Office 365 Advanced Threat Protection
This article is intended for business customers who have Office 365 Advanced Threat Protection. If you are using Outlook.com, Office 365 Home, or Office 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced Outlook.com security.
Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. ATP includes:
Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
Reports: View real-time reports to monitor ATP performance in your organization.
Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
Office 365 ATP Plan 1 and Plan 2
ATP is included in Office 365 E5; however, ATP Plan and ATP Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across ATP plans.
Configure ATP policies
Office 365 ATP provides numerous tools to set an appropriate level of protection for your organization.
Your organization's security team must define policies for each ATP tool in the Office 365 Security & Compliance Center. Go to Threat management > Policy to access policy options. (To get some help with this, see Quick Start Guide: Set up Office 365 Advanced Threat Protection.)
The policies that are defined for your organization determine the behavior and protection level for predefined threats. Policy options are extremely flexible. For example, your organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It is important to review your policies regularly because new threats and challenges emerge daily.
ATP Safe Attachments: Provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox. To learn more, see Set up Office 365 ATP Safe Attachments policies.
ATP Safe Links: Provides time-of-click verification of URLs in emails messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click: safe links remain accessible and malicious links are dynamically blocked. To learn more, see Set up Office 365 ATP Safe Links policies.
ATP for SharePoint, OneDrive, and Microsoft Teams: Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries. To learn more, see Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.
ATP anti-phishing protection: Detects attempts to impersonate your users and custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks. To learn more, see Set up Office 365 ATP anti-phishing and anti-phishing policies.
View ATP reports
Office 365 ATP includes an advanced reporting dashboard to monitor your ATP performance. You can access it at Reports > Dashboard in the Security & Compliance Center.
Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Predefined reports include the following:
... and more.
Use threat investigation and response capabilities
Office 365 ATP Plan 2 includes best-of-class threat investigation and response tools that enable your organization's security team to anticipate, understand, and prevent malicious attacks.
Threat trackers provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.
Threat Explorer (or real-time detections) (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.
Attack Simulator allows you to run realistic attack scenarios in your organization to identify vulnerabilites. Simulations of current types of attacks are available, including a display name spear-phishing attack, a password-spray attack, a brute-force password attack, and more.
Save time with automated investigation and response
(NEW!) When you are investigating a potential cyber attack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be. Office 365 ATP Plan 2 will now include automated investigation and response (AIR) capabilities. (If you don't have these capabilities yet, you'll have them soon with ATP Plan 2.)
AIR includes a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer. AIR can save your security operations team time and effort in mitigating threats, effectively and efficiently. To learn more, see Automated Investigation and Response (AIR) with Office 365.
Permissions required to use ATP features
To access ATP features in the Security & Compliance Center, you must be assigned an appropriate role. The following table includes some examples:
|Role or role group||Resources to learn more|
|Office 365 Global Administrator||About Office 365 admin roles|
|Security Administrator||Administrator role permissions in Azure Active Directory|
|Exchange Online Organization Management||Permissions in Exchange Online
Exchange Online PowerShell
For more information, see:
Get Office 365 ATP
Office 365 ATP Plan 2 is included in Office 365 Enterprise E5, Office 365 Education A5, and Microsoft 365 Business. If your subscription does not include Office 365 ATP, you can purchase ATP Plan 1 or ATP Plan 2 as an add-on to certain subscriptions. To learn more, see the following resources:
See Office 365 Advanced Threat Protection (ATP) availability for a list of subscriptions that include ATP plans.
See Feature availability across Advanced Threat Protection (ATP) plans for a list of features included in Plan 1 and 2.
See Get the right Office 365 Advanced Threat Protection to compare plans and purchase Office 365 ATP.
New features in Office 365 ATP
New features are added to Office 365 ATP continually. To learn more, see the following resources:
The Microsoft 365 Roadmap provides a list of new features in development and rolling out.
The Office 365 Advanced Threat Protection Service Description describes features and availability across ATP plans.