Whats New In Microsoft Advanced Threat Protection?

Microsoft is using the term Advanced Threat Protection with several products so it can be difficult to find the information you need.  In this article we are referring to Office 365 Advanced Threat Protection which is unrelated to Windows Defender Advanced Threat Protection.

In case you want to play along at home, you can get to Office 365 ATP by:

  1. Logging into Portal.Office.com and clicking ADMIN (if you are not already there)office-365-advanced-threat-protection-e5 office-365-advanced-threat-protection-e3
  2. Scroll to the bottom and expand ADMIN CENTERS
  5. Click on POLICY

As you can see in the screen shots to the right, it makes a difference which package you are on.  If you don’t have all 6 blocks fear not, you can pay for them 🙂

NOTE: If you are a Microsoft Partner, like me, you CANNOT buy them, but everyone else can.  An MS staffer told me that this is a qwerk of the system and that Microsoft would like to allow their re-sellers access to these features but can’t.  They should fix that because it is hard for me to sell something I can’t play with and learn about in advance.  … but I digress…

The three features available in Office 365 Advanced Threat Protection are:

ATP AntiPhishing

Anti-Phishing opens all links in a Microsoft cloud virtual machine to see if it is asking for credentials AND if that page is legitimate or not. If the message appears legitimate the email is delivered to a users inbox.  If not it can be flagged, quarantined or deleted.

ATP Safe Attachments

Safe Attachments opens every attachment in a Microsoft cloud virtual machine and runs it against all common software.  For instance, if the attachment was a Word .DOC file, Safe Attachments will open it in Word 2007, 2010, 2013, 2016 and 2019 to see if it contains a malicious payload.  If the message appears legitimate the email is delivered to a users inbox.  If not it can be flagged, quarantined or deleted.

ATP Safe Links

Safe Links rewrites every external link to a Microsoft link (i.e. www.JohnsTravel/FakeLoginPage.asp becomes www.aka.ms/Werwer$#%$ sadfwww.JohnsTravel /FakeLoginpage.asp) so when the link is clicked, it actually goes to Microsoft and Microsoft opens it for you in a protected cloud virtual machine to see if the link is malicious.  If the link is malicious, it blocks you.  If it is not, it takes you to the link.  There are two advantage to rewriting the URL’s to a Microsoft URL:

  1. it works on every device and every piece of software (i.e. Outlook on a PC, Android Mail, Apple Mail…)
  2. some tricky hackers may build a site with nothing malicious on it, then send the email, wait an hour or two for it to get through the Safe Links / Anti-Spam / Malware checks THEN change the site to have malicious content.  If Microsoft were to only check links in the cloud before email was delivered to your inbox, this hacker would get through the filters.

Advanced Threat Protection Cost

These three features cost USD$2/seat/month and for most companies is money well spent.

At the the recent Microsoft Ignite conference in Florida I took an ATP hands-on lab and argued that Phishing is not only the biggest threat facing IT but the biggest threat facing nearly ALL companies.  Staff stealing data, CFO’s stealing money, not being able to find qualified staff for critical positions and even threats of war in some regions pales in comparison to the threat Phishing poses.  All of the other things are either limited in scope or MIGHT occur in the future.  Phishing can bankrupt a company (through the actual theft AND loss of reputation) and it is constantly occurring at an increasing pace and quality inside of every organization including yours.

I believe that ATP should be part of the Exchange Online Protection module and made available at no ADDITIONAL cost to ALL Office 365 customers.  If the price needs to rise to cover the cost, so be it.  The damage occurring to Microsoft’s reputation because they know about these hacks but let them through anyway is increasing daily.

One argument I heard against this is that it will delay email delivery and while that is true I suspect it will only delay it a few seconds at most and virtually no-one would notice.

Questions or Comments?