Saturday, January 2, 2016

Exchange Online Protection Advanced Threat Protection


Exchange Online Protection (EOP) Advanced Threat Protection (ATP) has been available for the past few months.  ATP is a new high-end security feature that is part of the new E5 suite for Office 365.
Exchange Online Protection Advanced Threat Protection has three core capabilities.  They are:

  • Safe Attachments
  • Safe Links
  • URL Tracking/Reporting capabilities.
ATP was added as an option to the EOP service given the increasingly sophisticated attacks that are occurring today in email.  Phishing, spear phishing and zero day threats are a real threat for enterprise customers, and many organizations will seriously consider adding ATP to their Office 365 tenant.  ATP will provide organizations insight into users who are being targeted, attacked and compromised.

The new ATP capability is part of EOP service.  Email messages will continue to go through EOP and still go through malware and virus protection checks.  Once the message goes through the standard EOP protections, if an ATP policy applies to the email message it will go through the additional Safe Attachment and Safe Links checks.  ATP policies can be configured through the Exchange Admin Console (EAC) or through PowerShell.
It is worth noting that ATP can be used with Exchange Online, Exchange on-premises and in Exchange Hybrid scenarios.

Safe Attachments

Safe Attachments will help organizations protect against zero day exploits in email attachments by blocking messages.  Common unsafe attachment types such as Office files, PDFs, executable file types, Flash files, etc. would be inspected.
Safe Attachments leverages sandboxing technology.  All attachments that do not match a known virus/malware signature are routed to a special hypervisor environment where behavior analysis is performed, using a variety of machine learning and analysis techniques, to find malicious intent.  If a message's attachment(s) is deemed unsafe, the email is blocked; the message is held until the attachments have been detonated in the hypervisor.  Each attachment is opened in a unique hypervisor, which can result in an email delivery delay of 5 to 30 minutes while the attachment is being evaluated.

Here is the configuration screen in the EAC for the Safe Attachments policy.  This is where you configure the behavior when unknown malware is discovered.  For instance, you can monitor the message by allowing it to still go through and just get reporting.  You can block the message altogether, or allow the email to go through without the attachments.

Below is an example email that would be sent to an administrator based on the policy configuration you make.
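The same Safe Attachments policy can be created from Exchange Online PowerShell instead of the EAC. The following is an added example, not code from the original post; it assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline), and the policy name, recipient domain and admin mailbox are placeholders to replace with your tenant's values.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online
# PowerShell session; names, domain and mailbox below are placeholders.

# Action decides what happens when sandbox detonation finds unknown malware:
#   Allow   - monitor only: deliver the message and just report it
#   Block   - block the whole message
#   Replace - deliver the message body but strip the attachments
$policyName = "Contoso Safe Attachments"      # placeholder policy name

New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "secops@contoso.example"  # placeholder mailbox that receives the notification email

# The rule scopes the policy; here it applies to every recipient in one domain.
New-SafeAttachmentRule -Name "$policyName rule" `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs "contoso.example" `      # placeholder domain
    -Enabled $true

# Verify the result before relying on it.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity "$policyName rule" |
    Format-List Name, SafeAttachmentPolicy, RecipientDomainIs, State
```

Start with the monitor-only action (Allow) and the redirect address set while you measure false positives and delivery delay on a pilot domain, then switch the policy to Block or Replace once the reporting shows what the sandbox is catching.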

Safe Links

Safe Links will help protect against malicious sites and content in phishing attacks.  A common threat is to try to hide malicious URLs in an email that seem to be safe but redirect users to unsafe sites. 
When a Safe Links policy is configured, every time a user clicks a URL from an email message that click is inspected.  Specifically, URLs in the email are rewritten to proxy them through another server managed by the ATP service.  If the URL points to a good site, there is almost no latency in the click and the user goes to the site.  If the URL points to a malicious site, a landing page is presented to the user warning them that they are about to go to an unsafe site.

Here is the configuration screen for this policy in the EAC.  There is an option to track user clicks on malicious URLs.  You do have the option to not allow the user to click through to a known malicious URL.  You also have the ability to add your own custom list of blocked URLs.

The following is an example of what a user would see if they click a malicious URL in an email.  Depending on how you configured the policy, the malicious URL will not be presented to the end user so that they cannot click-through.
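Here is the PowerShell equivalent of the Safe Links policy screen above, as an added example that is not part of the original post. It assumes an open Exchange Online PowerShell session; the policy name and domain are placeholders. The custom blocked-URL list is applied with the tenant-wide Set-AtpPolicyForO365 cmdlet, and the click lookup at the end uses Get-UrlTrace; both are assumed to be available in the tenant, since cmdlet availability has changed over time.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online
# PowerShell session; policy name, domain, URL pattern and mailbox are placeholders.
$policyName = "Contoso Safe Links"            # placeholder policy name

# TrackClicks keeps the click log used for reporting; AllowClickThrough $false
# stops users from proceeding past the warning page to a known malicious URL.
New-SafeLinksPolicy -Name $policyName `
    -IsEnabled $true `
    -TrackClicks $true `
    -AllowClickThrough $false

# Scope the policy to one recipient domain.
New-SafeLinksRule -Name "$policyName rule" `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs "contoso.example" `      # placeholder domain
    -Enabled $true

# Custom list of URLs that are always blocked (tenant-wide ATP setting, assumed cmdlet).
Set-AtpPolicyForO365 -BlockUrls "phish.example.invalid/*"   # placeholder URL pattern

# Confirm the effective settings.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, IsEnabled, TrackClicks, AllowClickThrough

# Reporting: list Safe Links clicks for one user over the last week (assumed cmdlet).
Get-UrlTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecipientAddress "user@contoso.example"   # placeholder recipient
```

Keeping TrackClicks on is what makes the URL tracking reports useful: a user who clicked through to a warned URL is a candidate for follow-up even when click-through is blocked, because the attempt itself shows who is being targeted.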

URL Tracking

Safe Attachments and Safe Links provide organizations visibility into people who may be compromised.  With this reporting you can see how your organization is being targeted and whether you need to introduce new policies, more user training, etc.
For Safe Attachments, you can see reporting of the unsafe attachments that were blocked. 

As part of Safe Links, you can also see who has been receiving malicious URLs and who has been clicking through to malicious URLs (if you allow it).
