Exchange Online Protection (EOP) Advanced Threat Protection
(ATP) has been available for the past few months. ATP is a new high-end security feature that
is part of the new E5 suite for Office 365.
Exchange Online Protection Advanced Threat Protection has three core capabilities:
- Safe Attachments
- Safe Links
- URL Tracking/Reporting capabilities
The new ATP capability is part of the EOP service. Email messages will continue to go through
EOP and still go through the standard malware and virus protection checks. Once a message has passed the standard EOP
protections, if an ATP policy applies to it, it will go through
the additional Safe Attachments and Safe Links checks. ATP policies can be configured through the
Exchange Admin Console (EAC) or through PowerShell.
It is worth noting that ATP can be used with
Exchange Online, Exchange on-premises and in Exchange Hybrid scenarios.

Safe Attachments
Safe Attachments will help organizations protect against
zero day exploits in email attachments by blocking messages. Common unsafe attachments such as Office
files, PDFs, executable file types, Flash files, etc. would be inspected.
Safe Attachments leverages sandboxing technology. All attachments that do not match a known
virus/malware signature are routed to a special hypervisor environment
where behavior analysis is performed using a variety of machine learning and
analysis techniques to find malicious intent.
If a message's attachments are deemed unsafe, the email is blocked
until the attachments have been detonated in the hypervisor. Each attachment is opened in a unique
hypervisor, which can result in an email delivery delay of 5 to 30 minutes while
the attachment is being evaluated.

Here is the configuration screen in the EAC for the Safe Attachments policy. This is where you configure the behavior when unknown malware is discovered. For instance, you can monitor the message by allowing it to still go through and just get reporting, you can block the message altogether, or you can allow the email to go through without the attachments.
Below is an example email that would be sent to an administrator based on the policy configuration you make.
Safe Links
Safe Links will help protect against malicious sites and
content in phishing attacks. A common
threat is to try to hide malicious URLs in an email that seem to be safe but
redirect users to unsafe sites.
When a Safe Links policy is configured, every time a user
clicks a URL from an email message that click is inspected. Specifically, URLs in the email are rewritten
to proxy them through a server managed by the ATP service. If the URL points to a good site, there
is almost no latency in the click and the user goes to the site. If the URL points to a malicious site, a
landing page is presented to the user warning them that they are about to go to an
unsafe site.

Here is the configuration screen for this policy in the EAC. There is an option to track user clicks on malicious URLs. You also have the option to not allow the user to click through to a known malicious URL, and the ability to add your own custom list of blocked URLs.
The following is an example of what a user would see if they click a malicious URL in an email. Depending on how you configured the policy, the malicious URL will not be presented to the end user, so they cannot click through.
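The Safe Attachments and Safe Links policies described in the two sections above can also be created from Exchange Online PowerShell instead of the EAC. The script below is an added example, not from the original post or from Microsoft; it assumes an existing Exchange Online session, placeholder values for the domain and reporting mailbox, and that the cmdlet parameter names are the ones in the Exchange Online cmdlet reference (the parameter set has changed between versions, so confirm with Get-Help).

```powershell
# Added example: Safe Attachments and Safe Links policies via PowerShell.
# Assumes you are already connected to Exchange Online (for example with
# Connect-ExchangeOnline from the ExchangeOnlineManagement module).
# Domain and mailbox below are placeholders, not values from the post.
$Domain        = 'contoso.example'           # placeholder: your accepted domain
$ReportMailbox = 'secops@contoso.example'    # placeholder: where blocked mail is redirected

# --- Safe Attachments -------------------------------------------------
# -Action maps to the three EAC behaviours described above:
#   Allow   = monitor only (deliver, but report)
#   Block   = block the whole message
#   Replace = deliver the message with the unsafe attachment removed
# Redirecting a copy keeps the sample for the incident responder.
New-SafeAttachmentPolicy -Name 'ATP-SafeAttachments-Block' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress $ReportMailbox

# A policy applies to nobody until a rule scopes it to recipients.
New-SafeAttachmentRule -Name 'ATP-SafeAttachments-Block-Rule' `
    -SafeAttachmentPolicy 'ATP-SafeAttachments-Block' `
    -RecipientDomainIs $Domain

# --- Safe Links -------------------------------------------------------
# -TrackClicks feeds the URL tracking report; -AllowClickThrough $false
# keeps users on the warning page for known-malicious URLs.
New-SafeLinksPolicy -Name 'ATP-SafeLinks-Default' `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'ATP-SafeLinks-Default-Rule' `
    -SafeLinksPolicy 'ATP-SafeLinks-Default' `
    -RecipientDomainIs $Domain

# --- Verification: check what is actually in effect -------------------
# Rules must show State = Enabled, otherwise the policy is not applied.
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule   | Format-Table Name, SafeAttachmentPolicy, RecipientDomainIs, State
Get-SafeLinksPolicy      | Format-Table Name, TrackClicks, AllowClickThrough
Get-SafeLinksRule        | Format-Table Name, SafeLinksPolicy, RecipientDomainIs, State
```

Run the Get-* cmdlets again after any EAC change too: the EAC and PowerShell edit the same policy objects, so this is the quickest way to confirm that the behaviour you chose in the screens above is the one in effect.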
URL Tracking
Safe Attachments and Safe Links give organizations
visibility into which users may be compromised.
With this reporting you can see how your organization is being targeted
and whether you need to introduce new policies, more user training, etc.
For Safe Attachments, you can see reporting on the unsafe
attachments that were blocked. As part of Safe Links, you can also see who has been receiving malicious URLs and who has been clicking through to malicious URLs (if you allow click-through).
Resources
Advanced Threat Protection Service Description - https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
Safe Links and Safe Attachments TechNet - https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx
ATP Overview - https://products.office.com/en-us/exchange/online-email-threat-protection
Announcement of ATP - https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/