Microsoft Advanced Threat Protection (ATP)

As malicious attacks continue to rise with no end in sight, the same can be said about email attacks also known as Phishing.


These attacks are most commonly launched against businesses. Phishing attempts are meant to deceive employees by impersonating legitimate companies in a attempt to steal the employee’s log in credentials or personal information. Bogus URL’s which include what appear to be legitimate PayPal requests for money are just one form of Phishing.

Phishing Attempts

SPAM filters no longer provide the means to protect an organization against this sort of malicious behavior. Additional safe guards have been created by SPAM providers against email threats. Educating the employees in your company through Phishing scenarios is one method to combat this. One such is method is using PhishMe tool developed by Cofense.

Now this brings us to Microsoft’s Advanced Threat Protection (ATP).

ATP provides an additional level of security. It protects your email, files and Office 365 applications against unknown and sophisticated attacks in real time. This includes your email, files (local and OneDrive for Business) and applications such as Word, Excel, PowerPoint, Visio and SharePoint Online.

With protection against unsafe attachments and\or malicious links, ATP provides a real-time behavioral malware analysis that uses machine learning techniques to properly evaluate any content that may be considered suspicious. Unsafe attachments are kept in a sandbox to ensure they’re safe before being sent to the intended recipient. By doing so, we’re protected from malware and provided a cleaner inbox with better protection.  

The figure below provides a description from start to finish how the process works:


The figure below provides a description if a file is blocked at OneDrive for Business:


Potential malicious links are scanned, and ATP provides protection because the URL’s are examined in real time at the time when the user clicks on the link. If the links are determined to be unsafe, the user is warned not to visit the site or is informed that the site has been blocked.

Email attachments will require a scan before they appear in your Inbox (see below):


URL’s will require a scan before they appear properly in your Inbox (see below):


Once the scan has been completed, it will show all clean attachments as they were sent.  Unsafe attachments will be blocked.

Additional methods to product your Exchange environment can include blocking senders and domain in the EAC (Exchange Admin Center).

Safe attachment policies must be configured in the EAC (Exchange Admin Center) and in order to do so, the following steps must be followed:

  1. Log into the O365 Admin Portal
  2. Browse to the Exchange Admin Center (found under Admin Centers)
  3. Click on Advanced Threats page on the left hand menu
  4. Create a Safe Attachment and Safe Links policy
  5. Select the appropriate settings for your environment for each policy

Statistics can also be provided for ATP using the reporting feature found in the Security & Compliance Center found in your O365 Admin Portal.

ATP is a licensed subscription on a per-user basis ($2/month). The subscriptions can be assigned using Office 365 licensing (via Cloud Provider or using the O365 Admin Portal). The Office 365 E5 suite includes ATP protection but the license subscription is available to any Office 365 license as an add-on.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by

Up ↑

%d bloggers like this: