Office 365 Advanced Threat Protection
Frequently Asked Questions
What is Office 365 Advanced Threat Protection?
Office 365 Advanced Threat Protection (ATP) helps to secure your mailboxes against advanced threats, providing time-of-click protection against unknown malware and zero-day attacks. Advanced Threat Protection delivers several capabilities including Safe Attachments, Safe Links and rich reporting to help combat sophisticated attacks.
Will ATP catch 100% of malicious attacks?
No. In fact, no advanced threat protection product can catch 100% of malicious attacks, despite claims to the contrary. The notion of 100% protection is a misperception that is driven by the marketing and sales messages of some vendors in this industry.
What is Microsoft’s SLA on virus and spam detection?
Microsoft’s SLA on known viruses is 100%, with a spam effectiveness SLA of greater than 90%, a false positive ratio SLA of 1:250,000, and a monthly uptime SLA of 99.999%. Additionally, we keep continuously updated lists of malicious URLs that are checked approximately every 20 minutes.
Do I need to assign licenses and configure policies in order for Advanced Threat Protection to work?
Enabling ATP requires configuring policies that activate the service and target the specific users, groups, or domains it protects. You can configure separate policies for ATP to check links, attachments, or both.
Safe Links and Safe Attachments policies can each be applied to specific sets of users. Learn how to do this at Set up a Safe Attachments policy in ATP and Set up a Safe Links policy in ATP. You can also create individualized policies within the Safe Links and Safe Attachments settings so that subgroups of users can have custom protection settings.
Assigning licenses is not a technical requirement, but it is required for licensing compliance.
How long does it take for Advanced Threat Protection policies to be effective?
Once a change is made to an Advanced Threat Protection policy, it can take up to 30 minutes for that change to propagate.
Does Advanced Threat Protection only work for Exchange Online mailboxes?
Advanced Threat Protection works for Exchange Online cloud-hosted mailboxes; on-premises customers running Exchange Server 2010, Exchange Server 2013, and Exchange Server 2016; and on-premises customers running non-Microsoft mail servers.
Can a user be configured only for Safe Attachments or only for Safe Links?
Yes, there are separate policies for Safe Links and Safe Attachments. Each policy can be applied to a specific set of users, distribution groups, or domains. It is also possible to have unique policies within Safe Links and Safe Attachments so each group of users can have custom settings.
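The following Exchange Online PowerShell session is an added example, not part of the original FAQ, showing the separate Safe Attachments and Safe Links policies described above: one Safe Attachments policy with the Block action scoped to a single group, and one Safe Links policy with click-through disabled scoped to a whole domain. It assumes the ExchangeOnlineManagement module is installed and the account has an Exchange Online security administration role; contoso.com, the "Finance Users" group and the quarantine mailbox address are placeholders.

```powershell
# Added example, not the FAQ's own code. contoso.com, "Finance Users" and the
# redirect mailbox are placeholders. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Safe Attachments: a Block policy for one group only. Block holds delivery until
#    the attachment has been detonated, so expect the delay the FAQ describes.
New-SafeAttachmentPolicy -Name "Finance - Block" `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "secops-quarantine@contoso.com"   # copy of blocked mail for review

# The rule decides who the policy applies to; lower Priority wins when rules overlap.
New-SafeAttachmentRule -Name "Finance - Block" `
    -SafeAttachmentPolicy "Finance - Block" `
    -SentToMemberOf "Finance Users" `
    -Priority 0

# 2. Safe Links: a domain-wide policy. AllowClickThrough $false keeps users on the
#    warning page for a known-malicious URL instead of letting them continue.
#    (-IsEnabled is the parameter name from this era; newer module versions expose
#    -EnableSafeLinksForEmail for the same purpose.)
New-SafeLinksPolicy -Name "Contoso - Safe Links" `
    -IsEnabled $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name "Contoso - Safe Links" `
    -SafeLinksPolicy "Contoso - Safe Links" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# 3. Verify which rules exist and whom they target; allow up to 30 minutes for the
#    change to propagate before testing with a real message.
Get-SafeAttachmentRule | Select-Object Name, SafeAttachmentPolicy, SentToMemberOf, Priority
Get-SafeLinksRule      | Select-Object Name, SafeLinksPolicy, RecipientDomainIs, Priority
```

Because Safe Attachments and Safe Links are configured through independent policy/rule pairs, a user can end up in one, both, or neither simply by how the rules' recipient conditions are written; the final Get-* calls are the check to run when a user reports that links are rewritten but attachments are not, or vice versa.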
Does it protect only internal mailboxes?
Safe Attachments scans incoming mail from outside the organization for all customers, as well as internal emails between employees for hosted mailbox customers. Safe Links is only applied for inbound traffic from external senders to internal recipients.
All suspicious content goes through a real-time behavioral malware analysis that uses machine learning techniques to evaluate the content for suspicious activity.
Does Exchange Online Protection (EOP) anti-malware work with Advanced Threat Protection?
Yes, Advanced Threat Protection complements EOP anti-malware filtering. Only those attachments that successfully pass EOP anti-malware scanning are impacted by Safe Attachments or Safe Links policies.
The EOP anti-malware filtering is also designed to learn from ATP. Our ATP customers are protected immediately when ATP identifies a new threat, but we are also working constantly to improve the protection across the entire service.
Can on-premises organizations use Advanced Threat Protection?
Yes, Exchange organizations with on-premises mail servers can use Advanced Threat Protection, so long as they use Exchange Online Protection to route incoming messages.
What additional bandwidth is required once ATP is enabled for a tenant of 80k users? Will I see latency in service now that all email is ATP-scanned?
- Email delivery. If the Safe Attachments policy that applies to a particular recipient has an action of Block, the email will not be delivered until the attachments can be detonated by the Safe Attachments technology in ATP. Safe Attachments will launch a unique hypervisor to open the attachment. This can result in a delivery delay of 2-30 minutes for each mail evaluated by Safe Attachments.
- Dynamic Delivery. Dynamic Delivery is a new Office 365 ATP capability that is scheduled to be released later this year. Dynamic Delivery will eliminate the latency described above by delivering the body of an email with a placeholder attachment, to be replaced by the actual attachment after it has undergone a Safe Attachments scan. This allows recipients to read and respond to the message immediately, while also notifying them that the original attachment is still being analyzed.
- Web browsing. If a link points to a website recognized as not malicious, Safe Links adds very little latency to loading the target page. If the link points to a website recognized as malicious, the user is routed to a warning page and has to go through it (if click-through is enabled) in order to continue on to the site.
Note: After a change is made to an ATP policy, it can take up to 30 minutes for that change to propagate to every server.
Why should I be interested in Office 365 Advanced Threat Protection if I’m already using Windows Defender Advanced Threat Protection?
Windows Defender Advanced Threat Protection (WDATP) is a new service that builds on the existing pre-breach security features and services Windows 10 offers today. Windows Defender ATP provides a new post-breach layer of protection to the Windows 10 security stack that enables customers to detect, investigate, and respond to advanced and targeted attacks on their networks.
Office 365 Advanced Threat Protection further supplements these defenses by providing focused protection for customers’ email and messaging environments. Together, Windows Defender ATP and Office 365 ATP provide a comprehensive and robust set of protection and threat analysis tools for our customers. For more information, see Announcing Windows Defender Advanced Threat Protection.
How do we respond to Proofpoint’s collateral that accuses Microsoft of missing a lot of malware attacks and positions us as an incomplete solution?
The recent Proofpoint materials are comparing their full solution to Exchange Online Protection only, and not Office 365 ATP. This is not a valid comparison of our competing security offerings.
Can ATP protect me from crypto malware (i.e. ransomware)? How does it determine this?
Both CryptoLocker and Locky are detected by Office 365 ATP. Office 365 ATP uses an internal sandbox technology which detonates the attachments in VMs and detects any anomalies. It uses several internal tools to detect vulnerabilities triggered by the sample being examined as well as other behavioral analysis to identify malicious activity.
Ok, but I need a solution that protects me from ransomware on my desktops and tablets. Does Office 365 ATP offer this?
Windows Defender ATP, not Office 365 ATP, provides protection for Windows. However, Office 365 ATP and WDATP share signals which provide a holistic solution.
In June 2016, Office 365 was the target of a massive, zero-day Cerber ransomware attack. How did Microsoft respond to the attack when it affected customers of EOP/ATP security?
Microsoft has a responsibility to continue to evolve the service to be ahead of the malware attacks. As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family.
These additions to MSRT complement our Cerber-specific family detection in Windows Defender, and our ransomware-dedicated cloud protection features.
Does ATP identify phishing? How does it determine this? If so, what is the false positive rate?
Here are some of the key features as part of EOP and ATP that help combat phishing email threats:
- EOP has strengthened its counterfeit detection by over 500 percent and helps to protect against insider spoofing, also known as whale attacks, that target high profile users in an organization.
- Advanced Threat Protection features such as time-of-click malicious URL protection and zero-day unknown malware protection.
- Strengthened coverage against malicious URLs by EOP and ATP.
- Implementation of key sender authentication technologies, such as DKIM and DMARC, provided by EOP.
- Improved protection against bulk mail provided by EOP.
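The sender authentication item in the list above only takes effect for a custom domain once that domain publishes the matching DNS records. The script below is an added example, not part of the original FAQ, that checks a domain for the three records EOP's SPF, DKIM and DMARC handling depends on. It assumes a Windows host with the DnsClient module (Resolve-DnsName) and uses contoso.com as a placeholder domain; the selector names selector1 and selector2 are the two DKIM selectors Office 365 rotates between.

```powershell
# Added example, not the FAQ's own code. contoso.com is a placeholder domain.
# Requires Resolve-DnsName (DnsClient module, Windows); uses the host's resolver.
$Domain = "contoso.com"

# Returns every TXT string published at $Name, or an empty array on NXDOMAIN/error.
function Get-TxtRecord([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Strings } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

# SPF: a TXT record at the domain apex beginning with v=spf1. For mail relayed
# through EOP it should include spf.protection.outlook.com.
$spf = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' }
"SPF  : " + $(if ($spf) { $spf } else { 'MISSING' })
if ($spf -and ($spf -notmatch 'spf\.protection\.outlook\.com')) {
    "       warning: SPF does not include spf.protection.outlook.com"
}

# DKIM: Office 365 signs with selector1 and selector2; each name under _domainkey
# must be a CNAME to the tenant's signing host, otherwise signatures fail to verify.
foreach ($selector in 'selector1', 'selector2') {
    $name = "$selector._domainkey.$Domain"
    try {
        $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop).NameHost
        "DKIM : $name -> $cname"
    } catch {
        "DKIM : $name MISSING"
    }
}

# DMARC: TXT at _dmarc.<domain>. p=none only reports; p=quarantine or p=reject
# tells receivers what to do with mail that fails SPF/DKIM alignment.
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }
"DMARC: " + $(if ($dmarc) { $dmarc } else { 'MISSING' })
if ($dmarc -match 'p=none') { "       note: DMARC policy is monitor-only (p=none)" }
```

Run it against each custom domain in the tenant; a domain that shows MISSING for DKIM or a p=none DMARC policy is one where spoofed mail using that domain will still reach recipients' filters with weaker authentication evidence than the FAQ's feature list implies.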