Hey Checkyourlogs fans,

This week I have been tasked by a customer to deploy Office 365 Advanced threat protection across their Office 365 Email User base. The reason for them decided to go with this is the fact that there are gaps in the security of Office 365 where a user can by default:

  • Receive an Email with a Malicious link in it and have the ability to execute the payload by clicking on the link
  • Receive an Email with a legit attachment without malware but having links to malicious sites where by they click and are infected
  • Receive such emails on their Phones and open these attachments up giving attackers access to their devices
  • Etc

Our posture with Security is that you can never be careful enough. So, when Microsoft introduced Advanced Threat Protection for Office 365 it looked to be exactly what we needed. Understand, that this is the first week of our deployment and we are still piloting with some test users. So, far it appears we have some issues with our tenant account which Microsoft is actively working to fix. Basically, even with ATP enabled for the test accounts bad stuff is still getting in.

I will re-post an update once we have it all working.

Here is a view on the Security and Compliance Center Https://protection.office.com

Showing off the items that ATP is starting to step in front of already with my test account.

Emails like this is one of the attack vectors we are hoping to stop dead in their tracks.

If someone clicks that link it is bad news.

Here is what it looks like when ATP steps in front of the general Mail Queues and Message Categorizers with Office 365.

Once ATP is enabled for the tenant account which appears to take a little while like 24-48 hours for us. You can start configuring your policies

The General cost for ATP is free if you are on Office 365 E5 Licenses or +2.40 CDN if you are on a lesser subscription.

Below is some more general information on ATP from the Microsoft Website for you.

Here is some more information on ATP for you.

Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time. ATP has rich reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in your organization.

The following are the primary ways you can use ATP for messaging protection:

  • In an Office 365 ATP filtering-only scenario, ATP provides cloud-based email protection for your on-premises Exchange Server 2013 environment, legacy Exchange Server versions, or any other on-premises SMTP email solution.
  • Office 365 ATP can be enabled to protect Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online Service Description.
  • In a hybrid deployment, ATP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes with Exchange Online Protection for inbound email filtering.

    Office 365 Advanced Threat Protection (ATP) availability

    ATP is included in Office 365 Enterprise E5 and Office 365 Education A5. You can add ATP to the following Exchange and Office 365 subscription plans:

  • Exchange Online Plan 1
  • Exchange Online Plan 2
  • Exchange Online Kiosk
  • Exchange Online Protection
  • Office 365 Business Essentials
  • Office 365 Business Premium
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Office 365 Enterprise F1
  • Office 365 Education A1
  • Office 365 Education A3

    To buy Office 365 Advanced Threat Protection, see Office 365 Advanced Threat Protection.

    To compare features across plans, see Compare Office 365 for Business plans.

    What’s new in Office 365 Advanced Threat Protection (ATP)

    For information about new features in ATP, see ATP safe links in Office 365.

    Requirements for Office 365 Advanced Threat Protection (ATP)

    ATP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server 2013. For information about the operating systems, web browsers, and languages that are supported by ATP, see the “Supported browsers” and “Supported languages” sections in Exchange Admin Center in Exchange Online Protection.

    Feature availability across Advanced Threat Protection (ATP) plans

    Each feature is listed below. When Exchange Online is mentioned, it typically refers to the Office 365 Enterprise service family.

    Feature ATP standalone Exchange Online Protection
    Safe Links Yes No
    Safe Attachments Yes No
    Spoof intelligence Yes No
    Quarantine Yes Yes
    Advanced anti-phishing capabilities Yes No

    Advanced Threat Protection (ATP) Capabilities

    Safe Links

    The ATP Safe Links feature proactively protects your users from malicious hyperlinks in a message. The protection remains every time they click the link, as malicious links are dynamically blocked while good links can be accessed.

    Safe Attachments

    Safe Attachments protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don’t have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.

    Spoof intelligence

    Spoof intelligence detects when a sender appears to be sending mail on behalf of one or more user accounts within one of your organization’s domains. It enables you to review all senders who are spoofing your domain, and then choose to allow the sender to continue or block the sender. Spoof intelligence is available in the Security & Compliance Center on the Anti-spam settings page.


    Messages identified by the Office 365 service as spam, bulk mail, phishing mail, containing malware, or because they matched a mail flow rule can be sent to quarantine. By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Authorized users can review, delete, or manage email messages sent to quarantine.

    Advanced anti-phishing capabilities

    This feature uses machine learning models to detect phishing messages.

    Thanks and Happy Learning,