of our Microsoft 365 security audit — default settings are rarely tuned for maximum protection.

Configuring EOP correctly

EOP runs out of the box, but its defaults are not optimal. Tightening anti-spam thresholds, configuring the anti-phishing policy, pruning the connection-filter allow list, and setting outbound-spam alerts all measurably reduce risk. These changes take an administrator who knows the Defender portal, not a one-time tick-box.

  • Anti-phishing policy configured — impersonation protection enabled for key executives
  • Safe Links and Safe Attachments policies active where Business Premium is licensed
  • DMARC, DKIM, and SPF configured and enforced on your domain — see our email filtering service
  • Outbound spam filter configured to flag compromised-account behaviour
  • Quarantine alerts reviewed — never relying on end users to check junk folders

Key Points

What UK businesses need to know about Exchange Online Protection.

Standard in Every M365 Plan

EOP processes all email for Microsoft 365 mailboxes automatically — no configuration required to activate basic filtering.

Layered Filtering

EOP applies connection filtering, malware scanning, spam filtering, and basic anti-phishing in sequence to inbound email.

Known Gaps Against Targeted Attacks

Research shows a 47% rise in phishing attacks evading Microsoft's native defences in 2025 (KnowBe4). Targeted attacks routinely bypass EOP.

Defender for Office 365 Enhances EOP

Business Premium adds Defender for Office 365 Plan 1, including Safe Links and Safe Attachments for improved protection.

EOP Configuration Checklist

Anti-phishing policy configured — impersonation protection enabled for key executives

Safe Links policy active — URL scanning at click time for all users

Safe Attachments policy active — attachments sandboxed before delivery

DMARC, DKIM, and SPF configured on your domain

Outbound spam filter configured to detect compromised account behaviour

Quarantine alerts reviewed — not relying on end users to check junk folders

Frequently Asked Questions

Strengthen Your Email Security

AMVIA configures Microsoft 365 email security policies and, where needed, adds a dedicated gateway layer — providing comprehensive protection against phishing, malware, and business email compromise.