Implementing Exchange Online Advanced Threat Protection (Part 1)

If you would like to read the next part in this article series please go to Implementing Exchange Online Advanced Threat Protection (Part 2).


Exchange Online Protection (EOP) is the anti-spam and anti-malware component of Office 365 and included in all plans that include email, and also available as a standalone offering.

EOP is often sufficient for most organizations, however some need protection from unusual threats such as spear phishing attacks (where a user is encouraged to click a dangerous link) or zero-day protection from malware contained within attachments.

Advanced Threat Protection is an add-on for Exchange Online Protection that provides protection from both these threats. In this two part article series we’ll examine how to implement Advanced Threat Protection for an appropriate level of effectiveness.

Pre-Requisites for Office 365

Office 365 customers who use Exchange Online for email do not need to perform any technical configuration before considering the steps in this article. You will need to add a subscription to your Office 365 tenant for Advanced Threat Protection. This is a new SKU released in September and is also included in the new Office 365 E5 plan.

Pre-Requisites for Exchange On-Premises

On premises Exchange users will already need to be using Exchange Online Protection before implementing Advanced Threat Protection. ATP is a step-up product, therefore by implementing EOP you are ready to consider the steps in this article. If you are in a Hybrid deployment and inbound mail already reaches your on-premises servers via your Office 365 tenant, you already use EOP. Pure EOP users will typically consider the ATP add-on.

Our example scenario

For our example scenario, we’ll be re-visiting Lisa Jane Designs. This time round, our example organization is suffering from a persistent attack from phishers and zero-day attachment exploits!

The phishing threat is the most prevalent. Users are receiving emails suggesting they click a link to verify their details. They click the link – which is at the time of access, an unknown threat, and either provide credentials to a phisher or download malware.

Often this looks innocuous to the user and they are happily clicking away, providing the credentials to whoever asks.

Figure 1: How users at Lisa Jane Designs are currently infecting their machines when clicking on URLs

Another threat, affecting a smaller number of users in the Finance team, takes advantage of zero-day vulnerabilities in software they must use to accomplish their job. They receive purchase orders from clients and use fully patched software to open the attachments. Occasionally these attachments are actually malware and have potentially disastrous effects.

Figure 2: How zero-day exploits are tricking the users at Lisa Jane Designs into infecting their machines

It seems that it never rains, but it pours for our small design company. After implementing all the latest technology they still feel they are one step behind the phishers. After evaluating a range of solutions, Lisa Jane Designs’ IT manager has decided to add Advanced Threat Protection to their Exchange 2013 and Exchange Online Protection set up.

How Safe Links will help

ATP’s first feature, Safe Links helps protect us from spear-phishing attacks. When a message is received by Exchange Online Protection it is checked as normal. If the message matches a policy for Safe Links, ATP can replace URLs within the message to special URLs that are hosted by Microsoft, under the domain, and are intended to re-direct the user to the original content. The message is then delivered as normal:

Figure 3: Replacement of the URL in a message received via Advanced Threat Protection

At some point after delivery, the user may open the message and then choose to click the URL. At this point, the URL will be checked before the user is redirected to it.

If the destination URL is known to be safe or, simply unknown then they will be redirected. If, at the point of access, the destination URL is known to be dangerous then the user will be warned. Depending on the policy, blocked from accessing the URL or given the choice to click through:

Figure 4: The process when a user clicks on a ATP-re-written URL within an email message

How Safe Attachments will help

Exchange Online Protection and other anti-malware software, such as endpoint protection installed on clients typically use definition files to detect known threats. The anti-malware vendors use a variety of techniques to catch malware quickly, however there is a point – the “day zero” before it is known.

Safe Attachments is used after Exchange Online Protection has already scanned the attachment for known malware.

After EOP has marked the message as clean, if the Safe Attachments policy applies to the message then it will be opened inside an isolated virtual machine in Azure. This is effectively a “detonation chamber” where the effects of opening the attachment are safely monitored.

The process to open an attachment automatically and monitor for ill effects take about 10 minutes, so provides a slight delay on timely message delivery.

If the attachment appears to cause negative effects, the attachment will not be delivered to the recipient:

Figure 5: Using Safe Attachments to allow Microsoft to automatically open and examine any threats within an email message in an automated sandbox environment

Combining these two features provides an additional layer of defence within email, both of which are intended to catch threats that may not be known about at the time of the message delivery.

Key decisions before implementation

Before implementing Advanced Threat Protection, we’ll need to make some decisions with regards to how we will perform the implementation:

  • Who should the Safe Links policy apply to?
    Collate a list of email addresses, distribution groups or domain names for the policy to apply to.
  • What URLs should be excluded from Safe Links?
    Although not essential, you might want to exclude some URLs you trust and / or know to be safe.
  • Will you want to track link clicks?
    In the event of a surreptitious link being accessed you may need to track down who clicked it, especially if it wasn’t known to be unsafe at the time of access.
    If you will track clicks, will this apply to everyone? You may need multiple policies to track certain people and not others
  • Who should the Safe Attachments policy apply to?
    Safe Attachments delays mail at the expense of security, and only cover a small minority of threats. For maximum protection target at all licenced users but for speed vs risk you may want to only target Safe Attachments at users venerable to this kind of threat or who are most critical to the organization.
  • What should the Safe Attachments policy do it if discovers a threat?
    Safe attachments has a number of actions it can take. These allow you to take no action, monitor that a threat has been detected, block the threat or replace the attachment.
  • Who should the Safe Attachments policy notify if a threat is discovered, if anyone?
    Often a security team will want to be notified if a zero-day threat is being sent to the organization. A contact address can be added here.

With the decisions made (and hopefully licences available) you are now ready to define your safe links and safe attachments policies.


In part one of this series we’ve looked at why you might want to consider using the new Advanced Threat Protection feature in Exchange Online Protection, and walked through the key decisions required before implementation. In the final part of this series we will walk through the implementation and usage of ATP.

If you would like to read the next part in this article series please go to Implementing Exchange Online Advanced Threat Protection (Part 2).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top