EOP updates

Author: chrisda

defender-office-365/TOC.yml

@@ -171,7 +171,7 @@
              href: anti-spam-protection-faq.yml
            - name: Zero-hour auto purge (ZAP)
              href: zero-hour-auto-purge.md
-           - name: Configure Microsoft 365 to deliver spam to Junk Email folders in on-premises Exchange
+           - name: Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes
              href: /exchange/standalone-eop/configure-eop-spam-protection-hybrid
          - name: Anti-phishing for all cloud mailboxes and Defender for Office 365
            items:

defender-office-365/advanced-delivery-policy-configure.md

@@ -233,7 +233,7 @@ Back on the **Phishing simulation** tab, the non-Microsoft phishing simulation e
 
 In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:
 
-- **Non-Microsoft filters**: If your domain's MX record _doesn't_ point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) _isn't available_. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as _skip listing_). For more information, see [Manage mail flow using a non-Microsoft cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-non-Microsoft-cloud). If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that the non-Microsoft filtering service already evaluated. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+- **Non-Microsoft filters**: If your domain's MX record _doesn't_ point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) _isn't available_. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as _skip listing_). For more information, see [Manage mail flow using a non-Microsoft cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud). If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that the non-Microsoft filtering service already evaluated. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
 - **False positives under review**: You might want to _temporarily_ allow good messages incorrectly identified as bad (false positives) that you reported via [admin submissions](submissions-admin.md) to Microsoft, and those messages are sill being analyzed. As with all overrides, we _**highly recommended**_ that these allowances are temporary.
 
 ## PowerShell procedures for SecOps mailboxes in the advanced delivery policy

defender-office-365/anti-spam-protection-faq.yml

@@ -52,7 +52,7 @@ sections:
             For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [Recommended anti-spam policy settings](recommended-settings-for-eop-and-office365.md#anti-spam-policy-settings).
 
             > [!IMPORTANT]
-            > In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Configure Microsoft 365 to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+            > In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
             >
             > After you manually create the rule in Microsoft 365 to match the rule in on-premises Exchange, the rule replicates in hybrid environments.
 

defender-office-365/configure-junk-email-settings-on-exo-mailboxes.md

@@ -50,7 +50,7 @@ Admins can use Exchange Online PowerShell to configure entries in the safelist c
 
 - You need to be assigned permissions in Exchange Online before you can do the procedures in this article. Specifically, you need the **Mail Recipients** role (which is assigned to the **Organization Management**, **Recipient Management**, and **Custom Mail Recipients** role groups by default) or the **User Options** role (which is assigned to the **Organization Management** and **Help Desk** role groups by default). To add users to role groups in Exchange Online, see [Modify role groups in Exchange Online](/Exchange/permissions-exo/role-groups#modify-role-groups). Users with default permissions can do these same procedures on their own mailboxes, as long as they have [access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell).
 
-- In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Configure Microsoft 365 to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+- In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
 
   After you manually create the rule in Microsoft 365 to match the rule in on-premises Exchange, the rule replicates in hybrid environments.
 

defender-office-365/eop-about.md

@@ -5,7 +5,7 @@ f1.keywords:
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 06/30/2025
+ms.date: 07/21/2025
 audience: ITPro
 ms.topic: overview
 ms.collection: 
@@ -28,9 +28,9 @@ appliesto:
 
 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
 
-The default email protections for cloud mailboxes protect your Microsoft 365 organization from spam, malware, phishing and other email threats. These protections are included in all organizations with cloud mailboxes.
+The default email protections in Microsoft 365 protect your organization from spam, malware, phishing and other email threats. These protections are included in all organizations with cloud mailboxes.
 
-The default email protections for cloud mailboxes are on by default via the default threat policies for:
+These protections are on by default via the default threat policies for:
 
 - [Anti-malware protection](anti-malware-protection-about.md)
 - [Anti-spam protection](anti-spam-protection-about.md)
@@ -42,6 +42,9 @@ You can customize the security settings in the default threat policies, create c
 
 The rest of this article explains how the default email protections for cloud mailboxes work and the features they contain.
 
+> [!TIP]
+> The default email protections for cloud mailboxes are also available as a separate subscription to protect on-premises email environments (not just Microsoft Exchange). For more information, see [Exchange Online Protection for on-premises organizations](/exchange/standalone-eop/standalone-eop).
+
 ## How the default email protections for cloud mailboxes work
 
 The following diagram shows how the default email protections for cloud mailboxes work.

defender-office-365/mail-flow-about.md

@@ -44,7 +44,7 @@ Microsoft 365 offers flexibility in how your messages are routed. The following
 
 - [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) describes how to configure connectors if your internet mail is routed to a service or device before delivery to Microsoft 365.
 
-- In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Configure Microsoft 365 to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+- In hybrid environments where Microsoft 365 protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the Microsoft 365 spam headers added to messages. For details, see [Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
 
   After you manually create the rule in Microsoft 365 to match the rule in on-premises Exchange, the rule replicates in hybrid environments.