Robust email security is a critical concern for businesses aiming to protect sensitive data from cyber-attacks. A striking example of the scale of these threats is the staggering $2.7 billion in adjusted losses reported in 2022 due to Business Email Compromise (BEC) scams, as noted by the FBI's IC3 Report. This showcases the immense financial impact and potential erosion of trust that can result from email security breaches, emphasizing the importance of robust cybersecurity measures.
Incidents like these underscore why companies are increasingly investing in advanced cybersecurity solutions. To support this critical need, Microsoft has developed Microsoft Exchange Online Protection (EOP) and Defender for Office 365 (MDO), which are its flagship solutions for email security. EOP offers essential protection against spam and malware, making it suitable for organizations needing fundamental email security. Defender for Office 365 provides more comprehensive coverage, extending its reach with additional features. In this article, we explore the capabilities and features of EOP and MDO, their best practices, and how they compare to each other.
The table below summarizes the features covered by EOP and Defender for Office 365 and how the two products compare in each area.
| Feature | Exchange Online Protection | Defender for Office 365 |
|---|---|---|
| Threat intelligence | Basic spam and malware detection | Advanced threat intelligence and analysis |
| Behavioral analysis | Limited behavioral analysis features | Sophisticated behavior analysis based on user patterns |
| Safe Attachments | Basic attachment scanning | Dynamic analysis of attachments in a sandbox environment |
| Safe Links | URL filtering based on known threats | Real-time URL scanning and AI-based analysis |
| Identity protection | Standard identity protection measures | Enhanced identity protection with integration into Microsoft 365 security |
| Integration with Microsoft 365 | Basic integration with the Microsoft 365 suite | Deep integration, offering cohesive security across Microsoft 365 apps |
| Reporting and analytics | Standard reporting tools | Advanced analytics and detailed threat reports |
EOP is a cloud-based filtering service that protects organizations against email threats, including malware, spam, and malicious links. Each incoming email goes through a series of checks, including checks on the sender's IP address, malware scanning, policy filtering, and spam detection. EOP also includes advanced analytics and detailed threat reports.
EOP workflow (source)
Microsoft renamed Office 365 Advanced Threat Protection (ATP) to Microsoft Defender for Endpoint (MDE) in September 2020. While MDE contains many tools, one of the most important services is Microsoft Defender for Office (MDO), which manages email security and incident response. In MDO, incoming emails go through four phases before reaching the recipient’s mailbox:
First phase of Defender for Office 365 protection (source)
Second phase of Defender for Office 365 protection (source)
Third phase of Defender for Office 365 protection (source)
Fourth phase of Defender for Office 365 protection (source)
Although EOP and Defender for Office 365 are two different Microsoft services, they are closely connected. A Defender for Office 365 subscription provides all the features of EOP, and depending on the subscription plan, additional security features can be added. In the rest of this section, we will look into seven important email security features that these two services provide and how they compare.
EOP focuses on known threats using signature-based detection for spam and malware. In contrast, MDO is a cloud-based email filtering service that protects your organization’s email and collaboration tools against threats like phishing, business email compromise (BEC), and malware attacks. MDO also provides investigation, threat hunting, and remediation capabilities to help security teams efficiently identify, prioritize, investigate, and respond to threats.
IRONSCALES is another solution on the market that differentiates itself from Microsoft Defender 365 through its unique collaboration with over 20,000 global security experts who provide real-time insights to enrich their Adaptive AI machine learning models. This network enables the real-time sharing of insights on emerging threats, creating a more diverse and rapidly adaptable cybersecurity response. Unlike Microsoft’s centralized approach, the collective intelligence provided by IRONSCALES ensures quicker detection and neutralization of threats, providing a dynamic defense mechanism that’s constantly updated with global expertise. This approach results in a more comprehensive and prompt response to cyber threats, offering significant added value over traditional, single-sourced threat intelligence systems.
IRONSCALES with real-time threat intelligence protects against advanced zero-day attacks (source)
EOP’s behavioral analysis is rule-based only. Because rule-based detection alone is not sufficient against sophisticated attacks, additional capabilities such as artificial intelligence (AI) and machine learning (ML) are needed; these are included in Defender XDR, where MDO resides.
Behavioral blocking and containment capabilities work with multiple components and features of MDE to stop attacks immediately:
EOP offers multi-layered malware protection designed to catch all known malware both inside and outside your organization. EOP provides the following options for anti-malware protection:
In Defender for Office 365, email attachments are first scanned by the anti-malware protection in EOP. After passing that first scan, two additional steps follow: the detonation process and Safe Attachments policies. In the detonation process, Defender for Office 365 opens the attachment in a virtual environment inside a cloud sandbox to perform a secondary inspection before it reaches the intended recipient. Depending on the result of that inspection, the rules and actions defined in the Safe Attachments policies are applied.
EOP uses vast URL block lists that detect known malicious links within messages and a large list of domains known to send spam. Defender for Office 365 advances this with additional checks.
First, all emails go through EOP, where IP address, envelope, signature-based malware protection, anti-spam, and anti-malware filters are applied before the message is delivered to the recipient’s mailbox.
Second, when the user opens the message in the mailbox and clicks a URL, Safe Links checks the URL immediately before the website is opened:
EOP offers basic identity protection by cross-referencing the Active Directory user list with the sender's email address. However, this method struggles to detect email address spoofing attacks, where EOP's effectiveness is limited. To improve prevention, it is crucial to configure multiple check rules that strengthen the system's ability to identify and mitigate such threats.
MDO offers a more in-depth approach by integrating features like Azure Active Directory for advanced strategies and group policies with Microsoft 365 security. It provides robust anti-spoofing protection features, including email authentication, which uses SPF, DKIM, and DMARC records in DNS for email validation. This allows destination email systems to check the validity of messages claiming to be from senders in your domains.
Another feature is spoof intelligence insight, which allows you to review detected spoofed messages from senders in internal and external domains during the last seven days. You can also allow or block spoofed senders in the tenant allow/block list.
Last but not least, EOP and Microsoft Defender for Office 365 have anti-phishing policies with anti-spoofing settings. These settings allow you to turn on/off spoof intelligence and unauthenticated sender indicators in Outlook and to specify the action for blocked spoofed senders. All of these features work together to provide comprehensive protection against spoofing, a common technique used in phishing attacks.
Both services integrate with Microsoft 365, although EOP integration focuses on mail systems like on-premises, Hybrid Exchange, or even Microsoft 365 mailboxes. MDO has deeper integration, creating a more cohesive security environment with other Microsoft 365 tools. Here are some details:
EOP offers standard reporting tools for basic analytics, while MDO provides advanced analytics tools, including:
For security practitioners looking for more granular and actionable insights than what is included with MDO, IRONSCALES provides more advanced email incident reporting that includes analytic views of header values (e.g., DKIM-Signature, SPF, and X-MS-Exchange-Organization-SCL). Additionally, links and attachments are scanned by virus search engines, and the results are included in a detailed report that helps an analyst confirm a false positive or carry out further investigation.
IRONSCALES Incident Reporting UI (source)
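The SPF, DKIM and DMARC checks described in the anti-spoofing section and the header values mentioned above (Authentication-Results, X-MS-Exchange-Organization-SCL) can be re-derived by an analyst from the headers EOP stamps on a message. The following Python script is an added example, not code from the article, IRONSCALES or Microsoft: it parses a constructed sample message, checks relaxed DMARC alignment between the From: domain and the SPF/DKIM-authenticated domains, and combines that with the EOP spam confidence level (SCL). The organizational-domain reduction is simplified and the sample headers are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): headers as EOP stamps them on a
# message whose From: domain matches neither the SPF nor the DKIM domain.
SAMPLE_MSG = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=bulk.example.net; dkim=pass (signature was verified)
 header.d=bulk.example.net; dmarc=fail action=quarantine
 header.from=payments.example.com
X-MS-Exchange-Organization-SCL: 6
Return-Path: <billing@bulk.example.net>
From: "Accounts" <ceo@payments.example.com>
Subject: Invoice attached
"""

def org_domain(domain):
    """Last two labels only; real DMARC uses the Public Suffix List (simplified here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Extract method verdicts and domain properties from an Authentication-Results value."""
    flat = " ".join(value.split())  # unfold continuation lines
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))
    props = dict(re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", flat))
    return verdicts, props

def triage(raw):
    """Re-derive DMARC alignment from EOP's headers and combine it with the SCL."""
    msg = message_from_string(raw)
    verdicts, props = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Relaxed alignment: the authenticated domain must share the From: organizational domain.
    spf_aligned = verdicts.get("spf") == "pass" and org_domain(props.get("smtp.mailfrom", "")) == org_domain(from_domain)
    dkim_aligned = verdicts.get("dkim") == "pass" and org_domain(props.get("header.d", "")) == org_domain(from_domain)
    scl = int(msg.get("X-MS-Exchange-Organization-SCL", "-1"))
    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no aligned SPF/DKIM pass for From: domain {from_domain}")
    if verdicts.get("dmarc") == "fail":
        findings.append("EOP verdict dmarc=fail")
    if scl >= 5:
        findings.append(f"SCL {scl}: EOP classified the message as spam")
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "scl": scl, "findings": findings}
```

Calling `triage(SAMPLE_MSG)` returns three findings for the sample: no aligned authentication, an explicit `dmarc=fail`, and an SCL of 6; a message whose SPF or DKIM domain shares the From: organizational domain yields none of the first two.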
While M365 Defender provides a nice one-fits-all solution for email security, its capabilities can be enhanced further with some advanced custom solutions in the market:
Additionally, IRONSCALES Themis CoPilot, seamlessly integrated with Outlook, serves as a real-time educational tool for users. This AI-powered “Security Guide” not only assists employees in understanding and identifying phishing emails but also educates them on the nuances of spotting such threats. This interactive feature significantly reduces the volume of reports and false positives that the IT Security team needs to review. It simplifies the process for users to report genuine suspicions, empowering them with the knowledge to discern potential threats and only escalate genuine concerns, thereby streamlining the overall security process.
IRONSCALES Themis CoPilot Phishing Button
IRONSCALES training platform offers a variety of training awareness modules
IRONSCALES Phishing Simulation UI (source)
In this article, we compared Microsoft’s EOP and MDO, which offer valuable features to combat email security threats, with EOP serving as a fundamental solution and Defender offering an additional set of features and a more comprehensive approach.
Which of these tools is the right fit depends on factors such as budget, scalability, and compliance requirements. To complement the email security that M365 provides, we highly recommend you embrace the interactive IRONSCALES approach to add an extra layer of protection. You can also explore the large variety of customizable and ready-to-use training programs, phishing simulations, reporting, integration with M365, and more, ensuring that you and your staff are appropriately trained and prepared for any cyber challenge coming your way.