More and more Customers are going to use Exchange online or other Microsoft Cloud services. One of them, which is connected to Messaging, is Exchange Online Protection (EOP).

EOP is a cloud-hosted email filtering service designed to protect customers from spam and malware and to implement custom policy rules.

EOP is licensed on a per-user basis. Currently, these costs per user amount to approximately 0.90 € (depends on the payment interval). This quotation is a snapshot and no guarantee for the future.

Due to this licensing model, the size of a company does not matter to make a decision for or against EOP. The EOP

network provides sufficient capacity and scalability to grow an organization.

EOP is configured as a server-friendly service. That means, that the service can be used with any SMTP agent and is not tied to specific Exchange versions or Exchange Online.


EOP is implemented in a worldwide data center network designed for optimal availability. When a datacenter fails, emails are automatically forwarded to another datacenter without any service interruption.

With this highly available network, Microsoft can ensure that emails are delivered quickly to your organization.



EOP offers comprehensive protection according to world-leading standards. Microsoft relies on a so-called multi-engine antivirus solution. That means that messages goes through several different antivirus checks before these messages are delivered.

Furthermore, the anti-spam protection from Microsoft is continuously being developed and improved.

Microsoft invests more than $ 1 billion annually in security topics. This is not just EOP, but this service is not an insignificant part.

Other functions of EOP include queue function (Queue) so that no messages are lost. Because Microsoft also travels in the enterprise segment, the EOP service is distributed via geographically load-balanced data centers.


In summary, EOP offers the following functions:

  • content filtering (content)
  • Transport rules administration and policy filtering
  • Anti-mailware filtering
  • Connection filtering (Connection)



The EOP architecture is defined by a workflow. Four different processes are worked through in serial order. Since EOP is provided as a Microsoft service, there is no deeper configuration work from the user’s point of view. The maintenance and updating of individual elements are performed globally by Microsoft.



A deeper look at the message filtering shows, how the individual work processes (workflows) are structured:

First step, the connection filtering (Connection Filtering) takes place. The first step is to check whether the IP address of the sender is listed on a black list.

Second and third step in connection filtering is to check if there are directory based violations.

After these checks, the message is forwarded to the Antivirus section. Here the message is checked for malware by three independent anti-virus engines. Should this result be positive, the malware will be removed and the message will be forwarded to the policy enforcement.

At this point, user-defined rules can be defined as to what should happen to the message. For example, it can be defined that messages with the malware detected and removed are deleted, quarantined, or forwarded to the next instance.

In the fourth step, the message is checked in various ways, whether it is SPAM. EOP checks whether it is a secure sender and receiver, a machine message content check, the SPF and sender ID filters are checked, as well as other topics such as mass e-mail filters, International SPAM and whether it is an advanced SPAM acts.

If the mail does not pass the exams, it will be forwarded to the quarantine and the specific recipient will receive a message. If everything is ok with the message, it will be delivered to the company network and thus to the recipient.

At this point, however, the process is not over yet. Even in the case of complex and intensive tests, SPAM mail may occasionally slip through, and the recipient has the option of reporting back his experience with this mail to EOP with one click, so that in the future SPAM will no longer deliver it.


General Note: If we are running Exchange Online with at least Exchange Online Plan 1, EOP is included in the license.


EOP  with Office 365 ATP

EOP can be expand with Office 365 ATP (Exchange Online ATP). Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps to protect our organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard our organization from harmful links in real time. ATP has rich reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in your organization.

For more information about ATP, I can recommend you the Microsoft Technet article HERE.