Demystifying the antimalware pipeline in Office 365

Exchange Online Protection (EOP) is a cloud-based email filtering service that protects organizations in Office 365 and on-premises from a variety of threats such as spam and malware. For tenants that also have Office 365 Advanced Threat Protection (ATP) enabled, EOP and ATP are integrated to ensure further protection against advanced threats including zero-day malware, advanced phishing campaigns, and targeted threats. But how exactly do EOP and ATP work together to provide this multi-layered defense against threats in email? For many it’s a black box. In this blog post, we’ll peel back the layers of the anti-malware pipeline in Office 365 to help you understand Microsoft’s defense-in-depth approach to email security.

Note: If you need an introduction to ATP for some context, check out Office 365 Advanced Threat Protection and Office 365 Advanced Threat Protection Service Description.

Diagram showing the funnel metaphor for the Office 365 security pipeline: reject early, catch malware, catch spam, catch phish, react quickly - and deliver.

Reject early at the edge

While Office 365 processes billions of email messages each day, less than half of that volume is actually related to users’ core business. Given this flood of junk mail, it’s desirable to reject as much as possible before it even enters the Office 365 network. Microsoft uses multiple technologies to accomplish this, including IP and domain reputation (made possible by leveraging third-party lists), as well as delivery heuristics, or patterns, that are analyzed over time. This protection is further enhanced by machine learning (ML) which analyzes the source IP addresses to identify and learn from suspicious behavior.

Catch malware

Once mail passes through the network edge, EOP scans it for known, signature-based malware using multiple anti-virus engines. This step alone catches the vast majority of commodity malware coming into the Office 365 network.

After scanning, the service blocks even more malware through heuristic clustering and detonation. During this phase, EOP is able to identify suspicious email simply by analyzing delivery patterns. When mail with an attachment is determined to be potentially malicious, EOP sends a sample from a cluster to a sandbox environment where the attachment is opened and analyzed. This analysis checks for things like:

  • Changes in memory, the registry, or encryption of the hard drive
  • Changes in network traffic, such as connections to a hacker’s command and control servers
  • Obfuscation or evasion techniques that are indicative of malicious intent

EOP collects these signals and runs the results through an ML model and a set of static rules to determine whether the file is truly malicious or simply suspicious. If found to be malicious, EOP consumes and propagates the reputation so that tenants across the entire Office 365 network can be protected from that attack.

Office 365 Advanced Threat Protection extends the core protection provided by EOP. When enabled in a tenant, ATP safe attachments conducts sandboxed detonation of email attachments to protect organizations from zero-day attacks, or malware without a known AV signature. Attachments are detonated in the same environment and analyzed for the same behavioral changes mentioned above.

While tenants without ATP are more vulnerable to advanced targeted threats such as zero-day attacks, they still indirectly benefit from integration between ATP and EOP, as EOP learns from the detonations that ATP performs. That is, EOP is able to block malware by checking for specific files – or pieces of files – that were previously identified as malicious by ATP scans performed in other tenants throughout Office 365. This integration is called reputation block. Likewise, if an admin has enabled ATP in their tenant and safe attachments subsequently detects a new malware campaign, then those results are automatically replicated to datacenters across the globe, where they are consumed by EOP to protect all of the other tenants.

Catch leaked spam

The next stage of the Office 365 anti-malware pipeline is to filter spam that made it through the first lines of defense. EOP has a default anti-spam policy automatically enabled for each tenant. Admins can modify the default policy or create custom policies to apply different levels of filtering aggressiveness to best meet the needs of their organization. Additional techniques used to block spam include content filtering, machine learning to identify suspicious behavior of source IP addresses, and message body fingerprint clustering. Body fingerprint clustering is a technique in which you take a “fingerprint” of a large spam campaign and use that signature to reject mail that matches the fingerprint across all EOP tenants.
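To make body fingerprint clustering concrete, here is a small Python illustration (added for this post, not Microsoft's code): it normalizes away the parts a campaign rotates per recipient (links, ids, numbers), hashes word shingles into a fingerprint, derives a campaign fingerprint from the shingles its clustered samples share, and rejects new mail that matches. The sample messages are constructed and the 0.6 similarity threshold is an assumption.

```python
import hashlib
import re

# Constructed samples, not real mail: a campaign seed, a rotated variant, and a legitimate message.
CAMPAIGN_SEED = ("Dear customer, your account #48213 has been LOCKED.\n"
                 "Click http://example.invalid/verify-48213 within 24 hours to restore access.\n"
                 "Ref: 7f3a9b")
CAMPAIGN_VARIANT = ("Dear Customer, your account #91077 has been SUSPENDED.\n"
                    "Click http://example.invalid/verify-91077 within 12 hours to restore access.\n"
                    "Ref: c01d2e")
LEGIT = "Hi team, the quarterly report is attached. Let me know if you have questions before Friday's meeting."

def normalize(body: str) -> str:
    """Strip the parts a sender rotates per recipient so the shared campaign text remains."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)       # per-recipient links
    text = re.sub(r"\b[0-9a-f]{6,}\b", "<hex>", text)   # tracking ids
    text = re.sub(r"\d+", "<num>", text)                 # account numbers, counters
    text = re.sub(r"[^\w<>\s]", " ", text)               # punctuation
    return re.sub(r"\s+", " ", text).strip()

def shingles(text: str, k: int = 3) -> set:
    """Overlapping word k-grams of a normalized body."""
    words = text.split()
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def fingerprint(body: str, k: int = 3) -> frozenset:
    """Message fingerprint: hashed shingles, so only digests need to be shared between tenants."""
    return frozenset(hashlib.sha1(s.encode()).hexdigest()[:16]
                     for s in shingles(normalize(body), k))

def campaign_fingerprint(samples: list) -> frozenset:
    """Campaign fingerprint: the shingles every clustered sample shares (its stable core)."""
    return frozenset.intersection(*[fingerprint(s) for s in samples])

def similarity(fp_a: frozenset, fp_b: frozenset) -> float:
    """Jaccard similarity; 1.0 means identical normalized bodies."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)

def matches_campaign(body: str, campaign_fp: frozenset, threshold: float = 0.6) -> bool:
    """Reject decision for a new message against a known campaign fingerprint."""
    return similarity(fingerprint(body), campaign_fp) >= threshold
```

The variant swaps one word and every rotating token yet still shares 13 of 16 shingles with the seed, while the legitimate message shares none.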

Catch phish and spoofed mail

Next, phish and spoof filters check the actual body of the message, including body text, embedded URLs, and message headers.

Office 365 has built-in anti-spoofing protection designed to detect legitimate cases of spoofing (for example) while shielding your organization from the illegitimate ones. However, sometimes the service doesn’t have enough intelligence, or history, to make that determination. To enhance this protection, Office 365 also leverages sender authentication techniques such as SPF, DKIM, and DMARC. These capabilities are enabled by default for all EOP customers.
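What those sender authentication techniques contribute to a spoof verdict is identifier alignment: a DMARC pass requires SPF or DKIM to pass for a domain that aligns with the visible From domain. The Python below is an added illustration of that evaluation, not Microsoft's implementation; the organizational-domain lookup is simplified to the last two labels, the disposition ignores pct= and sp=, and all domains in the tests are constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResults:
    """Per-message authentication results as a receiving filter records them."""
    header_from_domain: str  # domain of the visible RFC5322.From header
    spf_result: str          # "pass", "fail", "none", ...
    spf_domain: str          # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str
    dkim_domain: str         # d= tag of the DKIM signature

def organizational_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. A real
    implementation consults the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' requires an exact match, 'r' (relaxed)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")   # both alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags

def dmarc_disposition(r: AuthResults, record: str) -> str:
    """'pass' if SPF or DKIM passed AND aligns with the From domain; otherwise
    the disposition the domain owner requested (none / quarantine / reject).
    Simplified: ignores pct=, sp= and any receiver-side override policy."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]
```

A message whose SPF passes only for an unrelated envelope domain fails alignment and inherits the owner's p= disposition, whereas a third-party sender that signs with the owner's DKIM key still passes even under strict SPF alignment.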

If ATP is enabled in the tenant, ATP’s safe links feature provides time-of-click protection against malicious URLs in the message body – including those used in phishing campaigns. And like malware caught by safe attachments, detection of malicious links expands EOP’s URL reputation detection, benefiting millions of other tenants across the global Office 365 network.

The spoof intelligence feature in the Office 365 Security & Compliance Center gives insight on senders who are spoofing your domain. Details provided include the names of the users who were spoofed, the number of spoofed messages, the number of end user complaints, and the option to allow or block the sender from spoofing.

React quickly

Microsoft employs a team of security analysts, or cyber hunters, to assist in identifying new malware and phish campaigns. As new campaigns emerge, Microsoft can use their insights to quickly implement transport rules to protect the Office 365 ecosystem from attack.

Post-delivery protection

While Office 365 updates its AS/AV signatures daily, users may still get malicious messages in their inboxes. This can occur if the daily scan doesn’t detect a new spam or malware campaign. Zero-hour auto purge (ZAP) is a feature of EOP that detects messages with spam or malware that have already been delivered to users’ inboxes, and then moves them to the Junk mail folder (provided that the messages are unread).

I hope that this blog has helped to clarify how Exchange Online Protection and Office 365 Advanced Threat Protection work together to provide a multi-layered security solution, protecting organizations against garden-variety commodity attacks as well as more advanced, targeted email attacks. If you’d like to learn more, feel free to contact us at [email protected].