Office 365 Advanced Threat Protection (ATP)
This article is intended for business customers who have Office 365 Advanced Threat Protection. If you are using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safe Links or Safe Attachments in Outlook, see Advanced Outlook.com security for Microsoft 365 subscribers.
Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. ATP includes:
Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
Reports: View real-time reports to monitor ATP performance in your organization.
Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
If you're new to Office 365 Advanced Threat Protection or learn best by doing, you may benefit from breaking initial ATP configuration into chunks, investigating, and viewing reports using this article as a reference. Here are logical early configuration chunks:
- Configure everything with 'anti' in the name.
- Set up everything with 'safe' in the name.
- safe links
- safe attachments
- Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
- Protect with Zero-Hour auto purge
To learn by doing, click this link.
ATP comes in two different Plan types. You can tell if you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat Explorer. The Plan you have influences the tools you will see, so be certain that you're aware of your Plan as you learn.
Office 365 ATP Plan 1 and Plan 2
The following table summarizes what's included in each plan.
|Office 365 ATP Plan 1||Office 365 ATP Plan 2|
Configuration, protection, and detection capabilities:
|Office 365 ATP Plan 1 capabilities
--- plus ---
Automation, investigation, remediation, and education capabilities:
Office 365 ATP Plan 2 is included in Office 365 E5, Office 365 A5, Microsoft 365 E5 Security, and Microsoft 365 E5.
Office 365 ATP Plan 1 is included in Microsoft 365 Business Premium.
Office 365 ATP Plan 1 and Office 365 ATP Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across ATP plans.
The Safe Documents feature is only available to users with the Microsoft 365 E5 or Microsoft 365 E5 Security licenses (not included in Office 365 ATP plans).
If your current subscription does not include Office 365 ATP, contact sales to start a trial, and see how ATP can work for your organization.
Configure ATP policies
With Office 365 ATP, your organization's security team can configure protection by defining policies in the Security & Compliance Center (Go to https://protection.office.com > Threat management > Policy.)
For a quick list of policies to define, see Protect against threats.
Advanced Threat Protection Policies
The policies that are defined for your organization determine the behavior and protection level for predefined threats. Policy options are extremely flexible. For example, your organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It is important to review your policies regularly because new threats and challenges emerge daily.
ATP Safe Attachments: Provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox. To learn more, see Set up Office 365 ATP Safe Attachments policies.
ATP Safe Links: Provides time-of-click verification of URLs, for example, in emails messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click: safe links remain accessible and malicious links are dynamically blocked. To learn more, see Set up Office 365 ATP Safe Links policies.
ATP for SharePoint, OneDrive, and Microsoft Teams: Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries. To learn more, see Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.
ATP anti-phishing protection: Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks. To learn more, see Configure ATP anti-phishing policies in Office 365.
View Office 365 ATP reports
Office 365 ATP includes an advanced reporting dashboard to monitor your ATP performance. You can access it at Reports > Dashboard in the Security & Compliance Center.
Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Predefined reports include the following:
... and several more.
Use threat investigation and response capabilities
Office 365 ATP Plan 2 includes best-of-class threat investigation and response tools that enable your organization's security team to anticipate, understand, and prevent malicious attacks.
Threat trackers provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.
Threat Explorer (or real-time detections) (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.
Attack Simulator allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.
Save time with automated investigation and response
(NEW!) When you are investigating a potential cyberattack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be. Automated investigation and response (AIR) capabilities include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer. AIR can save your security operations team time and effort in mitigating threats effectively and efficiently. To learn more, see AIR in Office 365.
Permissions required to use ATP features
To access ATP features in the Security & Compliance Center, you must be assigned an appropriate role. The following table includes some examples:
|Role or role group||Resources to learn more|
|global administrator (this can be assigned in either Azure Active Directory or in the Security & Compliance Center)||About Microsoft 365 admin roles|
|Security Administrator (this can be assigned in either Azure Active Directory or the Security & Compliance Center)||Administrator role permissions in Azure Active Directory
Permissions in the Security & Compliance Center
|Exchange Online Organization Management (this is assigned in Exchange Online)||Permissions in Exchange Online
Exchange Online PowerShell
|Search and Purge (this is assigned only in the Security & Compliance Center)||Permissions in the Security & Compliance Center|
For more information, see Permissions in the Security & Compliance Center.
Get Office 365 ATP
Office 365 ATP is included in certain subscriptions, such as Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium. If your subscription does not include Office 365 ATP, you can purchase ATP Plan 1 or ATP Plan 2 as an add-on to certain subscriptions. To learn more, see the following resources:
Office 365 Advanced Threat Protection availability for a list of subscriptions that include ATP plans.
Feature availability across Advanced Threat Protection (ATP) plans for a list of features included in Plan 1 and 2.
Get the right Office 365 Advanced Threat Protection to compare plans and purchase Office 365 ATP.
New features in Office 365 ATP
New features are added to Office 365 ATP continually. To learn more, see the following resources:
Microsoft 365 Roadmap provides a list of new features in development and rolling out.
Office 365 Advanced Threat Protection Service Description describes features and availability across ATP plans.