Stillwater Cyber Compliance

Features of Office 365 Advanced Threat Protection

Today’s cybersecurity landscape is shifting toward remote work, and threats change daily. It’s important to know what tools are available to protect your organization.

“In recent months, organizations have been forced to change their collaboration methods to support a full ‘work from home’ workforce,” officials wrote. “While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.”

Microsoft 365 cloud platform provides special protection solutions within the Microsoft 365 suite that can be used to protect your data against threats. In this blog post, we will look at this solution from Microsoft known as Office 365 Advanced Threat Protection.

What Is Advanced Threat Protection?

Office 365 Advanced Threat Protection is a cloud-based filtering service that protects your company against viruses and other malware, including zero-day attacks (attacks performed with malware that exploits newly found vulnerabilities that have not yet been fixed by patches or updates). Microsoft Office 365 Advanced Threat Protection can protect Exchange Online and other Microsoft 365 services in your organization against the newest viruses and unidentified complex threats that have not been studied yet and cannot be recognized by the latest virus signature databases of most antivirus products.


Recent insights from the National Security Agency and Microsoft shed light on techniques hackers are using to take advantage of the remote workforce and vulnerabilities. Office 365 Advanced Threat Protection contains many useful features to protect your data when using Office 365 services. Advanced Threat Protection leverages the NSA recommendations to help organizations ensure their new cloud configurations are protected, along with detection and response mitigations in the event the Office 365 platform is attacked.


Policies determine the protection level and the reaction to predefined threats, and they can be set at different levels. Policies provide flexible options that a system administrator who manages Microsoft 365 can configure. As a system administrator, you can set who is affected by policies and how strict these policies are.

Safe attachments

Safe attachments are used to ensure that files attached to email messages are not malicious. Zero-day protection is provided to safeguard your email messaging system. Before a message is delivered to a user’s mailbox, the message is routed to a special environment, where attachment files are checked by using virus signatures, machine learning and advanced analysis techniques to detect viruses.

If there are no viruses detected in the email attachment, the email message is forwarded to your mailbox.

You can apply Safe Attachment policies to a specific person on your team, or your organization as a whole.

Safe Links

Safe Links use a working principle similar to safe attachments. This feature provides time-of-click verification of website addresses in both email messages and Office documents. If Microsoft 365 ATP detects that a link is not safe, a warning message is displayed (just like for downloadable files). You can configure the feature to redirect users to a warning page if a user tries to click a link detected as malicious. The system dynamically blocks malicious links. The Safe Links feature was updated and now doesn’t substitute an original link with a modified link to a web page in the Microsoft cloud.

ATP for SharePoint and OneDrive

ATP for SharePoint protects users who collaborate by using SharePoint Online sites and shared files inside your organization by detecting and blocking suspicious files in document libraries and team sites, including files stored on OneDrive. The identified malicious content is blocked. Users cannot open, copy, move, edit or share a blocked file that is classified as malicious. These files will be included in a list of quarantined items, so members of your security team can download, release, and report or delete them from the system.

Anti-phishing protection

The anti-phishing policy is a self-learning system with complex algorithms used to detect phishing attacks automatically and quickly. Mailbox intelligence analyzes the email and communication habits of users and aggregates the learned data to help detect phishing attempts in the future. These complex measures make any scamming attacks difficult to accomplish successfully.

These Anti-Phishing policies can be set for a specific group of people in your organization, or to an entire domain, or to every domain you own.
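The policy scoping described above for Safe Attachments (one person or the whole organization) and for anti-phishing (a group or every domain you own), sketched in Exchange Online PowerShell. This is an added example, not part of the original post; the policy and rule names, the contoso.com addresses and the admin account are placeholders, and it assumes the ExchangeOnlineManagement module and a tenant licensed for these features.

```powershell
# Added example: all names and addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Every domain the tenant owns, used for the organization-wide scopes.
$allDomains = (Get-AcceptedDomain).DomainName

# Safe Attachments, strict policy for a single person.
New-SafeAttachmentPolicy -Name 'SA-Strict' -Enable $true -Action Block
$strictRule = @{
    Name                 = 'SA-Strict-CFO'
    SafeAttachmentPolicy = 'SA-Strict'
    SentTo               = 'cfo@contoso.com'
    Priority             = 0          # evaluated first
}
New-SafeAttachmentRule @strictRule

# Safe Attachments, baseline policy for the organization as a whole.
New-SafeAttachmentPolicy -Name 'SA-Org' -Enable $true -Action DynamicDelivery
$orgRule = @{
    Name                 = 'SA-Org-All'
    SafeAttachmentPolicy = 'SA-Org'
    RecipientDomainIs    = $allDomains
    Priority             = 1          # applies to anyone not matched above
}
New-SafeAttachmentRule @orgRule

# Anti-phishing, scoped to one group of people.
New-AntiPhishPolicy -Name 'AP-Finance' -EnableMailboxIntelligence $true -EnableSpoofIntelligence $true
New-AntiPhishRule -Name 'AP-Finance-Group' -AntiPhishPolicy 'AP-Finance' -SentToMemberOf 'finance@contoso.com' -Priority 0

# Anti-phishing, scoped to every domain you own.
New-AntiPhishPolicy -Name 'AP-Org' -EnableMailboxIntelligence $true -EnableSpoofIntelligence $true
New-AntiPhishRule -Name 'AP-Org-All' -AntiPhishPolicy 'AP-Org' -RecipientDomainIs $allDomains -Priority 1

# Review the resulting scopes and evaluation order.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Name, SafeAttachmentPolicy, Priority, State, SentTo, RecipientDomainIs
Get-AntiPhishRule | Sort-Object Priority |
    Format-Table Name, AntiPhishPolicy, Priority, State, SentToMemberOf, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

A recipient matched by more than one rule receives only the policy of the rule with the lowest priority number, so the narrow rules are placed ahead of the organization-wide ones.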


Unwanted and potentially dangerous files can be moved to quarantine. The quarantined data can be manually restored or deleted by a system administrator. Data in the quarantine is deleted after the configured retention period expires. You may be familiar with the working principle of quarantine if you have used Microsoft 365 Exchange Online Protection.

Spoof Intelligence

Hackers can send emails on behalf of one or more accounts by substituting a sender name. If a user receives such a “spoofed” email, it may appear safe if the sender uses a manager’s name in the sender field. Office 365 ATP includes the Spoof Intelligence feature that can detect whether a sender is using a real name or a spoofed name. The administrator of your company can see the full list of users who use a certain company domain and review who is spoofing your domain or any external domains. Administrators can block a sender who uses a domain name or user name to pretend to be an employee in your company.


Office 365 Advanced Threat Protection provides informative reports so you can see the protection status and analyze incoming threats. A report is a single view that combines information about detected threats including malicious email and other malicious content. Threats detected by Office 365 Advanced Threat Protection and Exchange Online Protection are shown in reports. Information for the previous 90 days (the maximum period that can be configured) is displayed in the reports. After analyzing the reports, administrators can make adjustments to the policies.


Unlike Exchange Online Protection, which is available by default for Microsoft 365 users, Advanced Threat Protection is available only in top subscription plans or can be bought separately.

Users often ask: “Does Microsoft 365 E3 include advanced threat protection?”

Unfortunately, it doesn’t. Microsoft Office 365 Advanced Threat Protection is included in the following subscription plans:

• Microsoft 365 A5
• Microsoft 365 E5
• Microsoft 365 Business Premium

However, you can buy the Office 365 Advanced Threat Protection license on top of the following subscription plans:

• Exchange Online Plan 1
• Exchange Online Plan 2
• Exchange Online Kiosk
• Exchange Online Protection
• Microsoft 365 Business Basic
• Microsoft 365 Business Standard
• Microsoft 365 Enterprise E1
• Microsoft 365 Enterprise E3
• Microsoft 365 Enterprise F3
• Microsoft 365 A1
• Microsoft 365 A3

If Office 365 Advanced Threat Protection is not included in your subscription plan, you can pay for one of the standalone ATP subscription plans using a per-user licensing model:

• Advanced Threat Protection Plan 1
• Advanced Threat Protection Plan 2

Let Office 365 ATP Help You!

So, the question is, do you want real-time protection against sophisticated attacks? Protection from unsafe attachments? Visibility into who might be targeting your organization and what kinds of attacks you might be facing? The ability to block links that are harmful to your users? Or determine what a phishing message is and be able to handle it before it becomes a problem?

All of these issues can be addressed by implementing Office 365 Advanced Threat Protection in your organization.