Why Do You Need 365 Threat Monitor for Microsoft Office 365 – is Defender or EOP enough?

There are times when the built-in native tools do a good enough job and there are times when you need to look elsewhere – Exchange Online Protection in Office 365 is one of the latter. While it boasts an impressive 99% spam detection rate, one should wonder if 99% is high enough. At scale, the difference between 99% and 99.9% can be vast.


Also consider the fact that Exchange Online Protection’s detection percentage guarantee is only applicable to email containing primarily English text, and the fact that zero-day exploits are not covered by Microsoft’s money-backed SLA.

Spam Effectiveness Service Level
Virus Detection Service Level

Let’s start by looking at what you get with Threat Monitor.

Both of the above images are from Microsoft’s Online Services SLA document. These are just a few of the reasons why it may make sense to go to a third party for anti-spam services.

If you’re still on the fence, what if there were a way to find out how effective EOP is for your organization? We’re happy to announce that we created a solution for that with Threat Monitor. It’s a free new mobile app that helps you see exactly what Microsoft’s built-in tools didn’t catch in inbound emails.

What Does Threat Monitor Offer?

In short, 365 Threat Monitor makes it easy to test the permeability of the M365 EOP malware filter. It does so by scanning incoming email and showing the harmful content that is circumventing Exchange Online Protection and making it all the way to end-user mailboxes.

Additional features include:

  • Identification of targeted advanced threats in addition to spam and virus emails
  • Ability to manually delete suspect emails from user mailboxes
  • No MX record change requirement

How to Set Up Threat Monitor

OAuth Permission Request

Setting up 365 Threat Monitor is very easy: simply download the mobile app from either the Google Play Store or the Apple App Store, enter your company information, and connect to Microsoft 365 (it’s a service that uses OAuth permissions).

In case you missed it above, one important fact is worth mentioning again: you do not need to change your Mail eXchanger (MX) DNS records to have inbound email go through an external service prior to reaching Exchange Online. At least in a medium to large organization, altering MX records is a high-risk change that requires planning and risk management, whereas you can get Threat Monitor up and running in under a minute, with no changes to your existing environment.

Again, simply install the app, and authenticate to O365. It’s that easy.

Capabilities and Features

Threat Statistics

Everyone who has an Exchange Online mailbox in Microsoft 365 is protected by Exchange Online Protection (EOP), which blocks spam, advertising emails and malicious links and attachments. However, Threat Monitor goes a step further and shows you the malicious and unwanted emails that Exchange Online Protection missed.

Once set up for your tenant, you can access email live tracking right from the app to see which emails weren’t flagged by EOP, and are actively sitting in user mailboxes in your organization. Threat Monitor will classify each piece of mail as Spam, a Threat or an Advanced Threat, depending on the level of severity.


One utility that has a direct impact is the ability to delete emails out of users’ inboxes straight from the dashboard. This allows administrators to remove the threat from the affected mailbox without risk of the end user interacting with the suspected piece of email.

Threat Monitor Statistics View Explanation

For large tenants, one very useful feature is the ability to search for particular emails or recipients. On top of that, you can also narrow down the time period displayed and get a tally of Spam, Threat, and Advanced Threat emails for the selected time period.

Threat Monitor Top Targets View

Email Threat Statistics summarized in the three categories above paired with a list of the top targeted users (shown below) and how many unwanted emails they have received provides a high degree of information to administrators to help protect end-users. You’ll find, particularly for advanced threats that are specifically aimed at certain users, that a spike in volume indicates a targeted attack and should be investigated.

How Threat Monitor Compares to Similar Microsoft Services

VS Exchange Online Protection (EOP)

EOP provides a baseline of protection, relying on IP address, sending email server reputation, three different signature-based anti-virus scanners, and machine learning (ML) to analyze delivery patterns and other signals within each email. However, it does not catch everything and there was no straightforward way of finding out what EOP missed in your users’ mailboxes. Threat Monitor comes in to show you what EOP missed, and helps you act on potential threats.

VS Defender for Office 365

Microsoft does offer Defender for Office 365 (formerly Office 365 Advanced Threat Protection, ATP), which enhances EOP’s protection by detonating never-before-seen email attachments in a VM sandbox and rewriting URLs to ensure safety at time-of-click. However, Defender for Office 365 is included only in the Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5 SKUs, or as a separate add-on at an extra cost. This means that most businesses have to rely on EOP only.

Upgrade Paths to Additional Services

There is a seamless upgrade path from Threat Monitor to 365 Total Protection if you need more features. 365 Total Protection Enterprise (at $4 per user per month) is a full-fledged email security and hygiene service. On top of the Email Live Tracking features above, you’ll have granular control over email categories and content so that you can block unwanted emails at the edge, rather than having to delete them out of users’ mailboxes after the fact. You can set email signatures with company disclaimers and use both PGP and S/MIME for email encryption, with certificate handling built in.

On top of that, 365 Total Protection Enterprise boasts email archiving / journaling with up to 10 years retention, eDiscovery and sandbox analysis of attachments, URL rewriting and scanning (both in emails and in attachments) and, interestingly, Contingency Covering with a failover environment for email when Microsoft 365 is down.



Getting actual statistics rather than anecdotal evidence on what EOP lets slip by in a given tenant is useful when you’re trying to keep everyone safe. Threat Monitor was designed as a free app that catches the slips for you. It allows you, the busy Office 365 administrator, to give it a test run for a few weeks to see if it will keep unsavory threats out of your users’ mailboxes and thus lighten your incident response load. Give Threat Monitor a try and let us know in the comments what you think about it.