June 1, 2020
Microsoft Office 365 Advanced Threat Protection: Complete Overview
There are diverse software threats that can lead to data loss or corruption in the modern computer world. Viruses, malware, ransomware, spyware, phishing and other threats continue to grow in sophistication, so it can be difficult to detect and defuse them in time, before your valuable data is lost. Many of us remember the dangerous ransomware attacks of 2017, when many users and companies lost large amounts of data. Protection against software threats is important for both on-premises and cloud environments. Microsoft 365 is a cloud platform, and Microsoft provides dedicated protection solutions with the Microsoft 365 suite that can be used to protect your data against threats. In this blog post, we look at one of these solutions from Microsoft, known as Office 365 Advanced Threat Protection.
What Is Advanced Threat Protection?
Office 365 Advanced Threat Protection is a cloud-based filtering service that protects your company against viruses and other malware, including zero-day attacks (attacks performed with malware that exploits newly found vulnerabilities which have not yet been fixed by patches or updates). Microsoft Office 365 Advanced Threat Protection can protect Exchange Online and other Microsoft 365 services in your organization against the newest viruses and unidentified complex threats that have not been studied yet and cannot be recognized by the latest virus signature databases of most antivirus products.
How Office 365 Advanced Threat Protection Works
Office 365 Advanced Threat Protection uses policies configured by a system administrator and filters data, suspicious behavior and other parameters at the level of the organization, domain, user, and recipient.
Office 365 Advanced Threat Protection (ATP) works integrated with Exchange Online Protection and Office 365 Threat Intelligence. Using ATP in the cloud can offload your mail servers and the protection systems running on those mail servers, including on-premises servers. It is not recommended that you turn off Office 365 Advanced Threat Protection.
Advanced Threat Protection can protect email attachments, links, and files uploaded by users to OneDrive for Business, SharePoint Online, and Teams, as well as detect links to phishing websites, sites hosting malware, and the presence of malicious code in downloaded or uploaded files. URL trace capabilities help system administrators block potential sources of threats and understand their nature and where they come from.
Office 365 Advanced Threat Protection contains many useful features to protect your data when using Office 365 services. Let’s explore these features in detail.
Policies determine the protection level and the reaction to predefined threats that can be set on different levels. Policies provide flexible options that a system administrator who manages Microsoft 365 can configure. If you are a system administrator, you can set who is affected by policies and how strict these policies are.
Safe Attachments is used to ensure that files attached to email messages are not malicious, providing zero-day protection for your email messaging system. Before a message is delivered to a user’s mailbox, it is routed to a special environment where the attached files are checked by using virus signatures, machine learning and advanced analysis techniques to detect viruses. If no viruses are detected in the attachment, the email message is forwarded to the mailbox. The mechanism behind Safe Attachments is called attachment sandboxing.
Safe Links uses a working principle similar to Safe Attachments. This feature checks links in emails and in other files that are uploaded or downloaded in the Microsoft 365 environment. If Microsoft 365 ATP detects that a link is not safe, a warning message is displayed (just as for downloadable files). You can configure the feature to redirect users to a warning page if a user tries to click a link detected as malicious; the system blocks malicious links dynamically. The Safe Links feature was updated and no longer substitutes the original link with a modified link to a web page in the Microsoft cloud.
ATP for SharePoint
ATP for SharePoint protects users who collaborate by using SharePoint Online sites and shared files inside your organization by detecting and blocking suspicious files in document libraries and team sites, including files stored on OneDrive. The identified malicious content is blocked. Users cannot open, copy, move, edit or share a blocked file that is classified as malicious. The malicious file can only be deleted. The ability to download the file depends on the configuration.
After anti-phishing policies are defined, self-learning models with complex algorithms are used to detect phishing attacks automatically and quickly. Mailbox intelligence analyzes the email and communication habits of users and aggregates the learned data to help detect phishing attempts in the future. These combined measures make scam attacks difficult to accomplish successfully.
Unwanted and potentially dangerous files can be moved to quarantine. The quarantined data can be manually restored or deleted by a system administrator. Data in the quarantine is deleted after the configured retention period expires. You may be familiar with the working principle of quarantine if you have used Microsoft 365 Exchange Online Protection.
Hackers can send emails on behalf of one or more accounts by substituting the sender name. If a user receives such a “spoofed” email, it may appear safe when the sender uses a manager’s name in the sender field. But a spoofed email that contains a request to transfer money or send credentials, or that carries malicious scripts, cannot be safe and constitutes a threat to users and the entire organization. Office 365 Advanced Threat Protection includes the Spoof Intelligence feature, which can detect whether a sender is using a real name or a spoofed name. The administrator of your company can see the full list of senders who use a certain company domain and review who is spoofing your domain or any external domains. Administrators can block a sender who uses a domain name or user name pretending to be an employee of your company.
Office 365 Advanced Threat Protection provides informative reports so you can see the protection status and analyze incoming threats. A report is a single view that combines information about detected threats, including malicious email and other malicious content. Threats detected by Office 365 Advanced Threat Protection and Exchange Online Protection are shown in the reports. Information for the previous 90 days (the maximum period that can be configured) is displayed in the reports. After analyzing the reports, administrators can adjust the policies.
Threat Investigation and Response
In large companies, specialists can be overwhelmed by the large number of security alerts they have to deal with. Sorting a high number of emails by their attributes is a time-consuming task. Office 365 Threat Investigation and Response can help the system administrators and security specialists of your company operate more efficiently. Administrators can view detected threats and configure automated actions to mitigate different types of threats. Administrators can compose playbooks with the appropriate actions for detected threats, and review and approve the actions or recommendations that Office 365 Advanced Threat Protection suggests after an automated investigation in order to remediate threats.
Unlike Exchange Online Protection, which is available by default for Microsoft 365 users, Advanced Threat Protection is available only with the top subscription plans or can be bought separately.
Users often ask: "Does Microsoft 365 E3 include advanced threat protection?" Unfortunately, it doesn’t. Microsoft Office 365 Advanced Threat Protection is included in the following subscription plans:
- Microsoft 365 E5
- Microsoft 365 A5
- Microsoft 365 Business Premium
However, you can buy the Office 365 Advanced Threat Protection license on top of the following subscription plans:
- Exchange Online Plan 1
- Exchange Online Plan 2
- Exchange Online Kiosk
- Exchange Online Protection
- Microsoft 365 Business Basic
- Microsoft 365 Business Standard
- Microsoft 365 Enterprise E1
- Microsoft 365 Enterprise E3
- Microsoft 365 Enterprise F3
- Microsoft 365 A1
- Microsoft 365 A3
If Office 365 Advanced Threat Protection is not included in your subscription plan, you can pay for one of the standalone ATP subscription plans using a per-user licensing model:
- Advanced Threat Protection Plan 1
- Advanced Threat Protection Plan 2
Let’s look at how Office 365 Advanced Threat Protection can be configured.
As an alternative, you can open a direct link to the Microsoft 365 Security & Compliance admin center:
In the left pane, click Threat management and then click Dashboard.
The security dashboard, also referred to as the threat dashboard, displays the current threat protection status and links to configuration pages.
Click Policy in the left (navigation) pane, and the page where you can view, edit, and create policies appears. You can configure anti-phishing, anti-spam, and anti-malware policies. Let’s click Anti-malware and see how to create a new anti-malware policy.
The anti-malware page opens. Click the + icon to create a new anti-malware policy for Office 365 Advanced Threat Protection.
A new pop-up window opens.
Enter the policy name, description, and define other policy options such as:
- Malware detection response
- Common Attachment Types Filter
- Malware Zero-hour Auto Purge
Finally, specify for whom this policy is applied, and hit Save.
The policy is now created and displayed in the list of policies on the Malware page.
Anti-phishing policies are created slightly differently from anti-malware policies.
First, go to Threat Management > Policy and hit Anti-phishing.
The Anti-phishing page is opened (see the screenshot below). If you open this page for the first time, the list of anti-phishing policies is empty.
Click the +Create button to create a new anti-phishing policy for Office 365 Advanced Threat Protection.
A new policy wizard opens as a pop-up window.
Name your policy. Enter a name for a new anti-phishing policy. You can also enter a description.
Applied to. Define recipients or domains in your organization this policy will apply to or exclude by adding conditions and selecting recipients. For example, you can apply the policy to the entire domain, group membership, or group and domain combinations. Then hit Next to continue and go to the next step.
Review your settings. Check your settings and edit them if needed. If everything is correct, hit Create this policy.
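Both of the policies walked through above (the anti-malware policy with its three options, and the anti-phishing policy with its "Applied to" and "Review your settings" steps) can also be created from Exchange Online PowerShell. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that you hold a role allowed to manage threat policies, and every policy name, domain and address in it is a placeholder.

```powershell
# Added example, not from the original post: create the anti-malware and
# anti-phishing policies walked through above with Exchange Online PowerShell
# instead of the admin center. Assumes the ExchangeOnlineManagement module is
# installed and a role that may manage threat policies; every name, domain and
# address below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# --- Anti-malware policy: the three options offered by the pop-up window ---
$malwareParams = @{
    Name             = 'ATP-Malware-Standard'
    AdminDisplayName = 'Delete messages that carry malware'
    Action           = 'DeleteMessage'      # Malware detection response
    EnableFileFilter = $true                # Common Attachment Types Filter
    FileTypes        = @('exe', 'js', 'vbs', 'scr', 'ps1', 'jar', 'iso')
    ZapEnabled       = $true                # Malware Zero-hour Auto Purge
}
New-MalwareFilterPolicy @malwareParams | Out-Null

# The rule decides "for whom this policy is applied": here, every recipient in the domain.
New-MalwareFilterRule -Name 'ATP-Malware-Standard-Rule' `
    -MalwareFilterPolicy 'ATP-Malware-Standard' `
    -RecipientDomainIs 'contoso.example' -Priority 0 | Out-Null

# --- Anti-phishing policy: mailbox and spoof intelligence plus impersonation checks ---
$phishParams = @{
    Name                                = 'ATP-Phish-Leadership'
    AdminDisplayName                    = 'Impersonation protection for leadership'
    EnableMailboxIntelligence           = $true         # learns each user's contact habits
    EnableSpoofIntelligence             = $true         # the Spoof Intelligence feature
    AuthenticationFailAction            = 'Quarantine'  # mail that fails sender authentication
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.example')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    PhishThresholdLevel                 = 2             # 1 standard ... 4 most aggressive
}
New-AntiPhishPolicy @phishParams | Out-Null

# "Applied to" step of the wizard: attach the policy to the whole domain.
New-AntiPhishRule -Name 'ATP-Phish-Leadership-Rule' `
    -AntiPhishPolicy 'ATP-Phish-Leadership' `
    -RecipientDomainIs 'contoso.example' -Priority 0 | Out-Null

# "Review your settings": confirm what was created and who it covers.
Get-MalwareFilterRule 'ATP-Malware-Standard-Rule' | Format-List Name, MalwareFilterPolicy, RecipientDomainIs
Get-AntiPhishPolicy 'ATP-Phish-Leadership' |
    Format-List Name, EnableSpoofIntelligence, EnableMailboxIntelligence, TargetedUsersToProtect
Disconnect-ExchangeOnline -Confirm:$false
```

The rules (not the policies) carry the recipient scope, so reordering or narrowing who is covered later means editing the rule with Set-MalwareFilterRule or Set-AntiPhishRule rather than the policy.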
Email messages and files that are classified as potentially dangerous are moved to quarantine if the appropriate settings are used for Office 365 Advanced Threat Protection.
Go to Threat management > Review > Quarantine to open quarantine. You can also use a direct link: https://protection.office.com/quarantine
Quarantine can be accessed by the administrator or another user who has permissions to manage quarantine. Members of the Quarantine role in the Office 365 Security & Compliance Center have permissions to manage quarantine.
On the Quarantine page you can sort results by clicking the title of the needed column. Click Modify Columns to select which columns must be displayed.
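The same quarantine review can be done from Exchange Online PowerShell, which is handier than the column sorting above when the list is long. This is an added example, not code from the original post or from Microsoft; it assumes an existing Connect-ExchangeOnline session with permission to manage quarantine, and the message identity near the end is a placeholder.

```powershell
# Added example, not from the original post: review quarantine from Exchange
# Online PowerShell rather than the Quarantine page. Assumes an existing
# Connect-ExchangeOnline session with permission to manage quarantine; the
# message identity near the end is a placeholder.
$since = (Get-Date).AddDays(-7)
$items = Get-QuarantineMessage -StartReceivedDate $since -PageSize 1000

# The same view the page gives by sorting columns: how many items per quarantine reason.
$items | Group-Object Type | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Items whose retention period ends within two days. Once Expires passes they are
# deleted, so anything a user still needs must be reviewed before then.
$expiring = $items | Where-Object { $_.Expires -lt (Get-Date).AddDays(2) }
$expiring |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Expires |
    Export-Csv -Path .\quarantine-expiring.csv -NoTypeInformation

# Inspect a single item in full before deciding what to do with it.
$id = '<PLACEHOLDER-QUARANTINE-MESSAGE-IDENTITY>'
Get-QuarantineMessage -Identity $id |
    Format-List ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Released, Expires

# Manual restore or delete, the two administrator actions the post describes:
# Release-QuarantineMessage -Identity $id -ReleaseToAll
# Delete-QuarantineMessage -Identity $id
```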
Reports are useful to see the current status and statistics of your Microsoft 365 environment. In the navigation pane of the Office 365 Security & Compliance admin center click Reports > Dashboard to see the dashboard with graphs and diagrams.
On this page you can see the summary including:
- Recent reports for download
- Top 5 labels
- Labels trend over the past 90 days
- How labels were applied
- Labels classified as records
- Exchange Transport Rule
- Threat protection status
- Malware detected in email
- Top malware
- Top senders and recipients
- Spoof detections
- Spam detections
- Compromised users
- Sent and received email
- Forwarding report
- Connector report
- Encryption report
Hover over the graph to see more information. Click the needed chart or diagram to open it in the full-window mode and see the details. After clicking Spoof detections, a detailed spoof mail report is displayed.
By default, a 7-day period is displayed on charts and graphs, but this period can be increased up to 90 days in settings. Trial users of Microsoft 365 with Advanced Threat Protection can view data for a maximum of 30 days in reports.
This Office 365 Advanced Threat Protection review has detailed how you can protect your data against zero-day attacks and sophisticated threats when using Microsoft 365 and reduce the risk of data corruption and data loss. Real-time reporting capabilities help you monitor your Microsoft 365 environment and react in time if threats are detected. It is possible to configure automated actions to neutralize detected threats. Office 365 Advanced Threat Protection is integrated with other Microsoft 365 services such as OneDrive, SharePoint Online, Exchange Online and other services.
Advanced Threat Protection can help you protect against threats such as harmful links, spam, viruses and diverse malware. However, you can achieve a higher level of data protection if you also back up your Microsoft 365 data.