In this blog post I'll write about what Office 365 ATP adds on top of the protection you already get, why you should consider it, and how it goes beyond protecting only Exchange Online.
We'll also take a short look at the other ATP products that Microsoft has to offer, which might be worth a look depending on your environment.
What is Exchange Online Protection?
Before we get into Office 365 ATP, it is good to know what Exchange Online Protection is and what level of protection it adds to Exchange Online. EOP is the default email filtering service that is included with Office 365, but it can also be licensed separately to filter mail for an on-premises Exchange environment.
You can find a list of all the features EOP provides in this TechNet article.
Different ATP products
Microsoft offers a range of Advanced Threat Protection licenses, each focused on a different workload and layer of security. While this post focuses on Office 365 Advanced Threat Protection, you can find more information about the other products on the links below:
- What is Azure Advanced Threat Protection
- Microsoft Defender Advanced Threat Protection
- Advanced Threat Protection for Azure SQL Database, Azure SQL Managed Instance and Azure Synapse Analytics
Depending on your environment, it might be good to consider implementing a combination of different ATP products.
Safe Attachments
Anti-malware is part of Exchange Online Protection, which is already available to you by default if you're using Exchange Online. This feature scans attachments for malware using multiple engines. It does have its limits, however: it only scans email messages and, because it relies on virus/malware signatures, it offers no protection against zero-day malware that has no signature yet.
Safe Attachments adds zero-day protection by routing messages with attachments to a sandbox environment, where the attachments are opened (detonated) and analysed with machine learning and behavioural analysis to detect malicious code before the message is delivered.
This protection also extends to Office documents stored in OneDrive, SharePoint and Teams. It does not scan every file synchronously on upload; files are scanned asynchronously, triggered by activity events such as sharing and guest access. Depending on your license and needs, Automated investigation and response and Alert policies are things you may want to look at as well.
Safe Links
Safe Links adds time-of-click verification of URLs in email messages and Office documents: the URL is rewritten on delivery and checked against ATP's reputation data at the moment the user clicks it, which catches links that were still clean when the message arrived. This helps protect your users from malicious websites. You can set up a Safe Links policy that applies to all of your users and blocks any URL that ATP finds to be malicious.
This feature is available not only in Office for the web but also in Microsoft 365 Apps for enterprise and the Office apps for iOS and Android, which covers most, if not all, of the devices your users work on.
ATP for Sharepoint, OneDrive and Teams
ATP for SharePoint, OneDrive and Teams extends the Safe Attachments feature to these applications. When a malicious file is detected it is locked: users can no longer open, copy, move or share it until an administrator takes action. Note that, by default, users can still delete the locked file and, unless you set the SharePoint Online tenant option DisallowInfectedFileDownload, they can still download it, so that setting is worth enabling alongside the feature.
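The three pieces described above (Safe Attachments for mail, Safe Links, and ATP for SharePoint, OneDrive and Teams) can be configured from Exchange Online PowerShell and the SharePoint Online Management Shell rather than through the Security & Compliance Center. The script below is an added example and is not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, an account holding the Security Administrator and SharePoint Administrator roles, and the placeholder tenant contoso.com with admin@contoso.com and secops@contoso.com as made-up addresses. Parameter names of the Safe Links cmdlets have been renamed in later module versions (for example -DoNotAllowClickThrough became -AllowClickThrough), so check Get-Help for the version you run.

```powershell
# Added example, not code from the original post. Assumes the
# ExchangeOnlineManagement module and the placeholder tenant contoso.com.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Safe Attachments for mail: detonate attachments in the sandbox and block
#    the whole message when malware is found. -Redirect sends a copy of blocked
#    messages to the security team; -ActionOnError applies Block when the scan
#    itself fails or times out, so a broken sandbox does not fail open.
$saPolicy = 'Block malicious attachments'
New-SafeAttachmentPolicy -Name $saPolicy `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress 'secops@contoso.com' `
    -ActionOnError $true
New-SafeAttachmentRule -Name "$saPolicy - all users" `
    -SafeAttachmentPolicy $saPolicy `
    -RecipientDomainIs 'contoso.com'

# 2. Safe Links for mail and Teams: rewrite URLs so they are verified at click
#    time, also scan links that point to downloadable content before delivery,
#    apply it to internal senders too, and do not let users click through the
#    warning page to a site that was flagged as malicious.
$slPolicy = 'Time-of-click URL protection'
New-SafeLinksPolicy -Name $slPolicy `
    -IsEnabled $true `
    -EnableSafeLinksForTeams $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -DoNotAllowClickThrough $true `
    -DoNotTrackUserClicks $false
New-SafeLinksRule -Name "$slPolicy - all users" `
    -SafeLinksPolicy $slPolicy `
    -RecipientDomainIs 'contoso.com'

# 3. Tenant-wide ATP settings: Safe Attachments for files stored in SharePoint,
#    OneDrive and Teams, and Safe Links inside the Office desktop/mobile apps.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForO365Clients $true

# 4. Files flagged in SharePoint/OneDrive/Teams are locked but, by default, can
#    still be downloaded. Close that gap with the SharePoint Online module
#    (assumed tenant admin URL; replace with your own).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -DisallowInfectedFileDownload $true

# 5. Verify the result. A policy without a rule protects nobody, so check the
#    rules and not just the policies.
Get-SafeAttachmentRule | Format-Table Name, SafeAttachmentPolicy, RecipientDomainIs, State
Get-SafeLinksRule      | Format-Table Name, SafeLinksPolicy, RecipientDomainIs, State
Get-AtpPolicyForO365   | Format-List EnableATPForSPOTeamsODB, EnableSafeLinksForO365Clients
Get-SPOTenant          | Format-List DisallowInfectedFileDownload
```

The policy/rule split matters: the *policy* holds the settings and the *rule* decides who they apply to, so scoping with -RecipientDomainIs to every accepted domain in the tenant is what makes the protection reach all users. Use -Action DynamicDelivery instead of Block if users complain about delivery delays; the message body is delivered immediately with a placeholder attachment that is swapped in once the sandbox finishes.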
Anti-phishing
EOP can protect your users against phishing using several techniques, including spoof intelligence and implicit email authentication (a composite of SPF, DKIM and DMARC results plus sender reputation). ATP adds anti-phishing policies on top of this with impersonation protection for selected users and domains, mailbox intelligence (which learns who each user normally corresponds with) and an adjustable phishing threshold that controls how aggressively suspected phishing is treated.
You can find more information about configuring ATP anti-phishing policies on this link.
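An ATP anti-phishing policy that combines the pieces just mentioned (user and domain impersonation protection, mailbox intelligence and the phishing threshold) can be created from Exchange Online PowerShell. The script below is an added example and is not code from the original post or from Microsoft; it assumes an existing Exchange Online PowerShell session, the placeholder tenant contoso.com, and made-up executives Jane Doe and John Roe as the users most worth protecting against impersonation. As with the Safe Links cmdlets, some parameters have been renamed in later module versions (for example -EnableAntiSpoofEnforcement became -EnableSpoofIntelligence), so check Get-Help New-AntiPhishPolicy for the version you run.

```powershell
# Added example, not code from the original post. Assumes an existing
# Exchange Online PowerShell session and the placeholder tenant contoso.com.

# People whose display name or address is most worth impersonating (executives,
# finance, HR). The expected format is "DisplayName;EmailAddress".
$vips = @(
    'Jane Doe;jane.doe@contoso.com',
    'John Roe;john.roe@contoso.com'
)

$apPolicy = 'ATP anti-phishing - impersonation and mailbox intelligence'
New-AntiPhishPolicy -Name $apPolicy `
    -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $vips `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'contoso.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2 `
    -EnableAntiSpoofEnforcement $true `
    -AuthenticationFailAction MoveToJmf

# The rule scopes the policy; without it the policy applies to nobody.
New-AntiPhishRule -Name "$apPolicy - all users" `
    -AntiPhishPolicy $apPolicy `
    -RecipientDomainIs 'contoso.com'

# Review what was created. Threshold 2 is "aggressive"; 3 and 4 treat more mail
# as phishing and will also catch more legitimate mail, so watch the quarantine
# and the false-positive rate before raising it.
Get-AntiPhishPolicy $apPolicy |
    Format-List PhishThresholdLevel, Enable*Protection, *ProtectionAction, TargetedUsersToProtect
```

A deliberate asymmetry in the example: explicit impersonation of a named executive or of your own domain goes straight to quarantine, while mailbox-intelligence verdicts (which are probabilistic) only land in the Junk Email folder, because a wrong guess there should cost the user a look in Junk rather than a ticket to the helpdesk.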
Threat Trackers and Threat Explorer
When you're licensed for Office 365 ATP Plan 2, you also get Threat Trackers, which help you discover and act on security threats.
They contain informative widgets and views that provide intelligence on the threats and risks you should know about, for example insight into campaigns that are targeting your environment. Threat Explorer can highlight threats detected by Office 365 Safe Attachments, so you know when you're being targeted by a malware campaign.
Automated investigation and response
Alerts make you aware of what is going on in your environment, but they still require manual follow-up by an administrator. This feature helps you or your security team by launching an automated investigation in response to a security alert. AIR does not act on its own: it collects evidence, proposes remediation actions and waits for approval from your security team before carrying them out. For full functionality you need an ATP Plan 2 license.
Attack Simulator
How well trained are your users, and how do they respond to a threat such as a phishing campaign? Attack Simulator lets you run a spear-phishing campaign against your own users to identify who is vulnerable, so you can train them before a real campaign has an impact on your business.
In a password attack, an attacker tries to guess the passwords of user accounts. This often follows a phishing campaign, especially if the attacker harvested credentials from your users, since those passwords can be tried against other accounts and services. The risk can be mitigated by making sure you've implemented Azure Multi-Factor Authentication, so that a guessed password alone is not enough to sign in.
Attack Simulator also lets you create a password attack campaign to simulate these attacks. Two types are available:
- Brute force password attack: a large dictionary of passwords is tried against your user accounts to identify users with weak passwords. Account lockout after repeated incorrect passwords offers some protection against this type of attack, which is why the attacker's activity shows up as a burst of failures against a single account.
- Password spray attack: a single password is tried against many user accounts. These attacks are harder to spot because each account sees only one failed attempt, which never triggers a lockout; only by looking across accounts (same source, many users, short time window) does the pattern become visible.
This feature is only available with an ATP Plan 2 license.
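The difference between the two attack types above also dictates how you detect them in sign-in data: a brute-force attempt is many failures against one account, while a spray is one or two failures each against many accounts from the same source, which per-account lockout thresholds never see. The script below is an added example and is not code from the original post or from Microsoft. The sign-in records in it are constructed for the example and mimic a few fields of an Azure AD sign-in log export (UserPrincipalName, IPAddress, CreatedDateTime and the ErrorCode value 50126, which is "invalid username or password"); in practice you would feed in failed sign-ins exported from the Azure AD sign-in log instead. The thresholds are assumptions to tune for your tenant.

```powershell
# Added example, not code from the original post. The sign-in records below are
# constructed for the example; ErrorCode 50126 = invalid username or password.
$t0 = Get-Date '2020-06-01T08:00:00Z'
$signIns = @(
    # Brute force: many wrong passwords for one account from one source IP.
    1..12 | ForEach-Object {
        [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com'; IPAddress = '203.0.113.10'
                           CreatedDateTime = $t0.AddSeconds(5 * $_); ErrorCode = 50126 }
    }
    # Password spray: one wrong password per account across many accounts, same IP.
    # No single account crosses a lockout threshold, so only a cross-account view shows it.
    $i = 0
    foreach ($u in 'alice', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi', 'ivan') {
        $i++
        [pscustomobject]@{ UserPrincipalName = "$u@contoso.com"; IPAddress = '198.51.100.7'
                           CreatedDateTime = $t0.AddSeconds(30 * $i); ErrorCode = 50126 }
    }
    # Benign noise: a user mistyping their password once, then succeeding (ErrorCode 0).
    [pscustomobject]@{ UserPrincipalName = 'mallory@contoso.com'; IPAddress = '192.0.2.44'
                       CreatedDateTime = $t0.AddMinutes(3); ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'mallory@contoso.com'; IPAddress = '192.0.2.44'
                       CreatedDateTime = $t0.AddMinutes(4); ErrorCode = 0 }
)

function Find-PasswordAttack {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $BruteForceFailures = 10,  # failures on a single account from one IP
        [int]    $SprayDistinctUsers = 5,   # distinct accounts tried from one IP
        [double] $SprayMaxPerUser    = 2    # average failures per account (sprays stay low)
    )
    $failures = $SignIns | Where-Object ErrorCode -eq 50126
    # Group by source, not by account: that is the view a per-account lockout lacks.
    foreach ($src in ($failures | Group-Object IPAddress)) {
        $users = @($src.Group.UserPrincipalName | Sort-Object -Unique)
        $times = @($src.Group.CreatedDateTime | Sort-Object)
        $result = [ordered]@{
            IPAddress     = $src.Name
            Failures      = $src.Count
            DistinctUsers = $users.Count
            Minutes       = [math]::Round(($times[-1] - $times[0]).TotalMinutes, 1)
            Verdict       = 'none'
        }
        if ($users.Count -eq 1 -and $src.Count -ge $BruteForceFailures) {
            $result.Verdict = 'brute force'
        }
        elseif ($users.Count -ge $SprayDistinctUsers -and ($src.Count / $users.Count) -le $SprayMaxPerUser) {
            $result.Verdict = 'password spray'
        }
        [pscustomobject]$result
    }
}

# With the constructed data this reports 203.0.113.10 as brute force (12 failures,
# 1 user) and 198.51.100.7 as password spray (8 failures, 8 users); 192.0.2.44 stays 'none'.
Find-PasswordAttack -SignIns $signIns | Where-Object Verdict -ne 'none' | Format-Table -AutoSize
```

Sprays in the wild are usually slower than the constructed one (one attempt per account per hour or more, to stay under smart-lockout and detection windows) and often come from many IP addresses, so in production you would widen the time window and additionally group by user agent or autonomous system rather than by a single IP.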
Office 365 ATP Licensing
Office 365 ATP Plan 1 and Plan 2 are available as separate add-on licenses, but they can also be included in your subscription, for example with Microsoft 365 E5, Office 365 E5, Office 365 A5 and Microsoft 365 Business Premium. There are several differences between ATP Plan 1 and Plan 2 in terms of available features. Also make sure that every user in your Office 365 tenant who is covered by the protection is licensed for it.
A full list of subscriptions that contain Office 365 Advanced Threat Protection is listed here. The same link also contains a table with Feature availability across Advanced Threat Protection (ATP) plans.