Anti-spam and anti-malware protection
As an add-on for organizations running their mailboxes on-premises, the built-in security features deliver cloud-based spam and malware filtering that safeguards inbound and outbound email. These protections are enabled by default, so administrators don’t need to deploy or maintain on-premises filtering engines, but they can still tailor filtering policies to meet their organization’s needs.
Looking for information about all built-in security features? See Built-in security features for cloud mailboxes service description.
Anti-malware protection
Our built-in security features use multiple anti-malware engines to deliver comprehensive, multilayered protection against all known forms of malware. Messages transported through the service are thoroughly scanned for viruses and spyware, and any message found to be infected is immediately deleted. In addition, notifications may be issued to senders or administrators when an infected message is removed and not delivered. Administrators also have the option to replace infected attachments with either default or custom notification messages alerting recipients to the presence of malware.
Note
Anti-malware scanning can't be disabled.
As an add-on for on-premises mailboxes, the service only scans inbound and outbound messages that are routed by the service and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server, which scans internal messages for malware.
For Exchange Online customers, and for on-premises Exchange customers whose built-in security features are included in Exchange Enterprise CAL with Services, the service scans inbound and outbound messages that are routed by the service, as well as internal messages sent from a sender in your organization to a recipient in your organization.
For more information, see Anti-malware protection for email in Microsoft 365 and Anti-malware protection FAQ.
Customize anti-malware policies
You can configure the default policy for company-wide settings. For greater granularity, you can also create custom anti-malware policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Configure anti-malware policies for email.
Anti-spam protection
The built-in security feature uses proprietary anti-spam technology to help achieve high accuracy rates. It provides strong connection filtering and spam filtering on all inbound messages. Outbound spam filtering is also always enabled if you use the service for sending outbound email, helping to protect organizations using the service and their intended recipients.
For more information, see Anti-spam protection and Anti-spam protection FAQ.
Customize anti-spam policies
Spam filtering is automatically enabled for all inbound and outbound email messages that are processed by the built-in security features for cloud mailboxes. You can't completely disable spam filtering, but you can modify specific company-wide settings in your default anti-spam policy. For greater granularity, you can also create custom anti-spam policies and apply them to specific users, groups, or domains in your organization. By default, custom policies take precedence over the default policy, but you can change the priority (running order) of your custom policies as needed.
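The priority ordering described for anti-malware and anti-spam policies can hide a stricter policy behind a broader one. The following added example (not Microsoft's code) is a simplified model of that resolution: enabled rules are evaluated in ascending `Priority`, the first match wins, and the default policy applies otherwise. Rule objects use the property names returned by `Get-MalwareFilterRule`; the sample rules are constructed, and group conditions and exceptions are left out.

```powershell
# Added example: simplified model of policy resolution, not Microsoft's implementation.
# Property names (Name, Priority, State, MalwareFilterPolicy, SentTo, RecipientDomainIs)
# match Get-MalwareFilterRule output; anti-spam rules from Get-HostedContentFilterRule
# carry HostedContentFilterPolicy instead of MalwareFilterPolicy.
# Not modelled: SentToMemberOf (group membership) and the ExceptIf* exceptions.
function Resolve-EffectivePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [Parameter(Mandatory)][psobject[]]$Rule,
        [string]$DefaultPolicyName = 'Default'
    )
    $domain  = ($Recipient -split '@')[-1]
    # Priority 0 is evaluated first; disabled rules never apply.
    $ordered = $Rule | Where-Object { $_.State -eq 'Enabled' } | Sort-Object Priority
    foreach ($r in $ordered) {
        # Different condition types are ANDed; values within one condition are ORed.
        $userOk   = -not $r.SentTo -or ($r.SentTo -contains $Recipient)
        $domainOk = -not $r.RecipientDomainIs -or ($r.RecipientDomainIs -contains $domain)
        if ($userOk -and $domainOk) {
            # First match wins: lower-priority rules are not evaluated for this recipient.
            return [pscustomobject]@{
                Recipient = $Recipient
                Policy    = $r.MalwareFilterPolicy
                Rule      = $r.Name
                Priority  = $r.Priority
            }
        }
    }
    [pscustomobject]@{
        Recipient = $Recipient
        Policy    = $DefaultPolicyName
        Rule      = $null
        Priority  = $null
    }
}

# Constructed sample rules (hypothetical names and domains).
$sampleRules = @(
    [pscustomobject]@{ Name = 'All staff'; Priority = 0; State = 'Enabled'
        MalwareFilterPolicy = 'Standard'; SentTo = @(); RecipientDomainIs = @('contoso.com') }
    [pscustomobject]@{ Name = 'Finance'; Priority = 1; State = 'Enabled'
        MalwareFilterPolicy = 'Strict'; SentTo = @('cfo@contoso.com'); RecipientDomainIs = @() }
)

# cfo@contoso.com resolves to 'Standard', not 'Strict': the broad domain rule at
# priority 0 shadows the narrower rule. guest@fabrikam.com falls through to Default.
'cfo@contoso.com', 'guest@fabrikam.com' |
    ForEach-Object { Resolve-EffectivePolicy -Recipient $_ -Rule $sampleRules } |
    Format-Table -AutoSize

# In a connected Exchange Online PowerShell session the ordering is corrected with:
#   Set-MalwareFilterRule -Identity 'Finance' -Priority 0
```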
Anti-spoofing protection
The anti-spoofing technology in baseline security features specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When there is high confidence that the From header is forged, the message is identified as spoofed.
For more information, see Anti-spoofing protection.
Quarantine
By default, the built-in security features send phishing messages and messages that contain malware directly to quarantine. Spam and bulk mail are sent to the user's Junk Email folder, unless an admin configures an anti-spam policy to send these messages to quarantine instead. Depending on why the message was quarantined, admins and end users can view and manage messages in quarantine.
For more information, see Quarantined email messages.
Report messages to Microsoft for analysis
The submission feature allows admins and end users to easily report items that they believe were incorrectly classified as junk (false positives) or missed by the filters (false negatives). Depending on the results of the analysis, we can then adjust the filtering stack to help reduce the number and impact of junk email messages filtered or allowed by the service.
For more information, see Report messages and files to Microsoft.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see the Built-in security features for cloud mailboxes service description.
Mail flow in built-in security features
For most organizations that use Microsoft, we host your mailboxes and take care of mail flow. It's the simplest configuration and means that Microsoft manages all mailboxes and filtering. However, some organizations have a business need to keep all their mailboxes on premises. Our built-in security features let you do that and provide antivirus and anti-spam mail processing in the cloud. For more information and to purchase built-in security for cloud mailboxes, go to Email security.
Looking for information about domain management or Directory Based Edge Blocking (DBEB)? See Recipient, domain, and company management. To learn more about all built-in security features, see the Built-in security features for cloud mailboxes service description.
Routing email between Microsoft and your own email servers
You can configure a connector to enable mail flow between Microsoft (including Exchange Online or built-in security features) and an SMTP-based email server such as Exchange. For details, see Do I need a connector? and Set up connectors to route mail between Microsoft and your own email servers.
Secure messaging with a trusted partner
As a customer using built-in security features, you can set up secure mail flow with a trusted partner by using Microsoft connectors. Microsoft supports secure communication through Transport Layer Security (TLS), and you can create a connector to enforce TLS-based encryption. TLS is a cryptographic protocol that provides security for communications over the internet. By using connectors, you can configure both forced incoming and outgoing TLS using self-signed or certification authority (CA)-validated certificates. You can also apply other security restrictions, such as specifying domain names or IP address ranges from which your partner organization sends mail.
For more information, see Set up connectors for secure mail flow with a partner organization.
Safe listing a partner's IP address
You can add a trusted partner's IP address to a safe list to ensure that messages they send to you are not subject to spam filtering. To do this, you can use the connection filter's IP Allow list. For more information, see Configure the connection filter policy.
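Partner connectors and the IP Allow list both widen what the service accepts, so they are worth reviewing periodically. The following added example (not Microsoft's code) flags enabled partner inbound connectors that do not force TLS or are not pinned to a certificate name or sender IP, and lists IP Allow list entries that cover more than one host. Property names follow the output of `Get-InboundConnector` and `Get-HostedConnectionFilterPolicy`; the sample objects are constructed so the block runs without a tenant connection.

```powershell
# Added example (not Microsoft's code). Input objects use the property names
# returned by Get-InboundConnector and Get-HostedConnectionFilterPolicy.
function Test-PartnerInboundConnector {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Connector)
    process {
        # Only enabled partner connectors are in scope for this review.
        if ($Connector.ConnectorType -ne 'Partner' -or -not $Connector.Enabled) { return }
        $findings = @()
        if (-not $Connector.RequireTls) {
            $findings += 'TLS is not required'
        }
        # The connector is pinned to the partner when it checks the TLS
        # certificate name or restricts the sender domains to known IPs.
        $certPinned = $Connector.RestrictDomainsToCertificate -and $Connector.TlsSenderCertificateName
        $ipPinned   = $Connector.RestrictDomainsToIPAddresses -and $Connector.SenderIPAddresses
        if (-not ($certPinned -or $ipPinned)) {
            $findings += 'no certificate or IP restriction'
        }
        [pscustomobject]@{
            Connector = $Connector.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

function Get-IPAllowListEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][psobject]$ConnectionFilterPolicy)
    foreach ($entry in $ConnectionFilterPolicy.IPAllowList) {
        [pscustomobject]@{
            Entry   = "$entry"
            # CIDR or start-end ranges exempt more than one host from spam filtering.
            IsRange = "$entry" -match '[/-]'
        }
    }
}

# Constructed sample data: hypothetical partners, documentation-range IPs.
$sampleConnectors = @(
    [pscustomobject]@{ Name = 'Partner A (certificate)'; ConnectorType = 'Partner'; Enabled = $true
        RequireTls = $true; RestrictDomainsToCertificate = $true
        TlsSenderCertificateName = '*.partner-a.example'
        RestrictDomainsToIPAddresses = $false; SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'Partner B (open)'; ConnectorType = 'Partner'; Enabled = $true
        RequireTls = $false; RestrictDomainsToCertificate = $false
        TlsSenderCertificateName = $null
        RestrictDomainsToIPAddresses = $false; SenderIPAddresses = @() }
)
$samplePolicy = [pscustomobject]@{
    Name        = 'Default'
    IPAllowList = @('192.0.2.10', '198.51.100.0/24')
}

$sampleConnectors | Test-PartnerInboundConnector | Format-Table -AutoSize
Get-IPAllowListEntry -ConnectionFilterPolicy $samplePolicy | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, feed live objects instead:
#   Get-InboundConnector | Test-PartnerInboundConnector
#   Get-IPAllowListEntry -ConnectionFilterPolicy (Get-HostedConnectionFilterPolicy -Identity Default)
```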
Conditional mail routing
You can configure a connector with a Transport rule that routes mail to a specific site, based on conditions. For more information, see Scenario: Conditional email routing.
Hybrid mail routing
Hybrid means that you host a portion of your mailboxes on premises, and a portion in the cloud (Exchange Online). You can move from a standalone (on-premises) deployment to a hybrid deployment.
If you have a hybrid deployment, you can protect your cloud and on-premises mailboxes with our built-in security features. Standalone licenses are required for on-premises mailboxes when they are protected by these built-in security features. For more information about mail routing in a hybrid deployment, see Transport routing in Exchange hybrid deployments.
The Microsoft Exchange Server Deployment Assistant also provides detailed hybrid deployment provisioning and hybrid message transport guidance.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see the Built-in security features for cloud mailboxes service description.
Administration and management for built-in security features for cloud mailboxes
This article describes management interfaces that are available to administrators of the built-in security features for cloud mailboxes.
Looking for information about all built-in security features? See the Built-in security features for cloud mailboxes service description.
Access to the Microsoft 365 admin center
The Microsoft 365 admin center is the web portal where each organization’s service administrator manages user accounts and settings for their subscribed Microsoft services. From within the Microsoft 365 admin center, administrators can follow links to the Exchange admin center (EAC), where they can manage settings specific to the built-in security features.
Access to the Exchange admin center
The Exchange admin center (EAC) is a unified management console designed for ease of use and optimized for all types of deployments. The updated EAC replaces the legacy Forefront Online Protection for Exchange Administration Center. It provides tighter integration with Microsoft 365 and a consistent, seamless UI across Exchange products, including Microsoft Exchange Online and Microsoft Exchange Server 2013.
For more information about the EAC, see Exchange Admin Center in built-in security add-on for on-premises mailboxes.
Remote Windows PowerShell access
Administrators can use Remote Windows PowerShell to perform management tasks from the command line. For more information about how to use Windows PowerShell, including information about creating a remote Shell session and documentation about each cmdlet, see Exchange Online PowerShell.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see Built-in security features for cloud mailboxes service description.
Messaging policy and compliance
The built-in security features provide messaging policy and compliance features that can help you manage your email data.
Looking for information about all built-in security feature capabilities? See the Built-in security features for cloud mailboxes service description.
Mail flow rules
Mail flow rules (also known as transport rules) provide you with the flexibility to apply your own company-specific policies to email. Mail flow rules are made up of flexible criteria, which allow you to define conditions, exceptions, and actions to take based on the criteria. For more information, see Mail flow rules (transport rules) in Exchange Online.
Audit logging
Audit logging lets you track specific changes made by administrators to your organization. These reports help you meet regulatory, compliance, and litigation requirements. For more information, see Auditing reports in the Built-in security add-on for on-premises mailboxes.
Microsoft Purview data loss prevention
Not available to customers using built-in security features. Data loss prevention (DLP) helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. The DLP feature lets you protect sensitive data without affecting worker productivity.
You can configure DLP policies in the EAC, which allows you to:
Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
Use the full power of existing mail flow rule criteria and actions and add new mail flow rules.
Test the effectiveness of your DLP policies before fully enforcing them.
Incorporate your own custom DLP policy templates and sensitive information types.
Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which the service takes action.
Detect sensitive form data by using Document Fingerprinting. Document Fingerprinting helps you easily create custom sensitive information types based on text-based forms that you can use to define mail flow rules and DLP policies.
Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook 2013, Outlook on the web, and OWA for Devices users and can also improve the effectiveness of your policies by allowing false-positive reporting.
Review incident data in DLP reports or add your own specific reports by using a generate incident report action.
Note
DLP policies are applied only to mail that passes in or out of the organization. Intra-organizational (internal) mail does not have DLP policies applied unless you run Exchange Server 2013 with DLP on-premises. This also applies to DLP policy tips, which inform users about potential policy violations before sensitive data is mistakenly sent to unauthorized recipients.
To learn more about DLP, see Data loss prevention (DLP) in Exchange Online.
Microsoft Purview Message Encryption
Microsoft Purview Message Encryption, a part of Azure Information Protection, is an online service that allows email users to send encrypted email messages to anyone. On-premises customers can access Microsoft Purview Message Encryption by purchasing Azure Information Protection and using built-in security features to set up mail flow through Exchange Online. To learn more about Microsoft Purview Message Encryption in Exchange Online, see Microsoft Purview Message Encryption in the Exchange Online service description.
Messaging policy and compliance features across EOP options
| Feature | Built-in security for on-premises mailboxes add-on | Built-in security features for cloud mailboxes | Exchange Enterprise CAL with Services |
|---|---|---|---|
| Mail flow rules | Yes [1] | Yes [1] | Yes [1, 3] |
| Audit logging | Yes [2] | Yes | Yes |
| Data loss prevention (DLP) | No | Yes | Yes [3] |
| Microsoft Purview Message Encryption | Yes [4] | Yes | Yes [4] |
Note
1 The available mail flow rule conditions, exceptions, and actions differ slightly between the built-in security features for on-premises mailboxes and Exchange Online. These differences are noted in Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule actions in Exchange Online.
2 Auditing reports provided by the built-in security features are a subset of Exchange Online auditing reports and exclude mailbox-level information.
3 DLP policy tips are not available for customers with Exchange Enterprise CAL with Services.
4 These capabilities are supported for on-premises customers who purchase the Azure Information Protection add-on and use the built-in security features to route email through Exchange Online. For the desktop experience, customers also need Microsoft 365 Apps for Enterprise in addition to the Azure Information Protection add-on.
Reporting and message trace in built-in security features
The built-in security features offer a range of reports that help you assess the status and overall health of your organization’s email environment. Some reports are available in the Microsoft 365 admin center, while others can be accessed through the Exchange admin center (EAC).
Looking for information about all built-in feature capabilities? See the Built-in security features for cloud mailboxes service description.
Microsoft 365 admin center reports
The Reports page within the Microsoft 365 admin center delivers comprehensive insights into message traffic, spam and malware detection, as well as messages impacted by mail flow rules (also known as transport rules) or Microsoft Purview Data Loss Prevention (DLP) policies. Enhanced reports for protection, rules, and DLP provide administrators with an interactive reporting experience to effectively manage built-in security features. These reports include both summary analytics and options to examine detailed information pertaining to individual messages.
For more detailed information about these reports, see Use mail protection reports to view data about malware, spam, and rule detections.
Reporting using web services
Note
Many of the REST-based reporting features and related cmdlets were deprecated in January, 2018. For information about the available replacement Microsoft Graph reports in Office 365, see the subtopics of Working with usage reports in Microsoft Graph.
Not available to customers using built-in security features. You can use the REST/OData Tenant Reporting web service to programmatically collect summary and detailed reports about messaging data, and you can display the data on a web page in a custom web management portal.
Message trace
The message trace feature in the EAC lets you, as an administrator, follow email messages as they pass through the built-in security features. It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also shows what actions have occurred to the message before reaching its final status. Obtaining detailed information about a specific message lets you efficiently answer your user's questions, troubleshoot mail flow issues, and validate policy changes, and it alleviates the need to contact technical support for assistance. For more information, see Run a message trace and view the results in the Exchange admin center.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see the Built-in security features for cloud mailboxes service description.
Recipient, domain, and company management in built-in security features
The built-in security features for cloud mailboxes offer several ways to manage your recipient, domain, and company information. As an administrator, you can perform certain management tasks within the Exchange admin center (EAC) and verify other management tasks performed in the Microsoft 365 admin center.
Looking for information about all built-in security feature capabilities? See the Built-in security features for cloud mailboxes service description.
Mail recipients
Mail recipients are categorized as mail users or groups and can be managed through directory synchronization, directly in the EAC, or via remote Windows PowerShell. If you're managing your recipients on premises, you must run directory synchronization in order for your mail recipients to be reflected in the EAC. Users managed solely in the Microsoft 365 admin center aren't viewable in the EAC, but they can be added to or removed from membership in an administrator role group in the EAC. For more information about built-in security features recipients, see Manage recipients in the Built-in security add-on for on-premises mailboxes.
Admin role group permissions
In the built-in security features, you can configure administrative roles only. Users can be added and removed from default admin role groups directly in the EAC. No RBAC customization is available. For more information, see Permissions in Exchange Online.
Domain management
Managed domains are domains that are protected by the built-in security features. Managed domains can be viewed and domain types can be edited in the EAC. Domain provisioning and management occur in the Microsoft 365 admin center, and changes are reflected in the EAC. For more information, see Default email protections for cloud mailboxes.
Match subdomains
With built-in security features, you can enable mail flow to subdomains of a managed domain. For more information, see Mail flow in cloud organizations.
Directory Based Edge Blocking (DBEB)
The Directory Based Edge Blocking feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Microsoft and block all messages sent to email addresses that aren't present in Microsoft. If a message is sent to a valid email address present in Microsoft, the message continues through the rest of the service filtering layers (anti-malware, anti-spam, transport rules). If the address is not present, the service blocks the message before filtering even occurs, and a non-delivery report (NDR) is sent to the sender informing them that their message was not delivered.
Enabling DBEB requires some user and domain configuration. For more information, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.
Feature availability
To view feature availability across plans, standalone options, and on-premises solutions, see the Built-in security features for cloud mailboxes service description.