Evolving Exchange Online Protection (EOP) to protect against tomorrow’s threats


Shobhit Sahay (@ShobhitSahay88), Levon Esibov and Terry Zink are on the Exchange Online Protection team.

Ten million spam messages blocked every minute. That’s the average number of spam messages that Microsoft blocks every minute. However, every day attackers around the world find new techniques to attack your email. The threats take different forms, such as an unidentified spam campaign, unknown malware, or a completely new virus. The ever-expanding world of such attacks keeps changing and, to better protect your email against these malicious threats, we keep changing Exchange Online Protection, too.

The world of spam is constantly changing

Spam has evolved over the years in a variety of ways, and companies around the world are worried about different types of spam because it impacts productivity. Spamming techniques have evolved in order to get past the filtering programs designed to stop them. As soon as new blockers and filters are developed, spammers quickly search for a way around them and create new ways to send spam messages. Two of the most prevalent types of spam today are:

  1. Phishing campaigns, which seek to compromise the credentials of company employees and take control of the company’s resources. A popular type of phishing campaign is spear phishing, which targets the most valuable contacts within an organization.
  2. Bulk mail (also referred to as graymail), which could be advertising mail that you may have accidentally subscribed to but do not want to receive.

Because spamming techniques are constantly changing, the spam you see in your mailbox today is different from the spam you received yesterday. Your spam messages may look similar, but they’re not the same; they’re slightly (or greatly) different, with a different signature, and are designed to evade filters. Spam campaigns vary in duration from a few minutes to many hours. We’ve tracked campaigns that send thousands, hundreds of thousands, or even millions of spam messages in a few minutes.

EOP’s defenses are adjusted as soon as the system detects unusual patterns and/or users start to submit samples of undetected spam. During the time window in which EOP’s defense mechanisms are being tuned against the new attack, a spammer may get a few spam messages through EOP’s filters and into a user’s inbox. Once EOP’s filters catch up, however, EOP blocks the rest of the campaign as spam using its anti-spam technologies. EOP’s prompt detection ensures that spam is blocked at a very early stage. Users who received spam understandably perceive that EOP did not catch it, but the vast majority of users never see the spam campaign at all, since EOP’s defenses are adjusted in near real time.

EOP provides protection in depth and leverages a layered filtering approach. Connection filtering is the first layer of defense: it blocks email from IP addresses with a low reputation. The second layer involves filtering based on sender reputation, which we develop in-house and also procure from third-party feeds: it blocks email based on the sending user or domain. Finally, EOP uses numerous filtering techniques to catch the leftover spam seen in campaigns that require more complex investigation. It blocks messages based on the content, headers and language of the message; URLs referenced in the message; attachments; and other criteria. In addition, EOP provides different controls for spam filtering, such as bulk mail controls and international spam controls, to further fine-tune your protection. It also provides comprehensive malware and virus filtering, using three different industry-leading anti-virus (AV) engines.

Evolving EOP against tomorrow’s threats

Exchange Online Protection (EOP) follows the Office 365 release cycle, which means new features are rolled out on a continuous basis. We’ve released plenty of new features since we launched the service 18 months ago. In the process, we’ve also transitioned all of our Forefront Online Protection for Exchange (FOPE) customers to EOP. But this is only the beginning for EOP. We’re also making the largest investments ever in advancing threat protection in Exchange Online Protection. EOP is Microsoft’s long-term solution to protect not only mailboxes in Office 365, but also tens of millions of mailboxes on our customers’ on-premises mail servers.


New features get rolled out for EOP on a continuous basis with many new upcoming planned features.

We have an exciting list of features and new defense techniques lined up for the next six to twelve months, with an unprecedented number of engineering resources to support them.

Here are some of the key areas of investments we’re making with EOP over the next six to twelve months:

  • Advanced threat protection, such as “Time of Click” and “Zero-day” protection.
  • Strengthened coverage against malicious URLs.
  • Implementation of key sender authentication technologies, such as DKIM and DMARC.
  • Improved protection against bulk mail.
  • Detailed reporting and message-tracking enhancements.
  • Message Quarantine enhancements.
  • Continued expansion of EOP datacenters across different regions, further substantiating our promise of processing mail in the region of our customers.

You can track most of these features closer to their availability through the Office 365 for business roadmap.

What can you do to improve your experience?

You can further fine-tune your EOP protection by doing the following:

  • Report spam to Microsoft. You can submit spam reports using email attachments or the Junk Email Reporting Add-in for Outlook, or by simply using the “mark as junk” and “mark as not junk” commands in Outlook/Outlook Web App (OWA). Your submissions initiate direct communication with our spam analyst team, requesting fine-tuning of the system to block similar messages in the future.
  • Enable bulk mail filtering. Bulk email typically includes an advertisement or marketing message that’s not likely to get sent repeatedly. Some users want bulk email and deliberately sign up to receive these kinds of messages, while other users consider these types of messages to be spam. EOP enables administrators to reduce the amount of bulk mail allowed into their organization. With aggressive suppression of bulk mail, administrators can drastically reduce user complaints about bulk mail perceived as spam.
  • Educate your users. While technology is one major component of your email defense, your users need to be aware of the risks too. There are several free and paid resources, such as gov’s Antiphishing page, The Anti-Phishing Working Group, PhishMe, and PhishGuru, that you can use to help educate and advise your users so they can avoid phishing scams. You also need to teach your users how to manage spam in EOP, such as using the safe/block lists, the end-user quarantine and other features.
  • Help your users protect themselves from being a target of spam. Here are some of the ways your users can protect themselves.
    • When subscribing to newsletters or product updates, always read the innocent-looking text at the end of the form. It often asks for your consent to pass your email address to third parties. Furthermore, read carefully to make sure you take the correct actions, since providers rotate the wording of opt-in and opt-out choices to lure you into opting in.
    • When installing free apps, always choose the custom option. Providers sometimes bundle plug-ins and other applications in the installation. The custom installation option typically presents an intermediate step to opt out of such installations while still serving your purpose. These plug-in providers often scout out your Internet activity and information, including your email address, and sell that information to spammers.
    • Be very careful about sharing your personal information. Avoid putting your email address on a public-facing webpage. Spammers crawl the Internet looking for valid email addresses. By having your email address on a website, you increase the chance that it will be added to a list and sold to spammers.
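The bulk mail and international spam controls described above, and the bulk mail filtering step in this list, are set on the content filter policy through Exchange Online PowerShell. The following is an added example written for this page, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange Online administrative role, and that the tenant’s default policy is named Default; the threshold of 4 and the language codes are illustrative values, not recommendations.

```powershell
# Added example: tuning the EOP default content filter policy for bulk and international spam.
# Not from the original post. Assumes the ExchangeOnlineManagement module and an
# Exchange Online admin role. BulkThreshold 4 and the language codes are illustrative.

Connect-ExchangeOnline

# 1. Record the current settings so the change can be reviewed or rolled back.
$before = Get-HostedContentFilterPolicy -Identity Default
$before | Format-List BulkThreshold, MarkAsSpamBulkMail, TestModeAction,
    EnableLanguageBlockList, LanguageBlockList, EnableEndUserSpamNotifications

# 2. Start in test mode: suspected bulk mail is tagged with an X-header rather than
#    acted on, so the threshold can be evaluated against real traffic first.
#    A lower BulkThreshold is more aggressive; EOP's default is 7.
Set-HostedContentFilterPolicy -Identity Default `
    -MarkAsSpamBulkMail Test -TestModeAction AddXHeader -BulkThreshold 4

# 3. International spam control: treat mail written in the listed languages as spam
#    (ISO 639-1 codes; the two values here are placeholders chosen for illustration).
Set-HostedContentFilterPolicy -Identity Default `
    -EnableLanguageBlockList $true -LanguageBlockList @("ja", "ru")

# 4. After the tagged messages have been reviewed and the false-positive rate is
#    acceptable, switch bulk filtering to enforcement and let users see what was
#    quarantined through end-user spam notifications.
Set-HostedContentFilterPolicy -Identity Default `
    -MarkAsSpamBulkMail On -EnableEndUserSpamNotifications $true

# 5. Confirm the result.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List BulkThreshold, MarkAsSpamBulkMail, EnableLanguageBlockList, LanguageBlockList
```

Run step 2 for a few days before step 4: in test mode the messages still reach the inbox, and searching for the added X-header shows exactly which senders would have been caught at the chosen threshold, which is the evidence you want before user-visible enforcement.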

For additional ways you can improve your EOP experience, check out best practices for configuring EOP. We look forward to releasing these new and exciting features for EOP. The list is only a sample, as many more exciting features will follow. In the meantime, if you have not already, start your 90-day free EOP trial now!

—Shobhit Sahay (@ShobhitSahay88), Levon Esibov and Terry Zink on behalf of the EOP team.