Microsoft Exchange Online Protection: What It Actually Protects (And What It Doesn't)

Discover what Microsoft Exchange Online Protection defends against, where it falls short, and how to close the gaps attackers exploit.

Abnormal AI

February 12, 2026


Every Microsoft 365 subscriber has Exchange Online Protection running in their environment. But understanding what EOP actually defends against—and where it falls short—separates security teams that get breached from those that don't. The gap between perceived protection and actual protection creates dangerous blind spots that attackers exploit daily.

This article draws insights from Abnormal's ThreatStream webinar on Microsoft 365 Direct Send abuse. Watch the full recording to see real attack examples and detection strategies.

Key Takeaways

  • EOP provides solid baseline filtering for spam, known malware, and bulk email but lacks advanced threat detection capabilities

  • Organizations using third-party secure email gateways often disable EOP protections, creating unmonitored attack vectors

  • Direct Send abuse allows attackers to bypass both SEG and EOP inspection entirely

  • Behavioral AI at the mailbox layer detects sophisticated threats that signature-based tools miss

What is Microsoft Exchange Online Protection?

Exchange Online Protection is the built-in email security filtering service included with all Microsoft 365 subscriptions that use Exchange Online mailboxes. It serves as the baseline defense layer, handling anti-spam filtering, anti-malware scanning, mail flow rules, and basic threat protection for cloud email environments.

EOP operates as your first line of defense, automatically processing every inbound and outbound message through connection filtering, content analysis, and sender reputation checks. It enforces email authentication protocols including SPF, DKIM, and DMARC validation, helping verify sender legitimacy.

However, EOP is explicitly the baseline—not advanced threat protection. Many organizations assume their M365 subscription includes comprehensive security, but EOP's capabilities stop well short of detecting sophisticated phishing attacks, business email compromise (BEC), or zero-day threats. Understanding this distinction prevents both dangerous over-reliance and unnecessary redundant purchases.

Why Microsoft Exchange Online Protection Matters

EOP matters because it's already running and included in your subscription. For commodity threats—spam, known malware signatures, bulk email—it provides effective filtering without additional cost or configuration. This baseline protection blocks the majority of low-sophistication attacks automatically.

The challenge lies in the remaining threats. Over 90% of successful cyberattacks begin with a phishing email, making email security foundational to organizational defense. While third-party SEG architecture effectively blocks ninety-eight to ninety-nine percent of email threats, the remaining one to two percent poses the greatest risk. In 2024, BEC losses totaled $2.77 billion across 21,442 reported incidents, accounting for more than 17% of the $16.6 billion in total financial damages reported to the FBI IC3.

Understanding EOP's scope serves two purposes: preventing dangerous assumptions about protection levels and avoiding redundant security purchases. EOP handles authentication enforcement effectively, but organizations must recognize where its signature-based detection ends and where behavioral analysis becomes necessary.

How Microsoft Exchange Online Protection Works

Email Filtering Pipeline

EOP processes messages through multiple filtering stages. Connection filtering evaluates IP reputation and checks block lists before accepting messages. Anti-malware scanning uses signature-based detection to identify known threats. Anti-spam policies analyze content and sender reputation to filter unwanted messages.

Mail flow rules (formerly called transport rules) enable custom handling based on organizational requirements. These rules can route, modify, or reject messages meeting specific criteria. However, this pipeline relies heavily on known indicators—it struggles with novel attack techniques.

Authentication Enforcement

EOP validates SPF, DKIM, and DMARC records for incoming messages. The platform can detect when these authentication checks fail, flagging emails with unusual authentication statuses. Failed checks indicate potential spoofing attempts.

The critical gap: authentication failures don't automatically block delivery. Default configurations often allow messages through despite failed checks, leaving the decision to downstream policies that may be misconfigured or overly permissive.

Quarantine and Delivery

Flagged messages route to quarantine for review. Administrators control quarantine policies, while end-users can access certain quarantined messages depending on configuration. Message trace capabilities help investigate delivery issues and threat handling.

Common Challenges with Exchange Online Protection

Disabled Protections in SEG Environments

Organizations using third-party secure email gateways frequently disable or bypass EOP's protective features. SEG vendors often recommend disabling IP reputation checks, spam filtering, and advanced threat protection features to prevent conflicts. This creates environments where neither the SEG nor EOP fully inspects certain traffic.

Direct Send Exploitation

The Direct Send feature allows sending emails directly to mailboxes via the company's smart host without authentication. While designed for multifunction printers (MFPs), scanners, and legacy applications, attackers exploit this trusted pathway. As Jesus Garcia, Solutions Architect at Abnormal, explained in the webinar: "Direct send traffic, it never does (get inspected). The Microsoft tenant is configured to accept emails via this smart host."

The attack surface is remarkably accessible. Attackers only need a target's email address to derive the predictable smart host format, then weaponize it using simple PowerShell or Python scripts. This low barrier to entry makes Direct Send exploitation increasingly common against organizations that haven't locked down this pathway.

Authentication Bypass

Even when EOP detects failing SPF or DMARC checks, default configurations may still deliver messages. Attackers know this and craft campaigns that exploit the gap between detection and enforcement.

What Exchange Online Protection Doesn't Protect Against

Sophisticated Phishing and BEC Attacks

EOP struggles with zero-day credential phishing and BEC attacks. These attacks use clean domains, legitimate-looking content, and social engineering rather than malware signatures. Static scanning cannot evaluate context, intent, or behavioral anomalies that distinguish malicious requests from legitimate business communications.

The limitation becomes clear in real-world incidents. In a case study discussed during the webinar, attackers targeted a SLED (state, local, and education) organization by abusing Direct Send to impersonate internal government domains. The attack combined multiple EOP gaps simultaneously: Direct Send bypass allowed the messages to reach inboxes without SEG inspection, HTML attachments contained AES-encrypted payloads that evaded static analysis, and authentication failures went unenforced. This multi-layered evasion demonstrates why signature-based tools consistently miss sophisticated campaigns.

QR Code and Image-Based Attacks

QR code phishing attacks bypass traditional content analysis entirely. The malicious payload exists within an image that users scan with their phones, circumventing email-based URL analysis. Static signature detection cannot decode and evaluate QR code destinations, leaving users to determine legitimacy on their own.

Attackers increasingly favor this technique because it shifts the attack surface from the email client to the user's personal device, where corporate security controls often don't apply. The email itself contains no malicious links or attachments that EOP can flag, making these campaigns nearly invisible to traditional filtering.

Evasive Payload Techniques

Attackers use CAPTCHAs to selectively hide payloads from non-human traffic. Traditional URL analysis tools cannot interact with CAPTCHA challenges like humans can. Users pass the test and proceed to credential harvesting pages that security tools never evaluated.

Encrypted payloads present an equally significant challenge. As Garcia posed during the webinar: "How effective are those sandboxing and static signature-based scanning tools when the payload is encrypted?" The answer is clear—sandboxing and static signature-based scanning tools lose effectiveness when payloads arrive encrypted. Attackers understand these limitations and design campaigns specifically to exploit them, knowing that the security stack cannot inspect what it cannot decrypt.

Direct Send Routing Abuse

Direct Send traffic bypasses MX records entirely, flowing directly to Exchange Online without SEG inspection. Organizations expecting comprehensive coverage discover significant blind spots in their architecture. The SLED attack case study illustrates this gap: attackers sent messages that appeared to originate from internal government domains, yet those messages never touched the organization's security infrastructure before reaching user inboxes.
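As an added illustration of the routing gap described above (example code, not Abnormal's or Microsoft's), the following Python script reads a message's Received chain and flags any inbound message that reached Exchange Online without passing through the SEG. The SEG address range, the trusted relay range, the internal domain list and the three sample messages are all constructed placeholders; a real deployment would substitute its own SEG addresses and the provider's published relay ranges.

```python
"""Flag inbound mail that reached Exchange Online without passing through the
secure email gateway (SEG).  Added example, not Abnormal's or Microsoft's code.
All address ranges, domains and messages below are constructed placeholders."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed: addresses the SEG hands mail off from (documentation range as placeholder).
SEG_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: the tenant's own relay addresses, so genuinely internal mail is not
# flagged.  Replace with the provider's published ranges in a real deployment.
TRUSTED_RELAY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed: domains the organisation owns and expects only via trusted paths.
INTERNAL_DOMAINS = {"example.gov"}

# Bracketed IP literal that Received headers record for the sending peer.
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def received_ips(raw_message: str) -> List[str]:
    """IP literal of the sending peer in each Received header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = _IP_LITERAL.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def _in_any(ip: str, networks) -> bool:
    """True when ip parses and falls inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def classify_path(raw_message: str) -> str:
    """'inspected' if a SEG hop exists, 'internal' if every hop is a trusted
    relay; otherwise the message bypassed the SEG: 'bypass-spoofed-internal'
    when the From domain is one of ours, 'bypass-external' otherwise."""
    hops = received_ips(raw_message)
    if not hops:
        return "unknown"
    if any(_in_any(ip, SEG_RANGES) for ip in hops):
        return "inspected"
    if all(_in_any(ip, TRUSTED_RELAY_RANGES) for ip in hops):
        return "internal"
    sender = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    if sender.rpartition("@")[2].lower() in INTERNAL_DOMAINS:
        return "bypass-spoofed-internal"
    return "bypass-external"


# Constructed sample messages (headers only, minimal bodies).
VIA_SEG = """Received: from seg.example.net (seg.example.net [203.0.113.10])
 by tenant.mail.protection.outlook.com; Thu, 12 Feb 2026 10:00:00 +0000
Received: from mta.example.org (mta.example.org [198.51.100.7])
 by seg.example.net; Thu, 12 Feb 2026 09:59:58 +0000
From: Partner <partner@example.org>
Subject: Invoice

(body)
"""

DIRECT_SEND = """Received: from unverified-host.example.net (unknown [198.51.100.250])
 by tenant.mail.protection.outlook.com; Thu, 12 Feb 2026 10:05:00 +0000
From: "IT Support" <it-support@example.gov>
Subject: Password expiry notice

(body)
"""

INTERNAL = """Received: from relay.example.net (relay.example.net [192.0.2.5])
 by tenant.mail.protection.outlook.com; Thu, 12 Feb 2026 10:06:00 +0000
From: Colleague <colleague@example.gov>
Subject: Lunch

(body)
"""

if __name__ == "__main__":
    for name, sample in (("VIA_SEG", VIA_SEG), ("DIRECT_SEND", DIRECT_SEND), ("INTERNAL", INTERNAL)):
        print(name, "->", classify_path(sample))
```

The check deliberately keys on the path a message took rather than on its content: a message that claims an internal sender yet arrives from an address that is neither the SEG nor a trusted relay is exactly the SLED pattern above, and it is visible in the headers even when every content filter was skipped.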

Exchange Online Protection vs. Microsoft Defender for Office 365

EOP provides baseline protection included with all M365 subscriptions. Microsoft Defender for Office 365 Plan 1 adds Safe Attachments, Safe Links, and enhanced anti-phishing policies. Plan 2 includes automated investigation, Threat Explorer, and attack simulation training.

The decision to upgrade depends on threat exposure and risk tolerance. Organizations facing targeted attacks or operating in high-risk industries often need Defender's advanced capabilities. However, even Defender has limitations—it still relies on Microsoft's detection infrastructure and cannot see threats that bypass its inspection points.

The critical consideration: many organizations using third-party SEGs bypass EOP entirely, then lack protection against Direct Send abuse and internal threats. This architectural decision requires careful evaluation of all mail flow paths.

Best Practices for EOP Configuration

Validate Active Protections

Before assuming EOP provides coverage, verify which protections are actually enabled. Organizations using SEGs often discover that recommendations to bypass EOP have left significant gaps. Review connector configurations and mail flow rules for unintended bypasses.

Test Email Authentication Enforcement

Confirm that SPF, DKIM, and DMARC policies enforce rejection rather than just detection. Many environments detect authentication failures but still deliver messages to user inboxes.
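The gap between detecting and enforcing authentication failures, described in the Authentication Enforcement section earlier and in the practice just above, is easiest to see side by side. The Python below is an added example (not EOP's own logic): it parses a message's Authentication-Results header, looks up the sender domain's DMARC policy, and returns a disposition under either a detect-only or an enforcing configuration. The headers and the DMARC records are constructed; a real implementation would resolve the TXT record at _dmarc.<domain> and apply the spec's organizational-domain fallback.

```python
"""Show the difference between detecting and enforcing email authentication
failures.  Added example, not EOP's own logic.  The Authentication-Results
headers and the DMARC records below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# spf=/dkim=/dmarc= outcomes as they appear in an Authentication-Results header.
_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)

# Constructed stand-in for the DNS TXT record published at _dmarc.<domain>.
DMARC_RECORDS = {
    "example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
    "example.org": "v=DMARC1; p=none",
}


def parse_auth_results(header: str) -> dict:
    """Map each method to its first reported result, e.g. {'spf': 'fail', ...}."""
    results = {}
    for method, outcome in _RESULT.findall(header):
        results.setdefault(method.lower(), outcome.lower())
    return results


def dmarc_policy(domain: str) -> str:
    """Published p= tag for the domain, or 'none' when nothing is published.
    (The organizational-domain fallback from the DMARC spec is omitted here.)"""
    record = DMARC_RECORDS.get(domain, "")
    match = re.search(r"\bp=(none|quarantine|reject)\b", record)
    return match.group(1) if match else "none"


def disposition(raw_message: str, enforce: bool = True) -> str:
    """Return 'deliver', 'deliver-flagged', 'quarantine' or 'reject'.
    enforce=False models a detect-but-deliver configuration: the failure is
    recorded in the header, yet the message still lands in the inbox."""
    msg = message_from_string(raw_message)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if results.get("dmarc") == "pass":
        return "deliver"
    if not enforce:
        return "deliver-flagged"
    policy = dmarc_policy(from_domain)
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"
    return "deliver-flagged"


def enforcement_gap(messages) -> list:
    """Messages a detect-only setup delivers but an enforcing one would not."""
    return [m for m in messages
            if disposition(m, enforce=False).startswith("deliver")
            and not disposition(m, enforce=True).startswith("deliver")]


# Constructed sample messages (headers only, minimal bodies).
SPOOFED = """Authentication-Results: spf=fail (sender IP is 198.51.100.250) smtp.mailfrom=example.gov; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.gov
From: "Finance" <finance@example.gov>
Subject: Urgent wire transfer

(body)
"""

LEGITIMATE = """Authentication-Results: spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass action=none header.from=example.org
From: Partner <partner@example.org>
Subject: Invoice

(body)
"""

UNPROTECTED = """Authentication-Results: spf=softfail smtp.mailfrom=example.org; dkim=none header.d=none; dmarc=fail action=none header.from=example.org
From: Partner <partner@example.org>
Subject: Re: Invoice

(body)
"""

if __name__ == "__main__":
    for name, sample in (("SPOOFED", SPOOFED), ("LEGITIMATE", LEGITIMATE), ("UNPROTECTED", UNPROTECTED)):
        print(name, "detect-only:", disposition(sample, enforce=False), "| enforcing:", disposition(sample))
```

Running the three samples shows the two failure modes the text warns about: the spoofed example.gov message is rejected only when enforcement is on, and the example.org message is delivered either way because that domain publishes p=none, so no receiver-side setting can substitute for the sender domain's own policy.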

Review Mail Flow Rules

Transport rules created for legitimate purposes sometimes create security bypasses. Audit rules regularly to ensure they don't inadvertently allow malicious traffic through unexamined.

Consider Threat-Informed Testing

Test whether your controls detect current attack techniques, not just historical ones. Attack methodologies evolve faster than signature databases update.

Closing the Gaps: Beyond Exchange Online Protection

EOP provides necessary but insufficient protection against BEC attacks, QR code phishing, CAPTCHA-protected payloads, and Direct Send exploitation. Defense-in-depth requires additional layers that address EOP's architectural limitations.

Behavioral AI at the mailbox layer provides visibility into all emails regardless of delivery path. Abnormal analyzes 43,000 behavioral signals per email and performs social graphing to understand whether two parties typically communicate at specific times about specific topics. As Ryan Schwartz, Senior Manager of Product Marketing at Abnormal, noted during the webinar: "We're taking all of these different signals into account and making a determination whether this deviation from that normal behavior that we've baselined for this company is truly indicative of an attack."

API-based architecture ensures complete visibility regardless of whether emails flow through third-party SEGs or Direct Send smart hosts. This approach detects the sophisticated one to two percent of threats that signature-based tools miss.

Exchange Online Protection provides solid baseline defense that every M365 organization should understand and properly configure. However, treating EOP as comprehensive protection creates dangerous blind spots that sophisticated attackers readily exploit.

Security teams must map their complete mail flow architecture, identify paths that bypass inspection, and implement layered defenses that address EOP's documented limitations. The gap between perceived and actual protection is where breaches happen.

Discover the specific attack techniques that bypass Exchange Online Protection. Watch the on-demand webinar to see real examples of EOP gaps and how behavioral AI detects what signature-based tools miss.
