Take a look at Office 365 Advanced Threat Protection. Get an overview of Advanced Threat Protection, and learn about licensing, adding on to an existing Office 365 tenant, Office 365 Security & Compliance Center, and buying/editing an add-on for Office 365 Business.
- [Instructor] We have reviewed the Office 365 protection against malware, spam, and phishing, but tactics have become more sophisticated and advanced protection is now a necessity. This is where Advanced Threat Protection, or ATP, within Office 365 comes in. ATP provides a series of advanced security features to protect emails, attachments, URL links, and files stored in SharePoint Online, OneDrive for Business, and Microsoft Teams. Office 365 Advanced Threat Protection is included in Office 365 Enterprise E5, Office 365 Education A5, and Microsoft 365 Enterprise E5 subscriptions.
However, if you currently have another Microsoft subscription, for example, an Enterprise E1 or E3 subscription, or an Exchange Online Plan 1, then you should be able to buy ATP as a separate add-on. This can be done via your Office 365 admin center in the billing and subscriptions area. It's best practice to turn on audit logging, especially when using Office 365 Advanced Threat Protection. The Office 365 audit log keeps a record of all user and admin activity for your organization.
This is recorded in the audit log and retained for 90 days. Once turned on, any global administrator within Office 365 or a user with the Audit Logs role in Exchange Online can access and search the Office 365 logs. You may notice that some of the Microsoft Exchange or Exchange Online mail features are used within Office 365. This is because they are. Office 365 is a suite of online applications. The bulk of the email functionality is provided by Exchange Online.
Office 365 then builds additional functionality such as message filtering, checks on suspicious behavior, and authentication checks using SPF, DKIM, and DMARC. The main features offered by ATP for Office 365 will protect against phishing attacks, ensure that email attachments are safe, and ensure that links displayed in emails are safe. Administrators must set up policies for ATP to use, such as anti-phishing policies.
Once the policies have been curated, ATP will then use them to scan emails. Behind the scenes, machine learning is used to identify patterns and refine the threat confidence levels for your tenant. When configuring ATP, you will define which users and domains will be protected by these policies. Phishing emails are growing in complexity, and it can be difficult for users to identify sophisticated attacks. When an email is received, the ATP engine will scan the email through a set of machine-learned models trying to detect phishing scams.
This will flag up if there are any indicators that the email is a phishing attack. In addition, ATP anti-phishing will learn how users communicate using email. The mailbox intelligence engine knows when a message contains your users' typical email signature style and can identify malicious impersonation-based phishing attacks. The Safe Attachments feature of ATP provides zero-day protection against malware and viruses. Whenever a new virus is released and first detected anywhere in the world, you are immediately protected.
All received emails are checked and scanned, and if malicious email attachments are detected, they will be blocked before they get delivered. Additionally, suspicious emails are rerouted to a sandbox environment, are subjected to real-time behavioral analysis, and detonated to check for suspicious content. A common attack vector is to use scripts or embedded macro code in documents that then try to make changes to your system, for example, to write to the registry or other system components.
The ATP Safe Attachments feature uses machine learning techniques to continually learn and update its knowledge about these threats and risks. If the email attachment is determined to contain a risk, it will not be delivered. In the settings, you can control whether the email body without the malicious attachment should be delivered and whether an administrator should be informed. Emails often contain links to websites. Both internal and external emails are scanned by the Office 365 ATP Safe Links feature to check that these links are safe.
The Safe Links feature works by first checking the URL against a safe or blocked list, and if the URL is unknown, then the URL is redirected through a Microsoft proxy server which then checks the link destination for malicious content. Since 2018, Microsoft has added checking for URLs in Office 365 ProPlus and Office Online documents on Windows, iOS, and Android devices. In this way, any malicious links are assessed in real time and can be dynamically blocked before they can cause harm.
If a malicious site link is detected, then the user is shown a warning page and the URL is added to the blocked list. Administrators can review reports of malicious links that have been blocked for the last seven days. Now that you've seen the details of each component, let's review the big picture of how these three functions of Office 365 work together. When an email is received, Office 365 scans and filters the email. It then checks for phishing attacks and viruses.
If the email is deemed safe, it's sent to the recipient. If the email has an attachment, then the attachment is checked and sent to the detonation chamber if it looks suspicious. If it's unsafe, then the attachment is deleted, whereas if it is safe, then it is delivered to the recipient. And finally, if an email includes an unknown URL, then the link is sent via a proxy server to be checked before the user can access the link. We've discussed the technical features of what Office 365 ATP can offer.
As you can see, there's a lot of activity carried out behind the scenes. On a day-to-day basis, you can review the activity using the Office 365 Security & Compliance Center. This web-based portal is for your global administrators and security administrators to review and manage the ATP settings and to configure policies. ATP continually collects data and logs activity in real time, which can be helpful for administrators to gain insights concerning the threats their organization is facing.
These reports are also available in the Security & Compliance Center. The reports are delivered in real time and include the threat protection status, spoof email and malware detections, and email reports which include details of the top email senders and receivers, top malware, and spam detected. And for each report you can drill down into the activity and request that the report be emailed to you covering a defined time period.
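As an added example that is not part of the course transcript, the Exchange Online PowerShell commands that put the instructor's recommendations into practice: audit logging turned on first, then an anti-phishing policy with mailbox intelligence, a Safe Attachments policy that delivers the body without the attachment and notifies an admin, and a Safe Links policy that routes unknown URLs through the proxy and blocks click-through on the warning page. It assumes the ExchangeOnlineManagement module and an account holding the Security Administrator role; contoso.com and secops@contoso.com are placeholders.

```powershell
# Added example, not the course's own material. Assumes the ExchangeOnlineManagement
# module; contoso.com / secops@contoso.com are placeholder values.
Connect-ExchangeOnline

# 1. Audit logging: enable unified audit log ingestion and confirm the setting took.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 2. Anti-phishing: mailbox intelligence learns normal sender patterns and
#    quarantines impersonation attempts against protected users and your domains.
New-AntiPhishPolicy -Name "Contoso-AntiPhish" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Doe;jane.doe@contoso.com" `
    -TargetedUserProtectionAction Quarantine
New-AntiPhishRule -Name "Contoso-AntiPhish-Rule" `
    -AntiPhishPolicy "Contoso-AntiPhish" -RecipientDomainIs contoso.com

# 3. Safe Attachments: Replace delivers the message body with the malicious
#    attachment stripped; Redirect sends a copy of the blocked file to an admin.
New-SafeAttachmentPolicy -Name "Contoso-SafeAttachments" -Enable $true `
    -Action Replace -Redirect $true -RedirectAddress secops@contoso.com
New-SafeAttachmentRule -Name "Contoso-SafeAttachments-Rule" `
    -SafeAttachmentPolicy "Contoso-SafeAttachments" -RecipientDomainIs contoso.com

# 4. Safe Links: rewrite and scan URLs for internal and external mail, hold
#    delivery until the scan completes, and keep users on the warning page.
New-SafeLinksPolicy -Name "Contoso-SafeLinks" -IsEnabled $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -DoNotAllowClickThrough $true -TrackClicks $true -EnableForInternalSenders $true
New-SafeLinksRule -Name "Contoso-SafeLinks-Rule" `
    -SafeLinksPolicy "Contoso-SafeLinks" -RecipientDomainIs contoso.com

# 5. Verify the policy changes themselves landed in the audit log (last 7 days).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations
```

Audit log ingestion can take some time after being enabled before Search-UnifiedAuditLog returns results, so run step 5 after the policies have been in place for a while.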
- Implementing Office 365 ATP
- Common Office 365 threats
- Configuring security admin roles
- Creating Safe Attachments policies
- Anti-spam options and settings
- Managing advanced spoofing filters
- Using Office 365 threat intelligence features
- Using the Attack Simulator
- Leveraging ATP reports