Anti-Malware
Configure Exchange Online Protection (EOP) anti-malware policies to detect and block malicious attachments, viruses, and other malware in email messages. Multi-engine scanning provides comprehensive protection against email-borne threats.
Note: Anti-malware protection is included with all Exchange Online plans. Microsoft Defender for Office 365 provides additional advanced threat protection capabilities.
How It Works
- Message Received — Email arrives at Exchange Online Protection.
- Multi-Engine Scan — Multiple anti-malware engines scan message body and attachments.
- Signature Detection — Known malware identified via signature matching.
- Heuristic Analysis — Heuristic and behavioral analysis flags threats that have no known signature.
- Action Applied — Malware blocked, quarantined, or attachment stripped based on policy.
Anti-Malware Policies
| Policy | Scope | Priority |
|---|---|---|
| Default Policy | All users (fallback) | Lowest |
| Standard Preset | Microsoft recommended | Medium |
| Strict Preset | Maximum protection | Higher |
| Custom Policies | Specific users/groups | Configurable |
Policy Settings
Detection Response
What happens when malware is detected:
- Delete message — Entire message is deleted (default)
- Replace attachments — Replace with text file explaining removal
- Quarantine — Message held for admin review
Common Attachment Types Filter
Block file types commonly used for malware delivery:
.exe, .bat, .cmd, .vbs, .js, .ps1, .msi, .scr, .dll, .iso
Zero-Hour Auto Purge (ZAP)
Retroactively removes malware from mailboxes after delivery if new threat intelligence identifies the message as malicious. Works on messages delivered within the last 48 hours.
Notification Settings
Internal Sender Notifications
Notify internal senders when their outbound message contains malware. Helps identify compromised accounts or infected workstations.
External Sender Notifications
Notify external senders about blocked malware. Generally not recommended, because it tells an attacker that the message was caught.
Admin Notifications
Alert administrators when malware is detected. Configure email addresses for internal and external malware alerts.
Custom Notification Text
Customize the notification message sent when attachments are replaced or messages are blocked.
Quarantine Management
Review and manage quarantined malware messages:
Review Quarantine
View quarantined messages in Security & Compliance Center. See sender, recipient, subject, and detection reason.
Release Messages
Administrators can release false positives to their recipients and report them to Microsoft to improve detection.
Retention Period
Quarantined malware is retained for 15 days before automatic deletion.
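The quarantine workflow above (review, inspect, release a false positive, report it to Microsoft) in Exchange Online PowerShell. This is an added example, not code from the original page or from the product it documents; it assumes the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session, and the quarantine message identity is a placeholder you would take from the listing.

```powershell
# Added example: review and release quarantined malware with Exchange Online PowerShell.
# Assumes an existing session opened with Connect-ExchangeOnline.

# The page states a 15-day retention window, so nothing older will be in quarantine.
$since = (Get-Date).AddDays(-15)

# List malware quarantine items with sender, recipient, subject and detection type.
$malware = Get-QuarantineMessage -QuarantineTypes Malware `
    -StartReceivedDate $since -PageSize 1000

$malware |
    Sort-Object ReceivedTime -Descending |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Expires, Identity |
    Format-Table -AutoSize

# Before releasing anything, inspect the headers and preview the body of the
# candidate false positive. Identity below is a placeholder; copy it from the listing.
$candidate = Get-QuarantineMessage -Identity "<quarantine-message-identity>"
Get-QuarantineMessageHeader -Identity $candidate.Identity
Preview-QuarantineMessage -Identity $candidate.Identity

# Release to every original recipient and report the false positive to Microsoft,
# which is the "Release Messages" step described above.
Release-QuarantineMessage -Identity $candidate.Identity -ReleaseToAll -ReportFalsePositive

# Confirm the release status changed.
Get-QuarantineMessage -Identity $candidate.Identity |
    Select-Object Subject, ReleaseStatus, Released, Expires
```

Keep the release step behind a human review: the header and preview calls are there so an analyst checks sender authentication results and the attachment before anything reaches a mailbox.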
Creating Custom Policy
- Policy Scope — Define which users, groups, or domains the policy applies to. Use conditions and exceptions to target specific recipients.
- Protection Settings — Configure detection response, file type filtering, and ZAP settings.
- Notifications — Set up sender and admin notifications for malware detections.
- Priority — Set policy priority. Lower numbers have higher priority. First matching policy is applied.
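One complete custom policy built the way the Policy Settings, Notification Settings and Creating Custom Policy sections describe: detection response, the common attachment types filter, ZAP, admin and sender notifications, recipient scope with an exception, and priority. This is an added example written for this page, not the product's own code; it assumes the ExchangeOnlineManagement module (New-MalwareFilterPolicy and New-MalwareFilterRule) and a role that can edit threat policies. The policy name, group, mailbox addresses and notification text are placeholders, and parameter names should be checked against the module version installed in your tenant.

```powershell
# Added example: create a scoped EOP anti-malware policy and its rule.
# All names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

$policyName   = "Finance-AntiMalware"
$alertMailbox = "secops-alerts@contoso.example"
$targetGroup  = "finance@contoso.example"          # distribution or security group
$exception    = "finance-scanner@contoso.example"  # mailbox excluded from this policy

# File types the page lists as commonly used for malware delivery.
$blockedTypes = @("exe","bat","cmd","vbs","js","ps1","msi","scr","dll","iso")

# Protection settings: quarantine the message (admin-only quarantine policy),
# block the common attachment types, keep ZAP on. Notifications: alert admins
# for both internal and external senders, tell internal senders (helps spot
# compromised accounts), stay silent toward external senders.
New-MalwareFilterPolicy -Name $policyName `
    -QuarantineTag "AdminOnlyAccessPolicy" `
    -EnableFileFilter $true `
    -FileTypes $blockedTypes `
    -FileTypeAction Quarantine `
    -ZapEnabled $true `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress $alertMailbox `
    -EnableExternalSenderAdminNotifications $true `
    -ExternalSenderAdminAddress $alertMailbox `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -CustomNotifications $true `
    -CustomFromName "Mail Security" `
    -CustomFromAddress "mailsecurity@contoso.example" `
    -CustomInternalSubject "Your message was blocked: malware detected" `
    -CustomInternalBody "A message you sent was blocked because it contained malware. Please contact the service desk; your device may be infected."

# Scope and priority: apply to members of the group, except one mailbox.
# Priority 0 is evaluated first; the first matching rule wins.
New-MalwareFilterRule -Name "$policyName-Rule" `
    -MalwareFilterPolicy $policyName `
    -SentToMemberOf $targetGroup `
    -ExceptIfSentTo $exception `
    -Priority 0

# Verify what was actually stored.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, QuarantineTag, EnableFileFilter, FileTypes, FileTypeAction, ZapEnabled,
                EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
Get-MalwareFilterRule -Identity "$policyName-Rule" |
    Format-List Name, Priority, State, SentToMemberOf, ExceptIfSentTo
```

The rule and the policy are separate objects: the policy holds the settings, the rule holds the scope and priority, which is why the verification step reads both back.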
Best Practices
- Enable common attachment filter — Block executable file types commonly used in attacks.
- Enable Zero-Hour Auto Purge — Ensure ZAP is enabled to remove malware discovered after delivery.
- Use preset security policies — Standard or Strict presets provide Microsoft-recommended settings.
- Configure admin alerts — Set up notifications so admins are aware of malware attempts.
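A check for the four best practices above, as an added example (not code from the original page or the product): it reads every anti-malware policy and rule with Exchange Online PowerShell and reports the ones that drift from the recommendations. It assumes an open Connect-ExchangeOnline session; the property names are those exposed by Get-MalwareFilterPolicy and Get-MalwareFilterRule in the ExchangeOnlineManagement module.

```powershell
# Added example: audit anti-malware policies against the Best Practices list.
# Assumes an existing Connect-ExchangeOnline session.

$report = Get-MalwareFilterPolicy | ForEach-Object {
    $p = $_
    $findings = @()

    # Best practice 1: common attachment filter enabled with a non-empty type list.
    if (-not $p.EnableFileFilter -or -not $p.FileTypes) {
        $findings += "common attachment filter off or empty"
    }
    # Best practice 2: Zero-Hour Auto Purge enabled.
    if (-not $p.ZapEnabled) {
        $findings += "ZAP disabled"
    }
    # Best practice 4: admin alerts configured with a destination address.
    if (-not $p.EnableInternalSenderAdminNotifications -or [string]::IsNullOrEmpty($p.InternalSenderAdminAddress)) {
        $findings += "no admin alert for internal senders"
    }
    if (-not $p.EnableExternalSenderAdminNotifications -or [string]::IsNullOrEmpty($p.ExternalSenderAdminAddress)) {
        $findings += "no admin alert for external senders"
    }
    # Notifying external senders is discouraged on this page.
    if ($p.EnableExternalSenderNotifications) {
        $findings += "external sender notifications enabled"
    }

    [pscustomobject]@{
        Policy   = $p.Name
        Default  = $p.IsDefault
        Findings = if ($findings.Count -gt 0) { $findings -join "; " } else { "OK" }
    }
}
$report | Format-Table -AutoSize

# Best practice 3 concerns presets; the preset policies are visible as rules
# alongside custom rules, so list rule order and state to see which wins first.
Get-MalwareFilterRule |
    Sort-Object Priority |
    Select-Object Priority, Name, State, MalwareFilterPolicy |
    Format-Table -AutoSize
```

Run it after any policy change and on a schedule; a disabled rule or a policy that lost its admin address will show up as a finding rather than being discovered during an incident.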
API Reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/exchange/anti-malware-policies | List anti-malware policies |
| POST | /api/exchange/anti-malware-policies | Create custom policy |
| GET | /api/exchange/malware-detections | Get recent malware detections |
| GET | /api/exchange/quarantine?type=malware | List quarantined malware |
| POST | /api/exchange/quarantine/:id/release | Release from quarantine |