Exchange Online Protection
Published 10 July 2021
Exchange Online Protection is included in Exchange Online and, in its default state, takes a multi-layer approach in which emails are screened against multiple filtering rules one after another.
1. Connection Filtering – Screens the email against a Microsoft-maintained list of spam-sending IP addresses.
2. Anti-Malware – Scans the email and attachments for malicious code and sends suspected malware to a quarantine for the administrator to approve or deny the message.
3. Filtering Rules – The email is evaluated against mail flow rules set by the administrator.
4. Content Scanning – The content of the email is scanned for spam, spoofing and phishing characteristics and is dealt with depending on the confidence of the detection. By default:
Spam (any confidence) – Send email to junk folder
Spoofing – Send email to junk folder
Impersonation – No action
The actions taken when the content scanning thresholds are breached can be changed to quarantine messages instead of sending them to junk.
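The following script is an added example, not part of the original article. It reports the spam and spoofing actions currently set on each policy and, when asked, changes any that still deliver to the junk folder so that they quarantine instead. It assumes the ExchangeOnlineManagement module is installed and an administrator session is already open with Connect-ExchangeOnline; the -Apply switch is a name chosen for this script.

```powershell
# Added example: audit EOP content-scanning actions and optionally
# switch junk-folder delivery to quarantine.
# Assumes an existing session opened with Connect-ExchangeOnline.
param(
    [switch]$Apply   # script-specific switch: without it the script only reports
)

# Verdict settings carried by anti-spam (hosted content filter) policies.
$spamVerdicts = 'SpamAction', 'HighConfidenceSpamAction', 'PhishSpamAction', 'BulkSpamAction'

$findings = @(foreach ($policy in Get-HostedContentFilterPolicy) {
    foreach ($verdict in $spamVerdicts) {
        [pscustomobject]@{
            PolicyType = 'AntiSpam'
            Policy     = $policy.Name
            Setting    = $verdict
            Action     = [string]$policy.$verdict
        }
    }
})

# Spoofing (failed sender authentication) is configured on anti-phishing policies.
$findings += @(foreach ($policy in Get-AntiPhishPolicy) {
    [pscustomobject]@{
        PolicyType = 'AntiPhish'
        Policy     = $policy.Name
        Setting    = 'AuthenticationFailAction'
        Action     = [string]$policy.AuthenticationFailAction
    }
})

# Show every policy and the action it takes for each verdict.
$findings | Sort-Object PolicyType, Policy, Setting | Format-Table -AutoSize

# MoveToJmf means "deliver to the Junk Email folder".
$toJunk = @($findings | Where-Object { $_.Action -eq 'MoveToJmf' })
Write-Host "$($toJunk.Count) setting(s) still deliver to the junk folder."

if ($Apply) {
    foreach ($f in $toJunk) {
        $params = @{ Identity = $f.Policy }
        $params[$f.Setting] = 'Quarantine'
        if ($f.PolicyType -eq 'AntiSpam') { Set-HostedContentFilterPolicy @params }
        else                              { Set-AntiPhishPolicy @params }
    }
}
```

Run it once without -Apply to review the table before changing anything, since quarantining spam moves it out of the user's mailbox.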
Quarantined messages
The message quarantine can be accessed by end users; however, only certain emails can be released without administrator action:
Bulk Emails – View, release and delete from quarantine.
Spam – View, release and delete from quarantine.
Phishing – View and delete from quarantine.
By default, email notification of quarantined emails is turned off.
There are many more features and rules that are not enabled by default and can increase security further through additional restrictions, but they cannot be described simply in this short document.