Office 365 Advanced Threat Protection
Overview of Office 365 Advanced Threat Protection
This article is intended for business customers. If you are a home user looking for information about Safe Links in Outlook, see Advanced Outlook.com security.
Office 365 Advanced Threat Protection (ATP) helps to protect your organization from malicious attacks by:
Scanning email attachments for malware with ATP Safe Attachments
Scanning web addresses (URLs) in email messages and Office documents with ATP Safe Links
Identifying and blocking malicious files in online libraries with ATP for SharePoint, OneDrive, and Microsoft Teams
Checking email messages for unauthorized spoofing with spoof intelligence
Detecting when someone attempts to impersonate your users and your organization's custom domains with ATP anti-phishing capabilities in Office 365
Protection through Office 365 ATP is determined by policies that your organization's security team defines for Safe Links, Safe Attachments, and Anti-Phishing. It's important to define policies, and to periodically review and revise those policies to keep them up to date and to take advantages of new features that are added to the service.
Reports are available to show how ATP is working for your organization. These reports can also show you areas where you might need to review and update your policies. And, if you have files that are marked as malware that shouldn't be, or files you'd like Microsoft to examine, you can submit a file to Microsoft for analysis.
New features are continually being added to ATP
We are continuing to add new features to Office 365, and that includes ATP. Below is a list of several new features, some of which call for an ATP policy to be reviewed and updated. To learn more about new features coming to ATP (or Microsoft 365 in general), visit the Microsoft 365 Roadmap.
|Feature updates||Action items|
|Beginning in February 2019 and rolling out over the next several months, Threat Intelligence capabilities are being added to ATP. In addition, if your organization does not currently have ATP, you'll have new options to consider, including ATP Plan 1 and ATP Plan 2. To learn more, see Office 365 Advanced Threat Protection plans and pricing and the Office 365 Advanced Threat Protection Service Description.||Review your organization's subscription, and if needed, Buy or edit an add-on.|
|Beginning in October 2018 and rolling out over the next several months, when people are using Outlook or Outlook Web Application (OWA), ATP Safe Links renders original URLs, not rewritten URLs. (We call this native link rendering.)
When native link rendering is available for your organization, this feature will work in Outlook 365 (Click-to-Run) and OWA.
|Beginning in September 2018, Office 365 ATP warning pages feature a new color scheme, more details, and the ability to continue to a site despite given warnings and recommendations.||None|
|Beginning in the second half of 2018, ATP Safe Links protection is extended to apply to URLs in Office Online (Word Online, Excel Online, PowerPoint Online, and OneNote Online) and Office 365 ProPlus on Mac.||Review and edit your ATP Safe Links policies|
|Beginning in late May 2018, quarantine capabilities in the Security & Compliance Center are being extended to ATP for SharePoint Online, OneDrive for Business, and Microsoft Teams.||Review and edit your ATP Safe Attachments policies|
|Beginning in March 2018, ATP Safe Links protection is extended to apply to email sent between people within an organization.||Review and edit your ATP Safe Links policies|
|Beginning in late October 2017, ATP Safe Links protection is extended to apply to URLs in email as well as URLs in Office 365 ProPlus documents, such as Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices.||Make sure you're using Modern Authentication for Office|
Get Office 365 ATP
Office 365 ATP is included in subscriptions, such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, and Office 365 Education A5. If your organization has an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see Office 365 Advanced Threat Protection plans and pricing and the Office 365 Advanced Threat Protection Service Description.
Define policies for ATP
To define (or edit) ATP policies, you must be assigned one of the roles described in the following table:
|Office 365 Global Administrator||The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.)|
|Security Administrator||Azure Active Directory admin center (https://aad.portal.azure.com)|
|Exchange Online Organization Management||Exchange admin center (https://outlook.office365.com/ecp)
PowerShell cmdlets (See Exchange Online PowerShell)
To learn more about roles and permissions, see Permissions in the Office 365 Security & Compliance Center.
There are several kinds of ATP policies to define and periodically review.
Set up ATP anti-phishing policies in Office 365 including impersonation-based attacks to protect against attackers who send email messages that appear to be from trusted people or domains.
Set up ATP Safe Attachments policies in Office 365 and choose from several options, such as Dynamic Delivery and previewing.
See how ATP is working by viewing reports
After your ATP policies are in place, reports are available to show how the service is working. (In the Office 365 Security & Compliance Center, go to Reports > Dashboard.)
As an Office 365 global administrator, a security administrator, or a security reader, go to https://protection.office.com and sign in.
Go to Reports > Dashboard. (To get help with these reports, see View reports for Advanced Threat Protection.)
If needed, make adjustments to your security policies. To get help with this, see the following resources:
Submit a suspicious file to Microsoft for analysis
If you get a file that you suspect could be malware, you can submit that file to Microsoft for analysis. Visit the Windows Defender Security Intelligence submission portal.
If you get an email message (with or without an attachment) that you'd like to submit to Microsoft for analysis, use the Report Message add-in.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.