Make the Most of Exchange Online Advanced Threat Protection

Attackers use a variety of vectors to infiltrate organizations with viruses and malware. Microsoft Exchange has a premium service called Exchange Online Advanced Threat Protection (ATP) whose five distinct features add layers of security to your email and documents:

  • Safe Links
  • Safe Attachments
  • Spoof intelligence
  • Quarantine
  • Advanced anti-phishing capabilities

This blog post describes the first three of these features.


ATP is included only for users who are licensed for Office 365 Enterprise E5, Office 365 Education A5 and Microsoft 365 Business plans. If you don’t want to upgrade everyone to one of these plans, you can purchase ATP as an add-on license for US$2 per user per month. You can add ATP to the following Exchange and Office 365 subscription plans:

  • Exchange Online Plan 1
  • Exchange Online Plan 2
  • Exchange Online Kiosk
  • Exchange Online Protection
  • Office 365 Business Essentials
  • Office 365 Business Premium
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Office 365 Enterprise F1
  • Office 365 A1
  • Office 365 A3


ATP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server 2013. For more information, check the “Supported browsers” and “Supported languages” sections in the Exchange Admin Center in Exchange Online Protection.

Safe Links

The Safe Links feature of ATP guards against malicious links in both emails and Office documents in real time. It is similar to the unified threat management of older edge-protection and web-protection firewalls, in which the URLs users clicked on were intercepted by the firewall and run through a scanning and hygiene process before the content was allowed to come into the network. With Safe Links, email entering or leaving the organization goes through Exchange Online Protection (EOP), which filters out spam and phishing messages it knows about and scans each message through a variety of antimalware detection engines.

When users click on links in messages that land in their inboxes, the ATP service checks the link and does one of the following:

  • If the URL has been deemed by the ATP service to be safe, it is allowed to be opened.
  • If the URL is on your organization’s “do not rewrite” list, the website simply opens when the user clicks the link. A “do not rewrite” list is good for internal systems and line-of-business applications that take certain actions based on URLs, like one-click expense report approvals.
  • If the URL is on a custom block list that your organization configured, a warning page is displayed to the user.
  • If the URL has been deemed by the ATP service to be malicious in nature, a warning page is displayed to the user.
  • If the URL goes to a downloadable file and your organization’s ATP Safe Links policies are configured to scan such content, the ATP service will scan the file before downloading it.

To modify your Safe Links policy, take the following steps:

  1. Navigate to https://protection.office.com. Under Threat management, choose Policy and then click Safe Links.
  2. In the “Policies that apply to the entire organization” section, select Default and then click the pencil button to edit the policy configuration.
  3. In the “Block the following URLs” section, you can add sites that no one in your organization ought to be able to visit. (This won’t stop them from going to the site by directly entering its address into the address bar in their web browser, but it will prevent them from clicking a link in an email or document to visit it.)
  4. In the “Settings that apply to content except email” section, leave everything checked.
  5. Click Save.

When a user clicks a link in an email or Office document, they will see a message like this:

Figure 1. How Safe Links notifies a user that it is scanning a link

Safe Attachments

Scanning engines can miss unknown malware and viruses when they first break out, before they have been classified and the signatures have been updated. With Safe Attachments, messages with unsafe attachments — those that don’t match known signatures — are sent to a sandboxed virtual environment where they are securely opened. If the service detects suspicious activity like a virus or malware trying to execute, the message is rejected or quarantined. If no suspicious activity is detected, the message is released to the user.

Figure 2. Scanning attachments with the ATP safe attachments service

To configure Safe Attachments policies, take these steps:

  1. Go to https://protection.office.com. In the left pane, under Threat management, choose Policy and then click Safe Attachments. Make sure that if you’re presented with the option to “Turn on ATP for SharePoint, OneDrive, and Microsoft Teams,” you do so. (You’ll want to allow at least 30 minutes for this to take effect across all of Microsoft’s global Office 365 datacenters.)
  2. Click the + sign to create a new Safe Attachment Policy, and then enter a name and description for the policy. The table below explains the available settings. I recommend dynamic delivery for most recipients. It’s the safest, it won’t delay the body of an email, and it is virtually transparent to users who are not in front of their computer all the time.

Figure 3. Safe Attachments policy options (image courtesy Microsoft Corporation)

Spoof Intelligence

Spoof intelligence spots mail that appears to be from a user account within one of your organization’s domains. Specifically, it detects mail with a From address (or with a sender field in the headers of a message) that matches one of the domains configured on your Office 365 tenant. Sometimes these messages can be legitimate — for example, you might send a marketing newsletter from a separate service like Aweber or Mailchimp, or your copier and scanner might send emails to your tenant and have a “From” address in your tenant. But other times it is someone impersonating an internal user in order to trick people into sending a check to pay a fake invoice, initiate a foreign wire transfer and so on.

Spoof intelligence collects all the suspicious senders it detects in your mail flow and presents them in one convenient location, where you can decide which senders you’ll allow to send mail into your tenant and which ones should be blocked. To review this list, go to the Security and Compliance page and click Anti-spam settings.
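
The review list described above can be sketched in a few lines. This is an added example, not code from the original post or from Microsoft: the tenant domain, host names, allow decision and sample messages are all constructed, and treating the topmost Received header as the sender's infrastructure is an assumption of the sketch.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

TENANT_DOMAINS = {"contoso.example"}           # assumed: domains on the tenant
OWN_HOSTS = {"mail.contoso.example"}           # assumed: the tenant's own outbound host
DECISIONS = {"news.mailer.example": "allow"}   # assumed: admin choices made so far

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Sender header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def sending_host(msg):
    """Host named in the topmost Received header, the hop nearest the tenant."""
    m = re.match(r"\s*from\s+(\S+)", msg.get("Received", ""), re.I)
    return m.group(1).lower() if m else "unknown"

def spoof_review_list(raw_messages):
    """Group mail that claims a tenant domain but arrived from a foreign host."""
    seen = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        claimed = {domain_of(msg["From"]), domain_of(msg["Sender"])} & TENANT_DOMAINS
        host = sending_host(msg)
        if host not in OWN_HOSTS:
            seen.update((host, d) for d in claimed)
    return [{"host": h, "claims": d, "count": n, "decision": DECISIONS.get(h, "review")}
            for (h, d), n in sorted(seen.items())]

def make_msg(host, from_, sender=None):
    """Build one constructed message; addresses and hosts are sample values."""
    headers = [f"Received: from {host} (203.0.113.10) by mx.contoso.example",
               f"From: {from_}"] + ([f"Sender: {sender}"] if sender else [])
    return "\n".join(headers) + "\nSubject: sample\n\nbody\n"

SAMPLES = [
    make_msg("news.mailer.example", "Marketing <news@contoso.example>"),   # newsletter service
    make_msg("news.mailer.example", "Marketing <news@contoso.example>"),
    make_msg("scanner01.office.example", "scanner@contoso.example"),       # copier/scanner
    make_msg("relay.unknown.example", "CFO <cfo@CONTOSO.example>"),        # impersonation
    make_msg("relay.unknown.example", "ap@fabrikam.example", "ceo@contoso.example"),
    make_msg("mail.contoso.example", "Alice <alice@contoso.example>"),     # genuine internal
    make_msg("mail.fabrikam.example", "Bob <bob@fabrikam.example>"),       # ordinary external
]

if __name__ == "__main__":
    for row in spoof_review_list(SAMPLES):
        print(row)
```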


ATP can’t thwart all malicious attacks, but it’s a good tool that provides robust zero-day protection against unknown malware and viruses. If you’re ready to learn about other Office 365 services that help protect sensitive data, check out this Managing Office 365 Data Loss Prevention blog post.

Author, consultant, and speaker on a variety of IT topics. Jonathan has written books on Windows Server and related products and has spoken worldwide on topics ranging from networking and security to Windows administration.