Advanced Threat Protection (ATP) is Microsoft’s cloud-based filter service for combing through in/out bound emails for any potentially malicious activity within. This includes but is not limited to phishing, malware, and viruses. ATP is an excellent solution to protect any organization from a potentially catastrophic intrusion or destruction of sensitive data.
ATP is not limited to Microsoft based email solutions. It’s a very agile and robust filtering tool that can protect,
- O365 cloud-based email environments.
- O365 on-prem Exchange Server 2013 or legacy Exchange Server versions.
- Any other on-prem SMTP email solution.
- Hybrid mail set-ups that have a mix of on-prem and cloud-based mailboxes using Exchange Online Protection for inbound email filtering.
The main features of ATP can be broken down to,
- Safe Links
- Safe Attachments
- Spoof Intelligence
- Advanced anti-phishing capabilities
We will touch on each of these features more in depth later on in this documentation.
ATP is typically a separately licensed product by Microsoft unless you have either,
- Office 365 Enterprise E5
- Office 365 Education
- Microsoft 365 Business
The above-mentioned licenses have ATP already included. If you do not have one of the licenses already do not worry, this service can also be added to,
- Exchange Online Plan 1
- Exchange Online Plan 2
- Exchange Online Kiosk
- Exchange Online Protection
- Office 365 Business Essentials
- Office 365 Business Premium
- Office 365 Enterprise E1
- Office 365 Enterprise E3
- Office 365 Enterprise F1
- Office 365 A1
- Office 365 A3
This feature is one of the most noticed, and important, features of ATP. It provides “time-of-click” verification of all URL’s that are hyperlinked inside of emails being sent to or within an organization’s email environment. The way this works is when an email is received by a user in an ATP enabled environment several filters are applied. It will go through Exchange Online Protection and will check for malware, spam, and suspicious IPs. After it will have a Safe Link URL appended to the link, this can be viewed by hovering over the link in an ATP environment.
It is not done there though, after the user opens the email and selects the link ATP will then checks the URL again to make sure that there is nothing potentially malicious on the other side. A link will be defined as either blocked, malicious, or safe.
ATP is also customizable by the end user organization. This is done by defining custom policies for Safe Links through the Exchange Admin center. This offers a plethora of options for an admin to customize such as tracking of links, turn safe link on or off for completely internal emails, allowing users to click through to the original URL and much more.
Much like Safe Links above, Safe Attachments stages an email that contains an attachment in a “quarantine” zone. ATP will then take advantage machine learning to check the message for any malicious intent. If no suspicious activity or malicious intent is detected than the message is released for delivery.
Policies are also available for Safe Attachments. Some examples of Safe Attachment policy manipulation is the ability to turn attachment scanning on or off, follow detected malware throughout your environment, replace attachments with a notification that the message contained potentially harmful materials.
This feature allows for an origination to monitor the spoofing of all domains going into or out of an email environment. For any domains that are a part of the organization that has ATP set up it will look at the senders who are spoofing the organization’s domain and depending on the policies that are in place, either allow the email to pass and monitor it or block it entirely.
For any external senders spoofing domains that are flowing into the organization ATP will check the sender, record the data, and depending on the policies that are in place either allow or block the email. Much like the previously mentioned parts of ATP policies can be made for Spoof Intelligence to directly react to spoofing however the end user sees fit for their environment.
The quarantine zone, found inside of the Security & Compliance section of O365, extends the protection of EOP (exchange online protection). All emails that have been classified as malware by existing policies will end up here. An exchange/email admin can then view the emails and decide rather to release them from quarantine or delete them without ever letting the potentially malicious message reach the end user. If an admin can “Preview” any message inside the quarantine zone without exposing themselves to damage. This allows for a more thorough evaluation of malicious messages to determine if they should be removed or not.
Advanced Anti-Phishing Capabilities
Inside the Security & Compliance center of O365 an administrator can set up anti-phishing polices for ATP. All of this is found under the Threat management blade. Examples of these policies include,
- Adding email addresses to protect, these can be either internal or external addresses (up to 60 different addresses).
- Defining protected domains, this will help fight against impersonation by spam and phishing attackers.
- Enabling mailbox intelligence, only available to cloud-based accounts, this allows for a more in-depth assessment of activity by each individual email user to better determine when an email going into or out of an account could potentially be spam.
On top of ATP, Phish Hunter can be applied to an environment to double down and dive even more in-depth into the organizations email environment to find and stop threats. More information on Phish Hunter can be found at https://fit-prod-web01.azurewebsites.net/phish-hunter/.