Office 365 Advanced Threat Protection Service Description

Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time. ATP has rich reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in your organization.

The following are the primary ways you can use ATP for message protection:

  • In an Office 365 ATP filtering-only scenario, ATP provides cloud-based email protection for your on-premises Exchange Server environment or any other on-premises SMTP email solution.

  • Office 365 ATP can be enabled to protect Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online Service Description.

  • In a hybrid deployment, ATP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes with Exchange Online Protection for inbound email filtering.

Office 365 Advanced Threat Protection (ATP) availability

ATP is included in Office 365 Enterprise E5, Office 365 Education A5, and Microsoft 365 Business.

You can add ATP to the following Exchange and Office 365 subscription plans:

  • Exchange Online Plan 1

  • Exchange Online Plan 2

  • Exchange Online Kiosk

  • Exchange Online Protection

  • Office 365 Business Essentials

  • Office 365 Business Premium

  • Office 365 Enterprise E1

  • Office 365 Enterprise E3

  • Office 365 Enterprise F1

  • Office 365 A1

  • Office 365 A3

To buy Office 365 Advanced Threat Protection, see Office 365 Advanced Threat Protection.

To compare features across plans, see Compare Office 365 for Business plans and Discover the Microsoft 365 Enterprise solution that's right for you.

What's new in Office 365 Advanced Threat Protection (ATP)

We are continuing to add new features to Office 365 ATP. Below is a list of several new features, some of which call for an ATP policy to be reviewed and updated. To learn more about new features coming to ATP (or Microsoft 365 in general), visit the Microsoft 365 Roadmap.

Feature updates Action items
Office 365 Threat Intelligence (TI) capabilities are now threat investigation and response capabilities as part of ATP Plan 2. New features, such as automated incident response, and enhancements to Threat Explorer, are rolling out.

If your organization does not currently have ATP, or if you had ATP but not TI, you now have several options to consider, with the availability of ATP Plan 1 and ATP Plan 2. To learn more, see Feature availability across Advanced Threat Protection (ATP) plans (in this article) and Office 365 Advanced Threat Protection plans and pricing.
Review your organization's subscription, and if needed, Buy or edit an add-on.
When people are using Outlook or Outlook Web Application (OWA), ATP Safe Links renders original URLs, not rewritten URLs. (We call this native link rendering.)
When native link rendering is available for your organization, this feature will work in Outlook 365 (Click-to-Run), OWA, and on Windows and Mac OS.
Office 365 ATP warning pages feature a new color scheme, more details, and the ability to continue to a site despite given warnings and recommendations. None
ATP Safe Links protection is extended to apply to URLs in Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web), and Office 365 ProPlus on Mac. Review and edit your ATP Safe Links policies
Quarantine capabilities in the Security & Compliance Center are extended to ATP for SharePoint Online, OneDrive for Business, and Microsoft Teams. Review and edit your ATP Safe Attachments policies
ATP Safe Links protection is extended to apply to email sent between people within an organization. Review and edit your ATP Safe Links policies
ATP Safe Links protection is extended to apply to URLs in email as well as URLs in Office 365 ProPlus documents, such as Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices. Make sure you're using Modern Authentication for Office

Requirements for Office 365 Advanced Threat Protection (ATP)

ATP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by ATP, see the "Supported browsers" and "Supported languages" sections in Exchange Admin Center in Exchange Online Protection.

Feature availability across Advanced Threat Protection (ATP) plans

Each feature is listed below. When Exchange Online is mentioned, it typically refers to the Office 365 Enterprise service family.

Feature ATP Plan 1
(formerly ATP standalone)
ATP Plan 2
(formerly Threat Intelligence
Office 365 Enterprise E5
Configuration, Protection, and Detection
Safe Attachments Yes Yes Yes
Safe Links Yes Yes Yes
Anti-Phishing Policies Yes Yes Yes
ATP for SharePoint, OneDrive and Microsoft Teams Yes Yes Yes
Safe Attachments in Teams Yes Yes Yes
Safe Links in Teams No No No
Real-time reports Yes Yes Yes
Automation, Investigation, Remediation and Education
Threat Trackers No Yes Yes
Explorer (advanced threat investigation) No Yes Yes
Automated incident response No Yes Yes
Attack Simulator No Yes Yes

Advanced Threat Protection (ATP) Capabilities

Safe Attachments

ATP Safe Attachments protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.


ATP Safe Attachments scanning takes place in the same region where your Office 365 data resides. For more information about data center geography, see Where is your data located?

The ATP Safe Links feature proactively protects your users from malicious URLs in a message or in an Office document. The protection remains every time they click the link, as malicious links are dynamically blocked while good links can be accessed.

Safe Links is available for URLs in the following apps:

  • Office 365 ProPlus on Windows or Mac.

  • Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web).

  • Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices.


Users must be licensed for ATP*, must be included in ATP Safe Links policies, and must be signed in on their devices for protection to be in place.

* For organization-wide ATP licenses (for example, ATP_ENTERPRISE_FACULTY), you don't need to assign ATP licenses to individual users.

Anti-phishing policies

ATP anti-phishing checks incoming messages for indicators that a message might be a phishing attempt. When users are covered by ATP policies (safe attachments, safe links or anti-phishing), incoming messages are evaluated by multiple machine learning models that analyze messages and the appropriate action is taken, based on the configured policies.

ATP for SharePoint, OneDrive, and Microsoft Teams

ATP for SharePoint, OneDrive, and Microsoft Teams helps detect and block files that are identified as malicious in team sites and document libraries.

Real-time reports

Monitoring capabilities available in the Office 365 Security & Compliance Center include real-time reports and insights that enable your security and compliance administrators to focus on high-priority issues, such as security attacks or increased suspicious activity. In addition to highlighting problem areas, smart reports and insights include recommendations and links to view and explore data and also take quick actions.

Threat Trackers

Threat Trackers are informative widgets and views that provide authorized users with intelligence on cybersecurity issues that might impact your organization.


Explorer (also referred to as Threat Explorer) is a real-time report that enables authorized users to identify and analyze recent threats. By default, this report shows data for the past 7 days; however, views can be modified to show data for the past 30 days.

For more information about Explorer (in Office 365 Advanced Threat Protection Plan 2) and real-time detections (in Office 365 Advanced Threat Protection Plan 1), see Threat Explorer (and real-time detections).

Attack Simulator

Attack Simulator enables authorized users to run realistic attack scenarios in your organization. Several different kinds of attacks are available, including a display name spear-phishing attack, a password-spray attack, and a brute-force password attack.