Microsoft Solutions Partner — Modern Work · 11,000+ engagements

Exchange Online + EOP + Defender for Office 365 (2026)

The canonical Microsoft mail-protection stack — Exchange Online Plan 1 and Plan 2, Exchange Online Protection, Defender for Office 365 P1 and P2 — engineered by a senior-architect-led 29-year Microsoft Solutions Partner across 216+ M&A tenant migrations and 1.83 million mailboxes.

Book an Exchange Online briefing Call 888-381-9725

What is the Microsoft Exchange Online + EOP + Defender for Office 365 mail-protection stack and how do enterprises deploy it? Exchange Online is the Microsoft 365 hosted-mailbox plane (Plan 1 — 50 GB mailbox; Plan 2 — 100 GB mailbox plus auto-expanding archive, Litigation Hold, and DLP). Exchange Online Protection (EOP) is the bundled edge mail-protection layer covering anti-spam, anti-malware, connection filtering, and mail-flow (transport) rules. Microsoft Defender for Office 365 (MDO) is the threat-protection upgrade on top of EOP — P1 ships Safe Links time-of-click URL detonation, Safe Attachments sandbox detonation, and anti-phish impersonation protection; P2 adds Threat Explorer, Automated Investigation and Response (AIR), Attack Simulation Training, Campaign View, and the Defender XDR cross-domain correlation surface. Enterprises deploy the stack through a five-phase Assess, Foundation, Migrate, Protect, Operate program that licenses through Microsoft 365 E3 (Exchange Plan 2 + EOP) or E5 (adds MDO P2), stages SPF/DKIM/DMARC enforcement progression, runs hybrid or cross-tenant mailbox migration, and tunes AIR plus quarantine policies for low false-positive operation.

Exchange Online + EOP + Defender for Office 365 is the canonical Microsoft mail-protection stack. EOP ships with every Exchange Online mailbox covering anti-spam, anti-malware, and transport rules. MDO P1 adds Safe Links, Safe Attachments, and anti-phish impersonation protection. MDO P2 adds Threat Explorer, AIR, Attack Simulation Training, and the Defender XDR cross-domain correlation. For Microsoft 365 E5 customers, the bundled value plus the integrated XDR investigation surface delivers a measurable consolidation gain over Proofpoint, Mimecast, and standalone SEG vendors. EPC Group delivers the full stack under a fixed-fee five-phase accelerator between $150K and $800K.

Key Facts

Exchange Online Plan 1 — 50 GB mailbox, EOP bundled, approximately $4.00 per user per month list
Exchange Online Plan 2 — 100 GB mailbox, auto-expanding archive to 1.5 TB, Litigation Hold, DLP, approximately $8.00 per user per month list
Exchange Online Protection (EOP) — connection filtering, anti-spam, anti-malware, transport rules, Tenant Allow/Block List — included with every Exchange Online mailbox
Defender for Office 365 P1 — Safe Links time-of-click URL detonation, Safe Attachments sandbox detonation, anti-phish impersonation protection — approximately $2.00 per user per month list
Defender for Office 365 P2 — Threat Explorer, AIR, Attack Simulation Training, Campaign View, advanced hunting EmailEvents/UrlClickEvents tables — approximately $5.00 per user per month list, bundled in M365 E5 and M365 E5 Security
SPF + DKIM (dual selector) + DMARC staged progression (p=none → p=quarantine → p=reject) shipped over six to nine months
Cross-tenant mailbox migration (general availability 2022) is the canonical M&A consolidation path
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations, 1.83 million mailboxes migrated
EPC Group five-phase Exchange Online Migration Accelerator delivers full activation in 14 to 26 weeks, fixed-fee $150K to $800K

The five-tier stack — Exchange Online P1, P2, EOP, MDO P1, MDO P2

The mail-protection stack is five purchasable tiers — two Exchange Online plans, one bundled EOP layer, and two Defender for Office 365 plans. Understanding the tier boundaries is the first step toward a defensible Microsoft 365 license decision.

EXO P1

Exchange Online Plan 1

Covers: The base hosted-mailbox SKU — a 50 GB primary mailbox, full Outlook desktop and Outlook on the web (OWA) entitlement, web-scale anti-spam through Exchange Online Protection, and the standard Exchange Web Services and Microsoft Graph API surface for line-of-business integration.

50 GB primary mailbox with full Outlook desktop, OWA, and Outlook mobile entitlement
Exchange Online Protection (EOP) bundled — anti-spam, anti-malware, connection filtering, mail-flow rules
Microsoft Graph mail, calendar, contacts, and online meeting endpoints for line-of-business automation
Hybrid Exchange topology with Azure AD Connect or Entra Connect Sync — the canonical coexistence pattern
Resource mailboxes, shared mailboxes (50 GB free of license), distribution groups, and dynamic distribution groups
Up to 100 GB archive mailbox with the Exchange Online Archiving add-on or bundled in Plan 2

License: Approximately $4.00 per user per month list. Bundled inside Microsoft 365 Business Basic, Business Standard, M365 F1/F3, and the productivity floor of every E1/E3/E5 plan.

EXO P2

Exchange Online Plan 2

Covers: The compliance-ready upgrade — a 100 GB primary mailbox, unlimited archive (auto-expanding to 1.5 TB in 100 GB increments), the Hosted Voicemail/Cloud Voicemail entitlement, the In-Place Hold and Litigation Hold preservation surface, and Data Loss Prevention policy enforcement at the mailbox layer.

100 GB primary mailbox with auto-expanding archive up to 1.5 TB
Litigation Hold (mailbox-wide preservation) and In-Place Hold (query-scoped preservation)
Cloud Voicemail integration with Microsoft Teams Phone for voicemail-to-mailbox routing
Data Loss Prevention (DLP) policy enforcement scoped to mailbox content and outbound mail flow
Hosted Journaling — every inbound and outbound message captured to a designated journaling mailbox (or third-party archive)
Bundled inside Microsoft 365 E3, E5, A3, A5, G3, G5 — the path of least resistance for any compliance-bearing enterprise

License: Approximately $8.00 per user per month list as standalone. Bundled inside Microsoft 365 E3, E5, A3, A5, G3, and G5 — and is the EPC Group recommended floor for any enterprise above 250 seats with regulatory exposure.

EOP

Exchange Online Protection

Covers: The free-with-Exchange-Online edge mail-protection plane — connection filtering, IP allow/block lists, anti-spam, anti-malware, mail-flow (transport) rules, the standard quarantine surface, and the transport-layer compliance gates the rest of the Microsoft 365 mail stack assumes are running.

Connection filtering — IP allow list, IP block list, safe-list, and the Microsoft cloud reputation feed
Anti-spam policies — bulk complaint level (BCL) scoring, spam confidence level (SCL) scoring, end-user quarantine notifications
Anti-malware policies — common attachment filter, malware zero-hour auto purge (ZAP), and the Microsoft cloud-delivered signature engine
Mail-flow (transport) rules — the policy engine for routing, encryption, header manipulation, and conditional disclaimer insertion
Connectors — the inbound and outbound mail-flow plumbing for hybrid Exchange, third-party gateways, and partner-domain TLS enforcement
Tenant Allow/Block List — admin overrides for sender, domain, URL, and file-hash decisions

License: Included with every Exchange Online mailbox. Standalone EOP exists for on-premises-only Exchange estates at approximately $1.00 per user per month list — used during long-tail hybrid migration windows.

MDO P1

Microsoft Defender for Office 365 Plan 1

Covers: The pre-delivery threat-protection layer that sits on top of EOP. Safe Attachments detonates attachments in a Microsoft cloud sandbox before delivery. Safe Links wraps every URL with time-of-click detonation across email, Teams, Office desktop, and Office on the web. Anti-phish impersonation protection adds mailbox intelligence and user/domain spoof detection.

Safe Attachments detonation in Microsoft cloud sandboxes — block, replace, dynamic delivery, or monitor modes
Safe Links time-of-click URL detonation across Outlook, Teams external chat, Office desktop, and Office on the web
Anti-phish impersonation protection — protected users, protected domains, and mailbox intelligence
Tenant Allow/Block List integration plus Configuration Analyzer for preset security policy drift detection
Quarantine policies — granular control over end-user release permissions, admin review queues, and notification cadence
Real-time detections (limited) — the lighter analytic surface compared to MDO P2 Threat Explorer

License: Approximately $2.00 per user per month list. Bundled inside Microsoft 365 Business Premium. Add-on path for E3 customers who do not need the full investigation surface.

MDO P2

Microsoft Defender for Office 365 Plan 2

Covers: The full investigation, hunting, and training plane on top of MDO P1. Adds Threat Explorer (the full historical investigation surface), Automated Investigation and Response (AIR), Attack Simulation Training, Threat Trackers, Campaign View, and the advanced hunting EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, and UrlClickEvents tables.

Threat Explorer — historical email and URL investigation surface for the full retention window
Automated Investigation and Response (AIR) — playbook-driven scoped remediation across email-borne incidents
Attack Simulation Training — phishing-simulation campaigns with built-in user training modules
Campaign View — clusters related phishing into a single investigatable incident across thousands of mailboxes
Advanced hunting — EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, UrlClickEvents tables in KQL
Defender XDR cross-domain correlation — every MDO incident fuses with MDE endpoint, MDCA SaaS, MDI identity, and MDVM vulnerability signal

License: Approximately $5.00 per user per month list. Bundled inside Microsoft 365 E5, M365 E5 Security, A5, G5. The pragmatic floor for any enterprise above 2,000 seats with material BEC, phishing, or supply-chain exposure.

Six enterprise Exchange Online + MDO patterns we ship

The product is general-purpose. The deployment patterns are what convert the stack into measurable outcomes. These six are the enterprise patterns EPC Group ships across the F500 customer base — each grounded in a specific business scenario and a specific EPC Group delivery outcome.

Full Exchange on-premises to Exchange Online cutover migration

Scenario: A 12,000-seat enterprise runs Exchange Server 2016 across three datacenters with a public-folder estate, a 9 TB shared-mailbox footprint, mailbox auto-expanding archives, and three custom transport agents tied to a legacy ERP. The board mandates retirement of the on-premises Exchange estate inside 18 months. The migration path is a full cutover to Exchange Online with hybrid coexistence during the transition window — not a cloud-only big-bang.

EPC Group outcome: EPC Group ships the canonical Hybrid Configuration Wizard (HCW) cutover sequence: stand up Hybrid Exchange with Entra Connect Sync, run an SMTP coexistence with the on-premises Exchange as the primary mail-routing endpoint until 25 percent of mailboxes are migrated, flip the MX record to Exchange Online Protection, decommission the on-premises hybrid endpoint after the final mailbox move, retire the on-premises Exchange organization. The legacy ERP transport agent is rewritten as an Exchange Online transport rule plus a Microsoft Graph webhook. EPC Group has executed this pattern across 216+ M&A tenant migrations and more than 1.83 million mailboxes since 2014.

Hybrid Exchange topology with Entra Connect Sync and shared SMTP namespace

Scenario: A regulated-industry enterprise holds five mailbox classes on-premises for legacy regulatory reasons (board mailboxes, M&A war-room mailboxes, executive PA mailboxes, legal hold mailboxes, retained archive mailboxes) while the operational user base moves to Exchange Online. The customer needs a shared SMTP namespace (@contoso.com for everyone), free/busy calendar sharing across cloud and on-premises, cross-premises mailbox moves, and a single global address list that surfaces both populations.

EPC Group outcome: EPC Group ships the long-tail hybrid topology with Entra Connect Sync as the identity bridge, the Hybrid Configuration Wizard as the trust and connector bootstrapper, organization relationships for free/busy federation, and Exchange Online unified messaging policies tuned for the cross-premises population. EOP becomes the inbound mail-flow plane for both classes — on-premises Exchange receives @contoso.com mail through the EOP inbound connector. The pattern remains supported by Microsoft as the long-tail hybrid topology and EPC Group operates it for several Fortune 500 customers running multi-year regulatory holdouts.

M&A tenant-to-tenant mailbox migration with shared SMTP namespace

Scenario: A Fortune 500 acquirer closes on a Fortune 1000 target carrying a separate Microsoft 365 tenant with 14,000 mailboxes, a separate Exchange Online Protection tenant policy stack, and a separate Defender for Office 365 P2 deployment. The integration mandate is a single tenant by close+18 months with a shared @acquirer.com SMTP namespace, preserved mailbox content (including soft-deleted items and litigation hold data), preserved mailbox aliases, and preserved Outlook profile signatures and rules.

EPC Group outcome: EPC Group ships the Microsoft cross-tenant mailbox migration pattern (general availability 2022) with cross-tenant identity sync, cross-tenant access policies in Entra, shared SMTP namespace co-existence, MailNickname coexistence, and the Migration Manager pull-migration cutover. Litigation holds replicate to the target tenant; soft-deleted items retain through the migration window. EPC Group is the dominant U.S. practice for Microsoft-anchored M&A tenant consolidations — 216+ tenant migrations and 1.83 million users migrated across the engagement portfolio.

Business Email Compromise (BEC) and phishing defense — MDO P2 + EOP + transport rules

Scenario: A mid-market enterprise sees three credential-harvest phishing waves per quarter, two of which result in mailbox compromise, attacker-set forwarding rules, and downstream wire-fraud attempts. The customer has Exchange Online Protection plus MDO P1 but has not deployed Safe Links impersonation protection, has not tuned anti-phish protected-users or protected-domains policies, and has no Tenant Allow/Block List discipline. The end-user reporting culture is weak — only 4 percent of phishing reaches the security team.

EPC Group outcome: EPC Group ships the MDO P2 BEC defense baseline: protected-users policy covering every C-suite, finance, and legal mailbox; protected-domains policy covering @customer.com plus every partner-domain inbound; Safe Links with the strict-preset configuration; Safe Attachments in block mode (not dynamic-delivery) for high-risk file types; impersonation-domain banner on every external sender; auto-forwarding rule policy that blocks outbound mailbox forwarding to external domains by default. AIR runs the standard BEC playbook — auto-quarantine the originating email, revoke active sessions, disable the forwarding rule, and isolate the endpoint via Defender for Endpoint. End-user phishing-report rate climbs to 32 percent inside 90 days through Attack Simulation Training.

Regulated-industry journaling, retention, and eDiscovery

Scenario: A FINRA-regulated broker-dealer must capture every inbound and outbound email for every registered representative to a tamper-resistant journaling archive, retain for seven years, and produce eDiscovery output for SEC Rule 17a-4 audit requests inside 72 hours. The current state captures email to a legacy SMTP journaling appliance in a customer datacenter that is end-of-life inside 12 months.

EPC Group outcome: EPC Group ships hosted journaling rules at the Exchange Online transport layer with a third-party SEC 17a-4 archive (Smarsh, Global Relay, or Microsoft Purview Communication Compliance with the SEC 17a-4 archive add-on) as the destination. Retention is configured through Microsoft Purview retention policies scoped to the registered-representative population with seven-year retention plus litigation hold preservation. Microsoft Purview eDiscovery (Premium) is configured for the legal team with custodian targeting, hold management, and review-set workflows for the SEC examination response window. The journaling archive replaces the legacy SMTP appliance and runs as a fully Microsoft-cloud-anchored pattern.

Financial services Communication Compliance and supervisory review

Scenario: A global financial services firm runs supervisory review on every email and Teams chat of every registered representative, every research analyst, and every front-office trader. The current pattern is sample-based human review supplemented by a third-party lexicon-based detection product that produces a high false-positive rate. The compliance team wants to consolidate onto Microsoft Purview Communication Compliance with built-in classifier libraries for harassment, regulatory disclosure leakage, market manipulation language, and customer-complaint signal.

EPC Group outcome: EPC Group ships the Microsoft Purview Communication Compliance baseline tuned for FFIEC and SEC supervisory review patterns: built-in classifier policies for harassment, regulatory collusion, customer complaints, gifts and entertainment, and money laundering language; custom dictionaries for firm-specific compliance terms; scoped policies per business unit; pseudonymized reviewer assignments; and the Microsoft Purview Activity Explorer audit log for evidence preservation. EPC Group integrates the Exchange Online + Teams + Yammer signal into a single Purview workspace and trains the supervisory review team on the Purview reviewer dashboard. The pattern eliminates the third-party lexicon product and ships as auditor-ready evidence for FINRA, SEC, FFIEC, and equivalent global regulators.

MDO threat-protection deep dive — Safe Links, Safe Attachments, anti-phish, quarantine

The four Defender for Office 365 protection planes are how the product earns its consolidation case against Proofpoint and Mimecast. Each plane has tunable policy levers EPC Group ships in production configuration during Phase 4 of the accelerator.

Safe Links — time-of-click URL detonation

Safe Links wraps every URL in inbound email, Teams external chat, Office desktop, and Office on the web with a time-of-click detonation. Click-time, the URL is fetched server-side inside a Microsoft cloud sandbox, evaluated for malware payload and phishing behavior, and either passed through, blocked, or rewritten with a warning. The wrapping uses the safelinks.protection.outlook.com indirection domain. Tenant-level policy controls the click-tracking, the user-warning notification, and the override-with-justification flow. EPC Group ships Safe Links in strict-preset configuration for high-risk populations (executive, finance, legal) and standard-preset for the general user base.

Safe Attachments — pre-delivery sandbox detonation

Safe Attachments holds every attachment in a Microsoft cloud sandbox before delivery. The sandbox detonates the attachment under instrumented evaluation looking for payload behavior — process spawning, network beacon, registry modification, and the Microsoft cloud-delivered threat intelligence graph match. Four delivery modes are available: block (the attachment is removed and the recipient gets a notification), monitor (the attachment is delivered but flagged), replace (the attachment is replaced with a benign notification placeholder), and dynamic delivery (the email is delivered immediately and the attachment is appended after sandbox clearance). EPC Group recommends block mode for high-risk file types (executable extensions, macro-enabled Office) and dynamic delivery for general PDF and Office content.

Anti-phish impersonation protection — protected users and protected domains

The anti-phish policy plane adds mailbox intelligence (user-behavior baseline learning), user impersonation protection (a configured list of high-value mailboxes — executives, finance, legal — that get strict spoof detection), domain impersonation protection (the customer domain plus partner-domain inbound), and the trusted-senders allow list. Inbound mail flagged as impersonation can be quarantined, redirected, sent to junk, or stamped with an external-sender banner. EPC Group ships the protected-users list as every C-suite, every finance approver, every legal approver, every M&A war-room mailbox, plus the on-call security team. Protected domains include @customer.com plus the top 20 partner domains by mail volume.

Quarantine and the end-user release flow

Quarantine is the holding plane for every blocked message — spam, malware, phishing, bulk, high-confidence-phish, and the MDO-detected categories. Quarantine policies control who can see the quarantine, who can release a message back to the inbox, and the notification cadence. Per-user quarantine notification emails go out on a configured schedule (daily at 9 AM is the EPC Group recommendation). End users can release with justification, request release with admin approval, or report misclassification back to Microsoft for tenant-level model improvement. Admin-only quarantine policies cover high-confidence-phish and malware — never end-user-releasable. EPC Group tunes the policy stack so the false-positive release rate stays under 1 percent of total quarantine volume.

Mail-flow plumbing

Mail transport rules and connectors — the EOP control surface

Mail-flow rules (transport rules) are the EOP policy engine — every routing decision, every disclaimer, every encryption trigger, every header manipulation runs as a transport rule. The Exchange Admin Center (EAC) ships a graphical rule editor; the rules themselves export as XML for source control and tenant-to-tenant promotion. Inbound and outbound connectors are the mail-flow plumbing — they define partner-domain TLS enforcement, certificate-based authentication, and the third-party gateway handoff.

Sample transport rule XML — external sender banner

<TransportRule xmlns="http://schemas.microsoft.com/exchange/services/2006/messages">
  <Name>Append External Sender Banner</Name>
  <Priority>0</Priority>
  <State>Enabled</State>
  <Mode>Enforce</Mode>
  <Conditions>
    <FromScope>NotInOrganization</FromScope>
  </Conditions>
  <Actions>
    <PrependSubject>[EXTERNAL] </PrependSubject>
    <ApplyHtmlDisclaimer>
      <Text>This message originated outside @contoso.com. Treat links and attachments with caution.</Text>
      <Location>Prepend</Location>
      <FallbackAction>Wrap</FallbackAction>
    </ApplyHtmlDisclaimer>
  </Actions>
</TransportRule>

Exchange Admin Center (EAC) editor

The EAC is the canonical graphical editor for transport rules. Rule conditions cover sender, recipient, subject, header, attachment type, attachment size, message classification, and the full Microsoft Purview sensitive-information-type library. Rule actions cover prepend subject, append disclaimer, apply encryption, reroute to connector, BCC compliance mailbox, modify recipients, and reject with NDR.

Connectors — inbound, outbound, partner-domain TLS

Connectors define the mail-flow plumbing — the inbound connector for hybrid Exchange (on-premises Exchange as the trusted source), the outbound connector for a third-party gateway (for example a regulated archive that needs every outbound message), and the partner-domain TLS connector that enforces certificate-based or partner-domain-name TLS for sensitive partner correspondence. Connectors are source-controlled through PowerShell export.

DNS hardening

DNS records — the SPF + DKIM + DMARC hardening floor

Email authentication is the floor of inbound and outbound mail-flow trust. Microsoft 365 tenants ship with the EOP MX endpoint and a tenant DKIM key pair available immediately after domain verification. The hardening work is publishing the records correctly across every accepted domain and staging the DMARC enforcement progression from p=none through p=reject. EPC Group ships the staged progression as a Phase 2 Foundation deliverable.

Type	Host	Value	EPC Group note
MX	@	contoso-com.mail.protection.outlook.com	Point MX to Exchange Online Protection. Priority 0. TTL 3600.
TXT (SPF)	@	v=spf1 include:spf.protection.outlook.com -all	Hard fail (-all) once every legitimate sender has been catalogued. Stage with ~all (soft fail) during inventory.
CNAME (DKIM)	selector1._domainkey	selector1-contoso-com._domainkey.contoso.onmicrosoft.com	Microsoft 365 DKIM selector 1. Rotate keys every 12 months. Selector 2 follows the same pattern.
CNAME (DKIM)	selector2._domainkey	selector2-contoso-com._domainkey.contoso.onmicrosoft.com	Microsoft 365 DKIM selector 2 — required for the dual-selector rotation pattern.
TXT (DMARC)	_dmarc	v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; ruf=mailto:dmarc@contoso.com; fo=1; adkim=s; aspf=s;	Stage p=none, then p=quarantine, then p=reject in three-month increments after RUA aggregate review.

EPC Group ships the staged DMARC enforcement progression — 60 to 90 days at p=none with RUA aggregate review, 60 days at p=quarantine ramping pct=25 to pct=100, then steady-state p=reject. The full progression runs six to nine months for a Fortune 500 with a complex marketing automation footprint. See our Exchange consulting practice for the steady-state operations model.

License economics

License model — bundle Exchange Online + MDO through M365 E3 or E5

Exchange Online and MDO are licensed per user. The three practical paths are M365 E3 (Exchange Plan 2 + EOP — add MDO P1 or P2 separately), M365 E5 (Exchange Plan 2 + EOP + MDO P2 + Microsoft 365 Defender + Microsoft Purview), and standalone per-tier SKUs. License choice drives 25 to 45 percent of year-one total cost of ownership.

M365 E3 + MDO P1 add-on

Approximately $36 per user per month list for E3 plus $2 for MDO P1. Bundles Exchange Plan 2 plus EOP plus the Microsoft 365 productivity floor. Defensible for organizations under 2,000 seats without material BEC exposure and without dedicated security operations investigation capability.

M365 E5 (recommended floor)

Approximately $57 per user per month list. Bundles Exchange Plan 2, EOP, MDO P2, Microsoft 365 Defender (MDE P2, MDCA, MDI, MDVM), Microsoft Purview (DLP, retention, Communication Compliance, eDiscovery Premium), Power BI Pro, Phone, Audio Conferencing. The pragmatic floor for any enterprise above 2,000 seats with regulatory exposure.

M365 E5 Security add-on

Approximately $12 per user per month list as add-on to E3. Includes MDO P2 plus the rest of the Microsoft 365 Defender stack. The pragmatic path for E3 customers who want the full XDR investigation surface without the Purview Compliance E5 bundle.

All prices are list and subject to Microsoft commercial change. Enterprise Agreement and Cloud Solution Provider discounts typically reduce list by 10 to 25 percent. EPC Group includes Microsoft license optimization inside every assessment phase rather than as a paid add-on. See our Microsoft 365 consulting practice for the underlying E3-to-E5 license uplift patterns.

Governance and compliance — mail-protection controls mapped to your regulatory reality

Exchange Online, EOP, and Defender for Office 365 are FedRAMP-authorized inside the GCC High Microsoft 365 cloud, making the stack the practical mail-protection path for defense contractors, federal civilian agencies, and the broader CMMC Level 2 base. HIPAA HITRUST, PCI-DSS 4.0, FFIEC, FINRA, SOC 2, ISO 27001, NIST CSF 2.0, and GxP control families all map cleanly to the mail-flow rule plus journaling plus retention plus Communication Compliance pattern. EPC Group is FedRAMP-aligned and translates the EOP + MDO signal into auditor-ready control evidence linked to the customer governance, risk, and compliance documentation. See our standards alignment library for the full mapping.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

Healthcare — HIPAA HITRUST

Microsoft Purview DLP at the Exchange Online transport layer for PHI prevention; journaling to a HIPAA-aligned archive; Litigation Hold for OCR investigations.

Financial — FFIEC + FINRA + SEC 17a-4

Hosted journaling to Smarsh or Global Relay; Microsoft Purview Communication Compliance for supervisory review; 7-year retention with adaptive policy scopes.

Federal — FedRAMP + CMMC Level 2

GCC High tenant; certificate-based partner-domain TLS for CUI handling; FedRAMP- aligned control evidence packs from EPC Group.

The EPC Group Exchange Online Migration Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Foundation, Migrate, Protect, Operate. Fixed-scope between $150,000 and $800,000 depending on mailbox count, mail-flow complexity, MDO scope, journaling and Communication Compliance footprint, and managed- service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

Mailbox inventory, mail-flow topology, and license uplift in three weeks

Phase one is a fixed-fee assessment that inventories every mailbox class (user, shared, resource, distribution, dynamic distribution, mail-enabled public folder), the inbound and outbound mail-flow topology (every connector, every third-party gateway, every partner-domain TLS enforcement), the current EOP and MDO policy stack, and the SPF, DKIM, and DMARC posture across every accepted domain. EPC Group ships the costed license uplift quote — Exchange Online Plan 1 vs Plan 2, MDO P1 vs P2, M365 E3 vs E5 — and the BEC and phishing exposure baseline.

Mailbox class inventory across user, shared, resource, distribution, dynamic distribution, and mail-enabled public folder
Inbound and outbound mail-flow topology — every connector, gateway, partner-domain TLS, and certificate inventory
Current EOP and MDO policy stack baseline including preset security policy comparison
SPF, DKIM, DMARC posture audit across every accepted domain with the staged DMARC enforcement roadmap
BEC and phishing exposure baseline with a costed Exchange Online + MDO license uplift recommendation

Phase 2 — Foundation

Hybrid Exchange, Entra Connect Sync, EOP baseline, DNS hardening

Phase two stands up the production foundation — the Hybrid Configuration Wizard for Exchange hybrid, Entra Connect Sync for identity, the EOP preset security policy baseline (Standard or Strict), the MDO P1 or P2 preset, the SPF/DKIM/DMARC DNS hardening across every accepted domain, the Tenant Allow/Block List discipline, and the connector inventory for inbound and outbound mail flow.

Hybrid Configuration Wizard execution with the canonical free/busy and cross-premises mailbox move topology
Entra Connect Sync deployment with the recommended attribute filtering and password hash sync configuration
EOP and MDO preset security policy activation (Standard or Strict) with the configuration analyzer baseline
SPF, DKIM, DMARC DNS records deployed across every accepted domain with the staged DMARC enforcement plan
Inbound and outbound connector inventory with partner-domain TLS enforcement (certificate-based or partner-domain)

Phase 3 — Migrate

Mailbox cutover, cross-tenant migration, transport rule rewrites

Phase three runs the mailbox migration — full cutover, hybrid mailbox-by-mailbox moves, or cross-tenant migration depending on the scenario. EPC Group rewrites the legacy on-premises transport agents as Exchange Online transport rules plus Microsoft Graph webhooks, ports the journaling rules, and lands the public-folder estate as Exchange Online modern public folders or as a Microsoft 365 Group conversion.

Mailbox migration — cutover, hybrid mailbox-move, or cross-tenant Migration Manager flow
Transport-agent-to-transport-rule rewrites plus Microsoft Graph webhook integration for legacy ERP and CRM tie-ins
Journaling rule porting to Exchange Online with the destination archive (Microsoft Purview, Smarsh, Global Relay)
Public-folder estate migration to Exchange Online modern public folders or Microsoft 365 Group conversion
Mailbox alias preservation, signature preservation, and Outlook profile rebuild automation

Phase 4 — Protect

MDO P2 activation, AIR tuning, attack simulation training

Phase four activates the full MDO P2 plane — Safe Links strict-preset, Safe Attachments block mode for high-risk file types, anti-phish protected-users and protected-domains policies, Tenant Allow/Block List discipline, AIR action-approval threshold tuning, and Attack Simulation Training campaigns scoped to the customer business calendar. EPC Group ships the cross-domain Defender XDR correlation that fuses MDO with MDE endpoint, MDCA SaaS, MDI identity, and MDVM vulnerability signal.

MDO P2 Safe Links strict-preset configuration with the user-warning notification and override-with-justification workflow
Safe Attachments block mode for executable extensions and macro-enabled Office; dynamic delivery for general content
Anti-phish protected-users policy covering every C-suite, finance, legal, and on-call security mailbox
Anti-phish protected-domains policy covering @customer.com plus the top 20 partner domains by mail volume
AIR action-approval threshold tuning for auto-quarantine, session-revocation, and forwarding-rule remediation
Attack Simulation Training quarterly campaigns with the built-in user-training assignment workflow

Phase 5 — Operate

24/7 managed mail protection with senior-architect escalation

Phase five is steady-state operation. EPC Group provides managed Exchange Online and MDO services — 24-by-seven incident triage on the MDO queue, AIR exception adjudication, hunting query library expansion across EmailEvents and UrlClickEvents, quarantine release SLA monitoring, DMARC RUA aggregate review and enforcement-level staging, and the quarterly attack simulation campaign cadence. Senior-architect escalation is the differentiator — tier-one analysts triage, but every customer has named senior architects on call for the incidents and exception decisions that matter.

24/7 SOC monitoring of the Defender XDR incident queue with the MDO + MDE + MDCA fusion view
Monthly quarantine release SLA review and false-positive false-negative tuning sprint
Quarterly Attack Simulation Training campaigns with the customer business-calendar-aware schedule
DMARC RUA aggregate review and the staged p=none → p=quarantine → p=reject enforcement progression
Hunting query library expansion across EmailEvents, EmailAttachmentInfo, EmailUrlInfo, and UrlClickEvents

Why EPC Group leads enterprise Exchange Online + MDO deployments

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Mailboxes migrated

Microsoft Solutions Partner — six designations

Microsoft Solutions Partner with the Modern Work designation plus Security, Infrastructure, Data & AI, Digital & App Innovation, and Business Applications. Senior architects average two decades of Microsoft platform delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee Exchange Online accelerators

Every Exchange Online migration is fixed-fee with a costed roadmap and named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP-aligned, FINRA, CMMC, and GxP. Exchange Online migrations ship with auditor-ready control matrices, not generic Microsoft 365 screenshots.

Frequently asked questions — Exchange Online + EOP + Defender for Office 365

How does Microsoft Exchange Online + EOP + Defender for Office 365 compare to Google Workspace Gmail Enterprise?

Google Workspace Gmail Enterprise ships strong inbound spam and phishing analytics through the Google ML pipeline, native data loss prevention, and the Vault eDiscovery surface. Strengths against Microsoft are the simplicity of a single-product collaboration suite and the Google Search-anchored inbox classification. Weaknesses against the Microsoft mail-protection stack for the F500 cohort are (1) the lighter native integration with the Microsoft endpoint, identity, and CASB planes — Defender XDR fuses email, endpoint, identity, SaaS, and vulnerability signal into one incident graph that Gmail Enterprise cannot match for Microsoft-anchored estates; (2) the absence of a regulated-industry journaling archive ecosystem at the Smarsh and Global Relay maturity Microsoft mail enjoys for SEC 17a-4, FINRA, and FFIEC supervisory review; (3) the lighter line-of-business integration surface — Microsoft Graph mail/calendar/contacts is the canonical enterprise API surface and the SaaS ecosystem (Power Automate, Power Apps, Dataverse) assumes Exchange Online identity. Gmail Enterprise wins for Google-anchored estates and digital-native organizations under 5,000 seats. Exchange Online + EOP + MDO wins for the Microsoft 365 E3/E5 customer base.

How does Defender for Office 365 compare to Proofpoint Email Protection + Targeted Attack Protection (TAP)?

Proofpoint is the dominant pure-play secure email gateway (SEG). Strengths include the threat-intelligence depth of the Proofpoint cloud, the maturity of the impersonation detection model, and the Targeted Attack Protection investigation surface. Weaknesses against MDO P2 for Microsoft-anchored enterprises are (1) the cost stack — Proofpoint Email Protection plus TAP plus Email Fraud Defense plus Archive runs $20 to $40 per user per year above the M365 E5 Security bundle that already includes MDO P2; (2) the absence of integrated CASB, ITDR, and endpoint correlation — every Proofpoint alert exists in a separate analyst surface from the customer endpoint, identity, and SaaS plane; (3) the M&A consolidation friction — the EPC Group M&A integration playbook routinely retires Proofpoint inside the close+18 month window. Proofpoint wins for non-Microsoft-anchored estates or for very-high-volume regulated industries where the dual-stack overlap is mandated. MDO P2 wins for the Microsoft 365 E5 customer base on consolidation economics and on the cross-domain XDR investigation surface.

How does Defender for Office 365 compare to Mimecast?

Mimecast is the dominant SEG in the UK and ANZ markets with a strong U.S. mid-market presence. Strengths include the URL-protection maturity, the Targeted Threat Protection module, the Brand Protection module for outbound DMARC enforcement and lookalike domain monitoring, and the archive depth for regulated industries. Weaknesses against MDO P2 for Microsoft-anchored enterprises are (1) the SEG-in-front-of-EOP architectural friction — Mimecast becomes the primary inbound MX endpoint with EOP downstream, complicating the Microsoft Defender XDR fusion of email + endpoint + identity + SaaS signal; (2) the duplicate-license cost stack against M365 E5 Security; (3) the EPC Group M&A integration pattern routinely retires Mimecast inside the consolidation window for the same reasons it retires Proofpoint. Mimecast remains defensible for UK and ANZ regulated estates and for customers where the Brand Protection lookalike-domain monitoring is the load-bearing capability. MDO P2 wins for the Microsoft 365 E5 customer base on consolidation economics and on the cross-domain XDR investigation surface.

When does MDO Plan 1 suffice and when is MDO Plan 2 required?

MDO P1 ships the pre-delivery protection plane — Safe Attachments sandbox detonation, Safe Links time-of-click URL detonation, and anti-phish impersonation protection. P1 suffices for organizations under approximately 2,000 seats where the security operations function does not run dedicated email-borne incident investigation, where the AIR playbook engine is not load-bearing, and where the absence of Threat Explorer historical investigation is acceptable. MDO P2 adds the investigation, hunting, and training plane — Threat Explorer, AIR, Attack Simulation Training, Campaign View, the advanced hunting EmailEvents/UrlClickEvents/EmailAttachmentInfo tables, and the Defender XDR cross-domain correlation. P2 is the pragmatic floor for any enterprise above 2,000 seats with material BEC, phishing, or supply-chain exposure, for any regulated industry running supervisory review, and for any customer who has standardized on Microsoft 365 E5 or M365 E5 Security. EPC Group recommends the MDO P2 plane through the M365 E5 Security bundle for every enterprise above 2,000 seats.

What are the Exchange Online mailbox size limits, archive limits, and message limits?

Mailbox size — Plan 1 ships a 50 GB primary mailbox, Plan 2 ships a 100 GB primary mailbox plus auto-expanding archive up to 1.5 TB in 100 GB increments. Shared mailboxes — 50 GB free of license; assign a Plan 2 license for the 100 GB ceiling. Resource mailboxes (room and equipment) — 50 GB without separate license. Message limits — 150 MB attachment limit (recipient and sender), 500 recipients per message envelope, 1,000 messages per minute per mailbox SMTP submission limit, 10,000 recipients per day per mailbox external send limit (the anti-spoof and anti-spam threshold). Public-folder limits — 1 TB per tenant total, 1 GB per public folder by default with override available, 250,000 public folders per tenant. The auto-expanding archive grows in 100 GB increments only when the user has been mail-active for at least 30 days, which is the canonical archive growth gotcha for M&A migrations.

What is the difference between Litigation Hold, In-Place Hold, and Microsoft Purview Retention Policies?

Litigation Hold is the mailbox-wide preservation surface — once enabled, every item in the mailbox (including soft-deleted items and items modified after the hold is placed) is preserved indefinitely or until the hold is removed. Litigation Hold requires Exchange Online Plan 2 and is the simplest preservation pattern for legal-hold scenarios. In-Place Hold is the query-scoped preservation surface — preserves only items matching a specified KQL query (sender, recipient, date range, keyword, attachment type). In-Place Hold is being deprecated in favor of Microsoft Purview eDiscovery hold and Microsoft Purview retention policies. Microsoft Purview Retention Policies are the unified retention surface across Exchange Online, SharePoint Online, OneDrive, Teams chat, Teams channel, and Yammer — scoped through retention labels and adaptive policy scopes (department, location, role). Retention policies are the canonical retention pattern post-2024; In-Place Hold is for legacy preservation only. EPC Group ships Litigation Hold for active legal-hold cases plus Microsoft Purview retention policies for the steady-state retention floor; the two preservation models coexist without conflict.

How does EPC Group sequence the SPF, DKIM, DMARC deployment and DMARC enforcement progression?

EPC Group ships the canonical three-stage DMARC enforcement progression. Stage one — p=none with RUA aggregate reporting enabled (rua=mailto:dmarc@customer.com). Stage one runs for 60 to 90 days to inventory every legitimate sender across the customer estate, fix SPF includes for every legitimate Marketing Cloud, transactional email service, and partner-domain sender, deploy the dual-selector DKIM rotation (selector1 and selector2), and triage every unauthenticated source surfaced in the RUA reports. Stage two — p=quarantine with pct=25 ramping to pct=100 over 60 days. Stage two triages quarantine-routed legitimate mail and tunes SPF and DKIM until the legitimate fail rate is under 1 percent. Stage three — p=reject. Stage three runs steady-state with the RUA aggregate review as the ongoing change-detection plane. The full progression runs six to nine months for a Fortune 500 with a complex marketing automation footprint. EPC Group ships the staged progression as a fixed-fee deliverable inside the Phase 2 Foundation work.

How does Exchange Online + EOP + MDO integrate with Microsoft Sentinel, Microsoft Purview, and Microsoft Defender XDR?

MDO email signal feeds Microsoft Defender XDR through the native incident graph — every MDO incident appears in security.microsoft.com alongside MDE endpoint, MDCA SaaS, MDI on-prem AD, and MDVM vulnerability signal. The advanced hunting EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, and UrlClickEvents tables are joinable in KQL against DeviceProcessEvents, IdentityLogonEvents, and CloudAppEvents — the cross-domain hunt is one query, not three. Microsoft Sentinel pulls the MDO incident stream through the native Defender XDR data connector for SIEM-native correlation with non-Microsoft logs and SOAR playbook orchestration. Microsoft Purview Communication Compliance pulls Exchange Online + Teams + Yammer signal for supervisory review. Microsoft Purview DLP enforces policy at the Exchange Online transport layer for outbound data loss prevention. The four-product integration loop (Exchange Online + Defender XDR + Sentinel + Purview) is the Microsoft 365 reference architecture for the F500 customer base and is the practical deployment pattern EPC Group ships across every managed Exchange Online engagement.

Continue exploring the EPC Group Microsoft 365 library

Exchange Online + EOP + MDO is the mail-protection plane inside the broader Microsoft Cloud orchestration story. These hubs cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which Exchange Online, Defender XDR, Purview, and Entra all sit.

Exchange consulting practice

The EPC Group Exchange platform engineering practice — hybrid topology design, mailbox migration, and steady-state operations.

Microsoft 365 consulting services

The broader Microsoft 365 platform engineering practice underneath the E3-to-E5 license uplift that funds MDO P2.

Microsoft 365 Admin Center Enterprise Guide (2026)

The unified admin surface for Exchange Online, SharePoint, Teams, Entra, and the Microsoft 365 lifecycle.

Microsoft Purview DLP + Insider Risk (2026)

Microsoft Purview DLP enforces policy at the Exchange Online transport layer; Insider Risk correlates user behavior with email-borne risk signal.

Microsoft Defender XDR (2026)

The unified XDR surface where MDO email signal fuses with MDE endpoint, MDCA SaaS, MDI identity, and MDVM vulnerability signal.

Standards alignment library

NIST CSF 2.0, ISO 27001, HIPAA, FedRAMP, FINRA, CMMC, and GxP control mappings for Microsoft platforms.

Consolidate Proofpoint and Mimecast onto MDO P2

Migrate your mail estate onto Exchange Online + EOP + Defender for Office 365

Book an Exchange Online briefing with an EPC Group senior architect. Two-hour working session — mailbox class inventory, mail-flow topology review, MDO license uplift recommendation, DMARC posture audit, accelerator scoping. Zero obligation, board-ready output.

Book the briefing Call 888-381-9725

HIPAA · SOC 2 · FedRAMP-aligned · FINRA · CMMC · GxP — auditor-ready control evidence ships standard.Senior-architect led from kickoff through go-live.

‌
‌
‌

‌
‌