Advanced Threat Protection in Exchange Online Protection


If you’ve researched, or had a conversation about, email security and the effort to prevent zero-day attacks from malware and viruses, then you have probably heard the name Advanced Threat Protection, or ATP. Microsoft released ATP last year to address this need, and several organizations, whether Exchange Online clients or not, have increasingly been requesting information about it. In many cases the questions start with a real unknown about where exactly this service is positioned in Office 365. The formal documentation from Microsoft is really good, but I have found that several times what seems to be an assumed statement ends up lost in the reading. My goal for this blog is to provide a clear answer about where the solution is, and to give you a good idea of how it works.


The Definition


First things first, what is Advanced Threat Protection? ATP is a service in Exchange Online Protection, designed to prevent zero-day attacks from malware and viruses by providing real-time scanning, analysis and proactive action on links and attachments within an email. I’ll get deeper into the details in the following section; for a clear definition this should be sufficient.


That said, did you see the first line? “ATP is a service in Exchange Online Protection”. That is exactly where ATP is, so if you want to benefit from ATP, you have to route your email through EOP. If your organization is not in Exchange Online, this does not exclude you from using it: the “relationship” is not with Exchange Online, it is with Exchange Online Protection. So to level set, we are not talking about mailboxes in the cloud, we are talking about email flow regardless of where your mailboxes are.


And here is a note to clarify something: if your mailboxes actually are in Exchange Online and you are using a third-party solution for email filtering, you are still passing your mail flow through EOP. Even if you configure rules to set SCL to -1 when the source is your own solution, that configuration bypasses filtering but does not bypass EOP. EOP is the front end, and it is the only way your messages can reach your mailboxes in Exchange Online.


The Features


There are two technical configuration features, with their corresponding options, and one reporting feature, so I will address the three of them individually as follows: Safe Links, Safe Attachments and Reporting.


Safe Links: In addition to EOP content scanning for malicious links, ATP Safe Links adds a layer of security by providing protection at the time users actually click on a link within a message. If a user elects to open the message in a browser version (pretty common today, since HTML emails normally display that option), the same level of protection is preserved. The mechanism starts with a URL re-write that points the link to Office 365 first. Once the link is opened, two important actions take place: the destination URL is compared to the original URL, looking for unsafe or malicious redirections, and the content of the destination web page is scanned for malicious content. If everything checks out, the final destination is displayed with the corresponding original URL; otherwise, the user is presented with a page stating that the site they are trying to access is not safe. Within the configuration of Safe Links there is an option to allow the user to still proceed to the site (click through); otherwise, that’s where they stop. Safe Links looks for the “href” attribute in HTML code, and if the email is in plain text format, Safe Links identifies text strings that resemble a URL.


Safe Attachments: In addition to EOP content scanning for viruses and malware in attached files, ATP Safe Attachments opens every unknown supported file attachment in a hypervisor environment (I like to call it a “detonation chamber”) with the intention of detecting malicious content. We said zero-day, right? Well, that is a big deal when it comes to malware and viruses. Think about this: if the malware is known, EOP will already catch it using its malware engines, but if there is no signature match, that is when we consider it potential zero-day malware. This hypervisor is designed to analyze attachments when no anti-virus or anti-malware signature is available; it is based on machine learning that uses behavioral malware analysis to evaluate the content for suspicious activity. When the content is found to be safe it is released to the recipient. Otherwise we have the typical options to strip the malicious content and deliver the message, or to drop the entire message, including the option of sending a redirect copy to a specific mailbox for administrator access.


Reporting: The results of the reporting allow you to identify who was targeted and how it happened. There is a URL Trace option in the Mail Flow blade to look at the general picture or filter by specific users and URLs. Information gathered from actions taken by your policies is available via reporting, and some more detailed information is also included in Message Trace when looking at malware events. The configuration of Safe Attachments also allows for sending a copy of malicious messages to a mailbox of your choice so that you can dig further into the message if desired. The ATP configurations for Safe Attachments and Safe Links have a reporting icon that opens a report showing you the results of your policy.



Hands On


Let’s use some (malicious…) examples to see how ATP processes the messages. I am looking for some logging, actual SMTP processing and end user results.


For a Safe Links example (I will not use a real malicious URL here, but I will show the malicious intent and results), I will send a common phishing message where the user receives a link to go to a website to enter personal information. We expect the URL in the link to be re-written, and the user to be stopped after clicking on it.


Here is the real bad link I am sending; note that the link text and the URL don’t match:

Link before ATP


This is how the link looks in the message received by the user. In these types of scams users are presented with a website that looks pretty legit and are asked for all sorts of personal and bank information. Of course there will be no SSL certificates in most cases, and the URL will definitely be foreign to the company intranet or domain name, but the user doesn’t really know any of that.

ATP URL Re-write


The user will most likely just click on it without checking any of the details, so when the link is clicked, the destination will be tagged with the original URL plus some user and correlation ID information. I made up the URLs (didn’t want to incite bad ideas with real stuff anyone can hit online…) but let’s pretend the website really checked out as malicious; then the user will see the following:

Blocked Website


Note: the option to continue to the website can be easily removed, I left it there just to show it.


From the logging perspective, in the “Mail Flow” blade in the Exchange Admin Center, under “URL Trace” I can search for all or specific URLs for a user (pretty similar to message trace), and see the log for the URL in question, being blocked and not clicked through. I did not find an event for the URL re-write in the original message trace results, or a specific entry in the Message Headers besides the Correlation ID for the Filtering Service.


URL Trace
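As an added example (not part of the original post, and not Microsoft’s code), the following Python code runs the “link text and URL don’t match” check from this walkthrough over an HTML body, unwrapping a Safe Links rewrite first so the comparison is made against the original destination. The wrapper host suffix and the `url` query parameter are assumptions about the rewrite format, which the post does not show; the sample body and its domains are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: wrappers sit under this host suffix with the original in "url=".
WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"

def unwrap(url):
    """Return the original destination of a Safe Links wrapper, else url."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower().endswith(WRAPPER_SUFFIX):
        return parse_qs(parts.query).get("url", [url])[0]  # percent-decoded
    return url

def host_of(text):
    """Lowercased host of an absolute URL, or None if text is not one."""
    return (urlsplit(text.strip()).hostname or "").lower() or None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def mismatched_links(html):
    """(shown host, real host) for links whose text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    pairs = [(host_of(t), host_of(unwrap(h))) for h, t in collector.links]
    return [(s, r) for s, r in pairs if s and r and s != r]

# Constructed sample body: one wrapped deceptive link, one honest link.
SAMPLE = (
    '<a href="https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2F'
    'login.example.net%2Fverify&amp;reserved=0">https://portal.example.com/</a> '
    '<a href="https://portal.example.com/help">https://portal.example.com/help</a>'
)

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```

Links whose visible text is not an absolute URL (for example “Click here”) are skipped, since there is no displayed host to compare against.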


For a Safe Attachments example I will (carefully…) use real malicious content. I’ll pick a fun scenario that used to be really frequent in the early days of malware. Here it is: someone sends an email with an attachment claiming to contain those “unbelievable pictures from the weekend BBQ party where everyone got drunk and ended up in a fist fight”. The user never attended and doesn’t even know the sender, but who cares, the attention has been attained! Can’t resist checking it out…


The message actually contains a Zip file that looks password protected, and within it, there are a couple of executables that don’t even look like applications, but they will trigger some really bad stuff if executed. At this point, EOP will not be able to tell what’s in there (not even the sending system could), signature or not, it must be first unpacked and detonated by ATP. Here we go…


This is the email with attachment I am about to send:

Sending a bad Zip file


I sent it and immediately jumped into message trace, found the message with a pending status, it looks like this:

ATP In Progress 1


Within 4 seconds, the message is sent to ATP for analysis. I can see a Defer event with a 4.7.721 code and a more readable “ATP scanning in progress” message. After a few refreshes, the message flow completed and the trace turned into this:

ATP Processed 2

So at this point I can see the completed message trace with actions. The highlighted event is the one showing the results of the analysis with some details. Important to note, the message took about 6 and a half minutes to get to the final destination. This is expected, probably not desired, but clearly stated in the Safe Attachment configuration in ATP as well as in Microsoft documentation; I couldn’t tell how long that delay will be in peak hours.


Look at the top message. That one wasn’t there while the scanning was in progress, but was stamped as an event when it finished, and it shows the action I actually have in my Safe Attachments configuration, which is “Monitor and Redirect”. The verdict is “Infected”; it looks like this:

ATP Processed 3


Right after the message trace completed, I got an email in the specified Administrator mailbox telling me there was a Malware event, with information about the message, including the original message attached.

Admin Notification

In a similar test, where the Safe Attachments policy is configured to “Replace: Block the Attachment and Deliver the Message”, the attachment was removed from the message and replaced with a text file, as expected. As an interesting finding, the email did not get direct delivery to the mailbox but was actually quarantined and had to be released for mailbox delivery; probably my EOP Malware policy was triggered and took action. Once delivered, I could then see the attachment below.

Attachment Replaced



Although my setting is “Replace Attachment and Deliver Message”, the corresponding Message Trace event for this message shows the action taken was “Replaced and Redirected” as shown.


Replace and Deliver





Lastly, from the configuration of your Safe Links or Safe Attachments you can access reporting. The reports show some of the file types and URLs that action was taken against, and you can also click on a point in time in the graph and see the related message with sender and recipient. Here is a sample of the graph:



ATP is an included service in the E5 license subscription. It can also be purchased as an add-on license by itself to pair with your EOP license or other subscription types.


Best regards!


For additional information on ATP, contact us today at 305-374-8788.
