A few weeks ago, after my podcast with Brian Reid about Exchange Online Protection, I finally got around to signing up my Office 365 tenant for Advanced Threat Protection.
If you're new to EOP and ATP, I recommend having a listen to the podcast to learn more. But in brief, ATP delivers a series of enhanced email security features for Exchange Online Protection to prevent malicious attachments and links from causing customers to be infected with malware.
The three main capabilities of Advanced Threat Protection are:
- Safe Links – URLs in email messages are rewritten so that users are redirected through a Microsoft service that checks the link for malicious content when the user clicks it.
- Safe Attachments – email attachments are tested in a sandbox environment to detect malicious behaviour and attempt to block zero-day attacks.
- Anti-Impersonation (anti-phishing) – detects phishing attacks that use lookalike domains and email addresses.
In this article I'll share my experience with those features so far.
Enabling Advanced Threat Protection
Enabling ATP was simple enough, as I'm already an Office 365 customer. I purchased the additional ATP license and assigned it to my user account.
As a single-user tenant I wasn't quite sure how many licenses I would need. I do have a handful of shared mailboxes that I use for various purposes, so I asked Microsoft whether I needed to license each of those as well. The answer I received was to license anyone who would normally utilize an Office 365 license. Since shared mailboxes do not consume a license, I don't need to buy them ATP licenses. However, don't take licensing advice from me. Ask your licensing provider who you need to license for ATP in your tenant.
A few minutes after activating the license, a new Advanced Threats option appeared in my Exchange admin center.
The first feature I looked at was Safe Attachments. There were no default policies created in ATP for my tenant. I am told that sometime in the past default policies were created, and maybe that will change again in the future. If you don't see any default policies in your tenant, just go ahead and create one or more to suit your needs.
Safe Attachments policies can be targeted at specific recipients, domains, or group members. I chose to apply one policy to all of my domains.
A Safe Attachment policy can be set to Off (not sure why you would do that), Monitor, Block, Replace, or Dynamic Delivery. At first I used Block. But there were a few false positives early on, so I changed it to Dynamic Delivery, which delivers the message immediately without the attachment and then, a few minutes later when the attachment analysis is complete, updates the delivered email with the attachment. In my experience so far no spammy emails with stripped attachments have made it to my inbox. I guess if the email itself is spam, one of the other filters in EOP will block it.
I also elected to redirect blocked messages to a quarantine mailbox. Mostly I was curious to see what it blocked. I've been happy to see ATP block multiple ransomware emails over the last several weeks. Also, I decided to enforce the Replace action if ATP malware scanning ever fails or times out. So far it seems to have had no trouble.
Speaking of timing out, if you're wondering whether the testing of email attachments in a sandbox environment slows down email, the answer is yes.
Emails with attachments see a delay of several minutes. I don't notice this, because I'm rarely expecting a specific email attachment to arrive. Things just appear when they appear, and everything is fine.
The only “problem” I've had with ATP was an obvious false negative that occurred within the first week or so. A fake FedEx email arrived in my inbox. The attachment was a 0KB Word document. My desktop AV didn't consider it malware at first (a few days later it did), but I wasn't willing to try to open it to see for myself. I logged a support case with Microsoft, and after a few weeks of investigation (yes, weeks; I needed to run multiple message traces, and there were the usual delays you get when you're involved in a support case across multiple time zones) Microsoft determined that the reason was that the 0KB attachment was not seen by ATP as something it should scan. I haven't seen a repeat of this type of email though, so my guess is Microsoft has successfully closed that gap.
All in all, Safe Attachments is working fine for me and I've had no further false positives or negatives since the first week or so.
Safe Links replaces URLs in email messages with URLs that redirect the user through a Microsoft service that checks the URL for malicious behaviour or content at the time the person clicks on it. The user's browsing traffic isn't proxied through the Microsoft server; it's just a security check, after which the user is sent to the real URL.
Safe Links policies can be set to Off (again, why? I guess so you can temporarily turn it off?), or On. There's some tracking of user clicks (this is available in the URL trace tool under mail flow in the Exchange admin center), and an option for whether to allow users to click through a blocked URL (in effect, they would be overriding the block if Microsoft had detected a malicious URL).
I added some URLs that should never be rewritten by Safe Links. These are URLs that I get in emails a lot (such as for blog comments), and the long Safe Links were quite messy and confusing to look at sometimes, so I started adding exceptions. As it turns out, there's a length cap on the property that stores the exceptions. I got to about 10 entries before I hit that cap.
I thought that perhaps adding multiple Safe Links policies would be a way around this cap. For example, could you have one general policy applied to the entire domain, and then separate individual policies for exceptions that specific people need? Unfortunately, chaining multiple policies like that doesn't seem to work. Instead, only the highest-priority rule matching the recipient is applied.
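As an added example that is not part of the original post, here is how the Safe Attachments policy described earlier (Dynamic Delivery, quarantine redirect, apply the action on scan error) and the Safe Links policy with its do-not-rewrite exceptions would be created in Exchange Online PowerShell, followed by a check of rule priority that shows why a second exceptions-only policy never stacks on the first. The cmdlet parameters are the PowerShell equivalents of the admin center settings the post walks through, not the author's own commands, and the domains, quarantine mailbox and URLs are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; every domain, address and URL below is a placeholder.
Connect-ExchangeOnline

# --- Safe Attachments: Dynamic Delivery, quarantine copy, act even if scanning fails ---
$saPolicy = @{
    Name            = 'SA-AllDomains'
    Action          = 'DynamicDelivery'   # Allow (Monitor), Block, Replace or DynamicDelivery
    Redirect        = $true               # keep a copy of blocked attachments...
    RedirectAddress = 'atp-quarantine@contoso.example'   # ...in this mailbox (placeholder)
    ActionOnError   = $true               # still apply the action if scanning fails or times out
    Enable          = $true
}
New-SafeAttachmentPolicy @saPolicy

# The rule scopes the policy; here, every recipient in the tenant's domains.
New-SafeAttachmentRule -Name 'SA-AllDomains' -SafeAttachmentPolicy 'SA-AllDomains' `
    -RecipientDomainIs 'contoso.example', 'contoso-mail.example'

# --- Safe Links: on, click tracking, no click-through, a few never-rewrite URLs ---
$slPolicy = @{
    Name                    = 'SL-AllDomains'
    EnableSafeLinksForEmail = $true
    TrackClicks             = $true     # feeds the URL trace tool under mail flow
    AllowClickThrough       = $false    # users cannot override a block
    DoNotRewriteUrls        = @('https://blog.contoso.example/*',
                                'https://*.contoso.example/comments/*')
}
New-SafeLinksPolicy @slPolicy
New-SafeLinksRule -Name 'SL-AllDomains' -SafeLinksPolicy 'SL-AllDomains' `
    -RecipientDomainIs 'contoso.example', 'contoso-mail.example'

# Adding an exception later: the property is replaced, not appended, and it has a
# length cap, so read the current list, extend it, and write the whole list back.
$current = (Get-SafeLinksPolicy -Identity 'SL-AllDomains').DoNotRewriteUrls
Set-SafeLinksPolicy -Identity 'SL-AllDomains' `
    -DoNotRewriteUrls ($current + 'https://status.contoso.example/*')

# Why a second "exceptions-only" policy does not stack: one rule wins per recipient.
# Lower Priority number = evaluated first; the first matching rule is the only one applied.
Get-SafeLinksRule | Sort-Object Priority |
    Format-Table Name, Priority, State, SafeLinksPolicy, RecipientDomainIs, SentTo -AutoSize
```

If the priority listing shows a broad domain rule above a per-user rule, the per-user rule's exceptions are never consulted for those recipients, which is the behaviour the post describes.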
I also found that it is not necessary to set exclusions for some domains. Microsoft seems to have a list of trusted domains that Safe Links does not rewrite the URLs for. For example, a Google URL is not rewritten as you can see here. Similar behaviour occurs for many Microsoft domains as well.
However, if the URL is hidden behind some anchor text, it still gets rewritten.
Safe Links has been working fine for me. There's the briefest of delays after clicking a link while I wait for Microsoft to redirect me to the real URL. I have occasionally sent someone a Safe Link instead of the real URL, but since the links still work fine for anyone who clicks on them (they're not restricted to just your users) that is more of a cosmetic issue than a functional issue.
The anti-impersonation features of Office 365 ATP are a recent addition to the service to help prevent phishing, spear-phishing and whaling attacks. Using anti-phishing policies in ATP you can protect your users from receiving phishing emails that attempt to impersonate legitimate senders by using lookalike domain names and email addresses.
I've written a detailed look at Office 365 ATP anti-phishing here.
My experience so far with Exchange Online Protection and Advanced Threat Protection has been good. Granted, I am a very small customer. But I do support other customers of varying sizes that also rely on EOP and ATP for email protection, and it works well for those companies as well. As far as Advanced Threat Protection goes, I think it is worth the additional investment to add it to your Office 365 tenant and get some more powerful protection from malware, phishing, and other attacks.