Office365 Advanced Threat Protection

Microsoft Office 365 is the most widely used email platform across small businesses, large enterprises and government alike. By most metrics, 83-87% of cyber threats use email as the primary delivery method.

It is obvious that your cybersecurity initiatives should include email protection alongside the traditional protection of your machines and your network. That is why we have taken up this series of blog posts to discuss the security features that Microsoft has made available.

With people working from home, email security has become even more important.

Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that secures your organization against unknown malware, viruses and phishing attacks by providing robust zero-day protection, and it incorporates features that protect your organization from malicious links and malicious attachments in real time. Office 365 ATP has rich reporting and URL trace capabilities that enable administrators to investigate threats.

ATP Safe Attachments:

Provides zero-day protection to safeguard your email messaging system by checking email attachments for malicious content. It routes all messages and attachments that do not match a known virus or malware signature to a virtual environment (sandbox), and then uses machine learning and analysis techniques to identify malicious intent.

Microsoft quickly spins up a virtual instance and executes the content in a controlled and monitored environment, watching for suspicious or malicious code. If no suspicious or malicious activity is found, the email message is delivered to the mailbox. If the attachment has the potential to contain suspicious or malicious code, the message is blocked from delivery and quarantined. Security/IT administrators can then examine it further and release it to the users if appropriate.

Additionally, when a file with malicious content is uploaded to SharePoint or OneDrive, ATP automatically scans the folder and marks the file(s) as unsafe, with a small red shield next to it.

If the user ignores the marker or accidentally opens such a file, the warning message shown below pops up and does not allow the user to proceed.
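The Safe Attachments behaviour described above is configured and reviewed from Exchange Online PowerShell. The following is an added example (not code from the original post or from Microsoft) that creates a blocking policy, scopes it to recipients with a rule, and lists the resulting malware quarantine; it assumes the ExchangeOnlineManagement module, the placeholder domain and mailbox `contoso.example` / `secops-quarantine@contoso.example`, and invented policy and rule names.

```powershell
# Added example: Safe Attachments policy + rule + quarantine review.
# Assumptions: ExchangeOnlineManagement module installed, an admin account,
# placeholder domain "contoso.example"; policy/rule names are made up.
Connect-ExchangeOnline

# Policy. Action Block holds the whole message when the sandbox verdict is malicious.
# ActionOnError $true applies the same block if detonation times out or fails,
# so an unscanned attachment is never delivered (fail closed).
# Redirect sends a copy of blocked messages to a security mailbox for analysis.
New-SafeAttachmentPolicy -Name "SafeAttach-Block" `
    -Action Block `
    -ActionOnError $true `
    -Redirect $true `
    -RedirectAddress "secops-quarantine@contoso.example"

# Rule. A policy applies to nobody until a rule binds it to recipients.
New-SafeAttachmentRule -Name "SafeAttach-Block-AllUsers" `
    -SafeAttachmentPolicy "SafeAttach-Block" `
    -RecipientDomainIs "contoso.example" `
    -Priority 0

# Verify what is actually in force: the Action, fail-closed setting and rule state.
Get-SafeAttachmentPolicy -Identity "SafeAttach-Block" |
    Format-List Name, Action, ActionOnError, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity "SafeAttach-Block-AllUsers" |
    Format-List Name, State, RecipientDomainIs, Priority

# Review what the sandbox quarantined as malware in the last seven days.
$since = (Get-Date).AddDays(-7)
$held  = Get-QuarantineMessage -QuarantineTypes Malware -StartReceivedDate $since
$held | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Identity

# Release a single message only after an analyst has examined it.
# (Uncomment and pass the Identity value taken from the list above.)
# Release-QuarantineMessage -Identity $held[0].Identity -ReleaseToAll
```

Newer tenants expose quarantine handling through `-QuarantineTag` instead of `-Redirect`/`-RedirectAddress`; check `Get-Help New-SafeAttachmentPolicy` in your tenant before running.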

ATP Safe Links:

Provides time-of-click verification of URLs, for instance in email messages and Office documents. Protection is continuous and applies across your email messaging and Office environment whenever users open a link.

URLs are scanned on each click, and safe links remain accessible. If the link/URL is on the block list, users see a message that access has been blocked.
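To put the time-of-click verification above in force and see what it has been doing, a Safe Links policy is created and bound with a rule, and the URL trace report is queried. This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, the placeholder domain `contoso.example`, and invented policy and rule names.

```powershell
# Added example: Safe Links policy + rule + URL trace.
# Assumptions: Connect-ExchangeOnline already run as an admin;
# domain "contoso.example" and the policy/rule names are placeholders.

# Policy. ScanUrls + DeliverMessageAfterScan: links are detonated before delivery
# rather than only rewritten. EnableForInternalSenders: internal mail is not
# trusted implicitly (a compromised internal mailbox is a common phishing source).
# TrackClicks: keeps the click record that Get-UrlTrace reports on.
# AllowClickThrough $false: users cannot bypass the block page.
New-SafeLinksPolicy -Name "SafeLinks-Strict" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

# Rule. Binds the policy to every recipient in the domain.
New-SafeLinksRule -Name "SafeLinks-Strict-AllUsers" `
    -SafeLinksPolicy "SafeLinks-Strict" `
    -RecipientDomainIs "contoso.example" `
    -Priority 0

# Verify the settings that matter most for protection.
Get-SafeLinksPolicy -Identity "SafeLinks-Strict" |
    Format-List Name, ScanUrls, DeliverMessageAfterScan, EnableForInternalSenders, TrackClicks, AllowClickThrough

# URL trace: which rewritten links were clicked and what Safe Links did, last 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)
Get-UrlTrace -StartDate $start -EndDate $end | Format-List
```

Older tenants use the earlier parameter names (`-IsEnabled`, `-DoNotTrackUserClicks`, `-DoNotAllowClickThrough`); `Get-Help New-SafeLinksPolicy` shows which set your tenant accepts.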

ATP for SharePoint, OneDrive and Microsoft Teams:

Helps identify and block malicious files from entering your document libraries or team sites. The protection is intended to prevent anyone from accessing or opening a file once it has been identified as malicious. Even though it will still show in your site, the blocked file cannot be opened, moved, copied, or shared (however, you can delete it). These blocked files are also added to the quarantined item list, so your security team members can download, release, report, or delete them from the system.
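Protection for SharePoint, OneDrive and Teams is a tenant-wide switch rather than a per-recipient policy, and by default a blocked file can still be downloaded. The following is an added example (not code from the original post or from Microsoft) that turns the scanning on, closes the download gap, and lists files held in the SharePoint quarantine; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and the placeholder tenant `contoso`.

```powershell
# Added example: enable ATP for SharePoint/OneDrive/Teams and review its quarantine.
# Assumptions: ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# modules installed; "contoso" is a placeholder tenant name.
Connect-ExchangeOnline

# Tenant-wide switch that makes Safe Attachments scan files in SPO, ODB and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

# By default a file marked malicious can still be downloaded; close that gap
# at the SharePoint tenant level so the block applies to download as well as open.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -DisallowInfectedFileDownload $true
Get-SPOTenant | Format-List DisallowInfectedFileDownload

# Files the scan flagged in SharePoint/OneDrive/Teams land in the SPOMalware
# quarantine type. List them for the security team to review.
$since = (Get-Date).AddDays(-30)
Get-QuarantineMessage -QuarantineTypes SPOMalware -StartReceivedDate $since |
    Select-Object ReceivedTime, SenderAddress, Subject, Identity
```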

ATP anti-phishing protection:

Helps protect your organization from phishing attacks. Machine learning models and advanced impersonation detection algorithms are used to identify those attempts.

Using these anti-phishing capabilities, the security team can configure Office 365 ATP's Anti-Phishing policies to check incoming messages for any signs of phishing attempts.

When users are covered by ATP policies (Safe Attachments, Safe Links, or Anti-Phishing), incoming messages are evaluated and analyzed in multiple layers by machine learning models, and the appropriate action is taken based on the policies configured.

Anti-Phishing policies can be set for specific groups of people based on their role, their interaction with outside parties, and other factors.
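The role-based scoping and impersonation detection described above map to an anti-phish policy plus a rule that targets a group. The following is an added example (not code from the original post or from Microsoft) for a policy protecting an executive team; it assumes the ExchangeOnlineManagement module, the placeholder domain `contoso.example`, an invented protected user `Jane Doe`, a partner domain `partner.example`, and a distribution group `exec-team@contoso.example`.

```powershell
# Added example: anti-phish policy with impersonation protection, scoped to a group.
# Assumptions: Connect-ExchangeOnline already run as an admin; every name,
# address and domain below is a placeholder.

# Policy. Targeted user/domain protection catches display-name and look-alike
# domain impersonation of the people and partners most worth impersonating.
# Mailbox intelligence learns each user's normal correspondents and flags
# senders that impersonate them. PhishThresholdLevel 2 = "Aggressive".
New-AntiPhishPolicy -Name "AntiPhish-Execs" `
    -Enabled $true `
    -PhishThresholdLevel 2 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Doe;jane.doe@contoso.example" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "partner.example" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Rule. Priority 0 so this stricter policy wins over broader ones for the group.
New-AntiPhishRule -Name "AntiPhish-Execs-Rule" `
    -AntiPhishPolicy "AntiPhish-Execs" `
    -SentToMemberOf "exec-team@contoso.example" `
    -Priority 0

# Verify the impersonation settings and the scope actually applied.
Get-AntiPhishPolicy -Identity "AntiPhish-Execs" |
    Format-List Name, PhishThresholdLevel, TargetedUsersToProtect, TargetedUserProtectionAction,
                TargetedDomainsToProtect, MailboxIntelligenceProtectionAction
Get-AntiPhishRule -Identity "AntiPhish-Execs-Rule" | Format-List Name, State, SentToMemberOf, Priority

# Messages the policy quarantined as phishing, for the security team to review.
Get-QuarantineMessage -QuarantineTypes Phish -StartReceivedDate (Get-Date).AddDays(-7) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject
```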

Microsoft references:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide

https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#:~:text=Microsoft%20Office%20365%20Advanced%20Threat,harmful%20links%20in%20real%20time.

Microsoft currently employs 2,400+ security professionals who fine-tune the algorithms and enhance the machine learning programs to proactively protect the data within Office 365 and Azure.


Author: Nagendra Matharasi

Senior Security Analyst

Nagendra Matharasi is a Senior Security Analyst with certifications in threat hunting. He has a passion for and experience in protecting endpoints, networks, email and cloud applications.

Ascent InfoSec, the cybersecurity focus of Ascent Innovations LLC

  • Microsoft Partner for providing Cloud Solutions
  • Top 100 Managed Security Services Provider
  • Inc 5000 fastest growing companies in US