maxkabakov - Fotolia

Advanced threat protection add-on comes to Microsoft EOP

The ATP add-on for Exchange Online Protection gives on-premises Exchange Server and Office 365 customers another layer of security.

Microsoft is providing new tools and options for advanced threat protection that extends to Exchange Online Protection features. Exchange Online Protection is Microsoft's cloud-based email scrubbing option for spam and malware, both for email coming in to Office 365 and on-premises Exchange Server. The quality of Exchange Online Protection when compared to existing third-party options is debatable, but one thing is certain: A need exists for more than just antimalware protection in the modern world. Let's explore what advanced threat protection can do.

Advanced threat protection (ATP) includes these additional features for Exchange Online Protection (EOP) end users.

  • Protection against unknown malware and viruses. You need to protect end users from unknown threats. EOP already provides a multilayered approach to antimalware with three different engines. ATP extends this approach with safe attachment protection, which provides a safeguard from suspicious attachments by opening the attachment in a sandbox using a hypervisor environment; the assumption is through Azure virtual machines.
  • Real-time, time-of-click protection against malicious URLs. EOP already scans each message for threats such as a known bad link (phishing, for example). But what if a message comes in with a seemingly safe link that turns out to be malicious? ATP looks to protect end users when they click the link, helping to prevent these kind of spear-phishing attacks.
  • Rich reporting and URL trace capabilities. ATP sets up better feedback regarding end users who may be targeted within the organization, and to investigate blocked messages.

Enable advanced threat protection

To work with ATP, go through the Office 365 Admin Center and click the Exchange link to access the Exchange Admin Center (Figure 1). You should see the advanced threats feature in the pane.

Enable ATP in the Office 365 admin center
Figure 1

Selecting advanced threats will let you see the safe attachments (Figure 2) and safe links (Figure 3) tabs to work with the policies.

Safe attachments tab
Figure 2


Safe links tab
Figure 3

For safe attachments, you can create multiple policies or alter the default settings (Figure 4). There are also options to monitor, block or replace the attachments or to redirect attachments to an alternate address if something is detected.

Create or alter safe attachment policies
Figure 4

A warning: These attachments may cause significant delay to email delivery. It takes seven or eight minutes for messages with attachments to pass through the sandbox (with a 30-minute service-level agreement), Microsoft says. Using machine learning on a large scale to determine threats and neutralize them is an interesting way to accomplish the task. The downside of the time delay may not work for some organizations.

With safe links, you can create new policies or alter the default (Figure 5). There are a number of available options. For example, Off/On is where URLs are rewritten and checked against a list of known malicious links when the end user clicks the link. Choose whether to track end users' clicks for reporting purposes, or whether to allow end users to click the original URL. You can also configure a manual list of URLs you don't want rewritten.

Create or alter safe link policies
Figure 5

You can also choose to see reports of ATP by disposition and ATP File Types from within the dialog box for safe attachments and safe links.

Is ATP worth it?

From a feature perspective, advanced threat protection is a welcome addition to the Exchange Online Protection toolbox. But there are a couple of lingering concerns about cost. For example, EOP is free for Office 365 end users and costs $1 per end user per month for on-premises Exchange end users. But ATP will cost $2 per end user per month ($24 annually) -- or $1.75 per end user per month for government pricing -- that's a bit high for some organizations and will have to be considered in budgets when organizations are looking to move to Office 365. It's a bit frustrating that people can't buy à la carte (for example, just buy sandboxing and not time-of-click). On the plus side, organizations can decide to buy ATP for some folks and not for others, and deploy it to groups.

It's good to see Microsoft acknowledge that modern times call for more modern measures to deal with attacks through email. ATP is a good extension to EOP, and some companies may see the value in the added expense. Still, companies may consider alternative options to layer onto EOP for improved security in a sketchy world. Either way, modern threats require modern barriers.

About the author:
J. Peter Bruzzese is a Microsoft Office 365 MVP, as a five-time awardee with previous technical expertise in Exchange, a Triple-MCSE, an MCT and an MCITP: Enterprise Messaging. He is the co-founder of an end-user training solution called and is a strategic technical consultant for Mimecast. He is an internationally published author with more than a dozen titles to his name. He is a technical speaker for a number of conferences, including Techmentor, IT/Dev Connections and Microsoft TechEd. He writes for online and in-print tech and has written InfoWorld's Enterprise Windows column for more than five years. More recently, he focused his attention on new users in the Exchange/Office 365 community and wrote a short book titled Conversational Exchange (in 10 days!) to help them learn Exchange's conceptual side. In his spare time -- well, let's face it, folks, with all that, JPB has no spare time.

Next Steps

How EOP fits in after an Exchange Online migration

Antimalware protection in Exchange 2013

Dig Deeper on Microsoft messaging and collaboration

Cloud Computing
Enterprise Desktop
Virtual Desktop