Microsoft Office 365 ATP

Every Office 365 tenant, which includes e-mail, is protected by Exchange Online Protection (EOP). EOP is a cloud-based e-mail filtering service that protects against spam and malware. EOP filters inbound and outbound e-mail using rules and policies based on the sender’s reputation, keywords, e-mail address, and sophisticated algorithms.

When it comes to phishing, security awareness of your employees is critical. Any given employee needs to be able to identify if an e-mail they received is malicious. If a malicious e-mail is received, the employee should then know what to do when it comes to handling the e-mail.

Microsoft Office 365 ATP helps lower the risk of a user receiving a malicious e-mail in their mailbox. EOP is the first line of defense e-mail filtering, whereas Microsoft Office 365 ATP is the advanced cloud-based e-mail filtering. In this blog post, I will take a more in-depth look into Microsoft Office 365 ATP.

Figure 1: Microsoft Office 365 ATP Protection

Configuration, protection, and detection

The “main” features of Microsoft Office 365 ATP are Safe Attachments, Safe Links, and Anti-Phishing policies.

Safe Attachments

Safe Attachments is a feature that protects the organization from malicious attachments being received by e-mail and blocks files that identify as malicious in Teams and document libraries (OneDrive and SharePoint). Safe Attachments uses machine learning and analysis techniques to detect malicious intent.

There are several options that you can configure for Safe Attachments: monitor, block, replace, and Dynamic Delivery. All attachments, before delivery, are scanned in a sandbox for malicious content. With Dynamic Delivery, the e-mail gets delivered in the user’s inbox, and with a slight delay, the attachment will be attached to the e-mail if the attachment considered to be safe. The slight delay will have a user-impact since the e-mail is delivered first and the attachment later.

Safe Links is a feature that protects the organization from malicious links sent in an e-mail. The original URL will be re-written after being scanned. The original URL will still be shown by the end-user to prevent confusion, but when the user clicks the link, it will first go to “<original url>” for monitoring purposes. Once a user clicks a link, Microsoft knows who clicked the link since it first goes to the re-written link before the user visits the original URL. During an incident, it is nearly effortless to detect which user clicked the link to mitigate the attack by acting (a password reset, for example).


Anti-Phishing policies use machine learning models and advanced impersonation-detection algorithm to prevent impersonation of users and domains. When the sending domain or sending user has suspecting malicious intent, Anti-Phishing will prevent the e-mail from delivery. An administrator can set different options what will happen with suspicious e-mail. So if your company is called and you will receive an e-mail from (hence the double L), the e-mail is marked as suspicious if other indicators identify as spam. A suspicious e-mail can be as simple if the sender’s name is the same as the recipient’s name, the signature used in an e-mail, text in the body’s content, etc.

Zero-hour Auto Purge

Even with all these countermeasures in place, more advanced hackers will eventually get an e-mail delivered in the mailbox. When this happens, Explorer is the tool to hunt manually, but there’s an automated tool as well called Zero-hour Auto Purge (ZAP). ZAP is an e-mail protection feature that retroactively detects and neutralizes (e.q. deleting) malicious phishing, spam, or malware messages delivered to Exchange Online mailboxes. If Microsoft identifies a malicious e-mail, ZAP will remove the malicious e-mail in all Exchange Online mailboxes.

Attack Simulator

At the beginning of the blog post, I mentioned: “awareness of your employees is critical.” Microsoft recognizes this as well and created a feature called the Attack Simulator. Attack simulator contains four simulated attacks that you can use to higher the user’s awareness within your tenant. The four attacks include; Spear Phishing (Credential Harvesting), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), Password Spray Attack.


Microsoft Office 365 ATP is a separate license, but it comes with additional license plans as well. There are two different licenses: Plan 1 and Plan 2. Microsoft Office 365 ATP Plan 2 includes Microsoft Office 365 ATP Plan 1, including Threat Tracker, Explorer (advanced threat investigation), Automated investigation and response, and the Attack Simulator.

Microsoft Office 365 ATP Plan 1 comes with the following license plan: Microsoft 365 Business Premium.

Microsoft Office 365 ATP Plan 2 comes with the following license plans: Office 365 E5, Office 365 A5, and Microsoft 365 E5.