Microsoft Office 365 Advanced Threat Protection

Microsoft Office 365 Advanced Threat Protection (ATP) is Microsoft's optional cloud-based service that scans and filters email to protect subscribers from malware in attachments and hyperlinks to malicious websites.

With ATP, Microsoft attempts to reduce the impact of zero-day threats that often arrive via malicious attachments and URLs. ATP assesses the content of email before recipients open attachments or click on URLs. ATP scans attachments and hyperlinks through separate, independent policies that administrators apply to specific users, groups or domains. ATP is a cloud service from Microsoft that does not require additional hardware or software tools to run.

Safe attachments reviews files

The "safe attachments" feature in ATP analyzes all attachments. First, ATP isolates the attachment in a sandbox VM -- a feature Microsoft calls a "detonation chamber" -- to prevent the delivery of malicious payloads. ATP then checks for tell-tale signatures of malicious content and uses machine learning techniques to assess unknown content for suspicious behavior. Recipients cannot open the attachment until the scan completes.

Safe links scans URLs

ATP's "safe links" feature scans the content of web pages reached through hyperlinks in email and Office documents to reduce incidents of phishing and other website-based attacks. If ATP determines a hyperlink leads to an unsafe site, it sends the user to a warning page.

Microsoft Office 365 Advanced Threat Protection assists with training

ATP generates detailed reports that show IT administrators whether particular users receive an unusual amount of malicious email, the type of malicious content, and which users opened or clicked on potentially malicious content. This information helps IT train users to be more vigilant to avoid attacks.

Inspection may delay attachment delivery

According to Microsoft, the time it takes the safe attachments process to complete depends on the attachment and its content. Rather than delay a message, Microsoft uses a "dynamic delivery" feature to let recipients read and respond to an email, and uses a placeholder to indicate the attachment is undergoing the scanning process. If ATP determines the file is not a danger, the attachment returns to the email. If ATP finds a malicious file, it removes the attachment.

The safe links process adds no noticeable delay to a non-malicious link, but links ATP deems malicious will result in a warning to the user.

Microsoft Office 365 Advanced Threat Protection pricing

Microsoft includes ATP with its top-tier Office 365 Enterprise E5 subscription, but organizations can add the service to other Exchange and Office 365 subscriptions for $2 per user, per month. Compatible plans that support ATP include Exchange Online Plan 1, Exchange Online Plan 2, Exchange Online Kiosk, Exchange Online Protection, Office 365 Business Essentials, Office 365 Business Premium, Office 365 Enterprise E1, Office 365 Enterprise E3, Office 365 Enterprise E4, Office 365 Enterprise K1, Office 365 Enterprise K2 and Office 365 Education.

Comparison to Exchange Online Protection

Microsoft calls ATP a complementary addition to its Exchange Online Protection (EOP) service. The two share similar features, but ATP provides added protection from spoofing and phishing techniques. Organizations can add EOP to online email services for $1 per user per month.

This was last updated in September 2017
