Office 365’s Advanced Threat Protection helps protect your organization from malicious attacks. This tool can be used to harden your 365 environment and decrease the likelihood of spam and phishing attacks. In this article, I am going to cover the main features and then give you a step-by-step guide on configuration.
Main Features
- When an ATP Safe Attachments policy is in place and someone covered by that policy views their email in Office 365, their email attachments are checked and appropriate actions are taken, based on your ATP Safe Attachments policies.
- Depending on how your policies are defined, people can continue working without ever knowing they were sent malicious files.
- Beginning in March 2018, ATP protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
- Review all senders who are spoofing either domains that are part of your organization, or spoofing external domains.
- Each spoofed user is displayed in a separate row so that you can choose whether to allow or block the sender from spoofing each user individually.
- Mailbox intelligence analyzes your cloud-based users’ mail flow patterns to determine which contacts they communicate with most often. This helps us more easily identify when an email message might be from an attacker who’s impersonating one of those contacts.
Advanced Reporting
The Security and Compliance Center comes with reports on malware, phishing, spam and much more that you can analyze to see how your policies are functioning.
Licensing Requirements
Here are the subscriptions that include this plan:
- Office 365 Enterprise E5 $35 MSRP
- Office 365 Enterprise E5 Government $35 MSRP
- ATP Add-On $2 MSRP
- Microsoft 365 Business $20 MSRP
Implementation Steps
In this section, I am going to go over how to implement Safe Attachments and Safe Links, as they aren’t turned on by default.
Safe Attachments
Go to Policies
In the Security and Compliance Center, go to Threat Management>Policy
Click ATP Safe Attachments
Click on the ATP Safe Attachments Icon
Turn on for Apps
Checkmark the box next to “Turn on ATP for SharePoint, OneDrive, and Microsoft Teams”
New Policy
Click the + icon to set up a new policy
Adjust Settings
You have the option to select what action to take when malware is detected. The options to choose from are Off, Monitor, Block, Replace, and Dynamic Delivery. All of these options will slow mail flow except for Dynamic Delivery. The Dynamic Delivery option sends the mail immediately and replaces the attachment with a placeholder file until the scan is complete. For a more detailed explanation of these options, please follow this support article.
Redirect
You can also choose to redirect the attachment to another email address, such as an admin or quarantine mailbox. Lastly, as you will notice above, you can scope this policy to specific groups or domains.
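The same Safe Attachments setup can be scripted in Exchange Online PowerShell so it can be reviewed and repeated. This is an added example, not part of the original walkthrough; the policy name, admin account and domain are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example. contoso.example, the admin UPN and the policy name are
# placeholders (assumptions), not values from the article.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# "Turn on ATP for SharePoint, OneDrive, and Microsoft Teams"
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

$policyName = 'Safe Attachments - Dynamic Delivery'

# Create the policy and its rule only if they do not exist yet,
# so the script can be re-run safely.
if (-not (Get-SafeAttachmentPolicy | Where-Object Name -eq $policyName)) {
    # -Enable $false corresponds to "Off"; -Action Allow corresponds to "Monitor".
    # The redirect option maps to -Redirect / -RedirectAddress and is left out here.
    New-SafeAttachmentPolicy -Name $policyName `
        -Enable $true `
        -Action DynamicDelivery

    # The rule is what scopes the policy to recipients (domains, groups or users).
    New-SafeAttachmentRule -Name $policyName `
        -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs 'contoso.example'
}

# Review what is actually in force.
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
Get-SafeAttachmentRule |
    Format-Table Name, State, Priority, SafeAttachmentPolicy, RecipientDomainIs

# Flag policies that scan nothing (Off) or only observe (Monitor).
Get-SafeAttachmentPolicy |
    Where-Object { -not $_.Enable -or $_.Action -eq 'Allow' } |
    Select-Object Name, Enable, Action
```

An empty result from the last command means every Safe Attachments policy is enabled and takes an action other than Monitor.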
Safe Links
Policy
In the Security and Compliance Center, go to Threat Management>Policy
Safe Attachments
Click on the ATP Safe Attachments Icon
Default
Here you can click on the Default Policy to see its settings. You will notice that by default, nothing is turned on:
Add
The first thing we can do here is add an asterisk as a wildcard so that URLs start getting scanned for malicious content.
Checkmark
We can also checkmark the box for using Safe Links in Office 365 ProPlus and Office for iOS/Android.
New Policy
The other option is to scroll down and create a new Safe Links policy.
Customize
Here we can give the policy a new name. I recommend checkmarking all of the fields, but you can customize them to fit your organizational needs:
Whitelist
Additionally, you can whitelist certain URLs and define the domains, groups, or users this policy applies to.
Summary
After you click Save, you can see a summary on the right-hand side.
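A custom Safe Links policy can also be created from Exchange Online PowerShell. This is an added example, not part of the original walkthrough; the parameter names are those of the current ExchangeOnlineManagement module and may not match the portal labels shown in this article, and the policy name, domain and URL are placeholders.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# contoso.example, the intranet URL and the policy name are placeholders
# (assumptions), not values from the article.
$policyName = 'Safe Links - All Users'

if (-not (Get-SafeLinksPolicy | Where-Object Name -eq $policyName)) {
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true `
        -TrackClicks $true `
        -AllowClickThrough $false `
        -DoNotRewriteUrls 'https://intranet.contoso.example/*'
    # -ScanUrls also covers links that point to downloadable files.
    # -AllowClickThrough $false stops users from bypassing the warning page.
    # -DoNotRewriteUrls is the whitelist of URLs that are left untouched.

    # The rule scopes the policy to recipients (domains, groups or users).
    New-SafeLinksRule -Name $policyName `
        -SafeLinksPolicy $policyName `
        -RecipientDomainIs 'contoso.example'
}

# Review the resulting settings and scope.
Get-SafeLinksPolicy |
    Format-Table Name, EnableSafeLinksForEmail, EnableSafeLinksForOffice,
                 ScanUrls, TrackClicks, AllowClickThrough
Get-SafeLinksRule |
    Format-Table Name, State, Priority, SafeLinksPolicy, RecipientDomainIs
```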
Live
After the policy is in place, the ATP Safe Links feature immediately checks the URL a user clicks on before opening the website. The URL is identified as blocked, malicious, or safe.
Functionality
If the URL is to a website that is included in the whitelisted URLs list for a policy that applies to the user, the website opens. If the URL is to a website that is included in the organization's custom blocked URLs list, or the URL is to a website determined to be malicious, a warning page opens.
Functionality
If the URL goes to a downloadable file and your organization's ATP Safe Links policies are configured to scan such content, the downloadable file is checked. If the URL is determined to be safe, the website opens.