Configuring Office 365 Advanced Threat Protection

2017 saw massive growth in malicious attacks against computer systems, and 2018 will almost certainly prove to be even worse. E-mail attacks, such as Phishing, continue to be among the top methods of attack launched against businesses. No longer is a standard SPAM filter sufficient protection against the types and amount of attempts that will be made against your users. To combat this, most SPAM providers have rolled out products guarding against advanced e-mail threats. Microsoft is no different, offering a product called Office 365 Advanced Threat Protection to assist your organization in defending against…well, advanced threats!

O365 ATP utilizes 3 separate Anti-Virus engines to scan e-mail attachments and documents stored in SharePoint, Microsoft Teams, and OneDrive to locate and eradicate any malicious content. Additionally, ATP scans URLs, or internet links, contained in e-mails to ensure they are safe. However, it is not enough to simply purchase the licenses, as the product does require some configuration. Let’s see what that looks like and also discuss some “forks in the road” where you will need to make decisions for your organization on how to handle threats.

 

Licensing

ATP is licensed based on a per-user basis, and retail cost is $2.00 per user/month. You can obtain licenses in the usual method that you obtain Office 365 licensing, whether that be through your Cloud Solution Provider or directly in the O365 Admin portal. ATP is included with Office 365 E5 suite, but is available as an add-on to any other 365 suite or Exchange Online plan. Once the licenses are activated in your organization, the proper administrative portals and tools will also become active.

 

Configuring Safe Attachment Policies

To begin configuring ATP, log into the Office 365 admin portal and browse to the Exchange Admin Center, or log into the EAC directly.

Once inside the EAC, browse to the Advanced Threats page on the left-hand menu. This presents us with the Safe Attachments and Safe Links configuration pages.

Safe Attachments won’t work without a policy, so we must create one. Click the + sign in the center pane, to load the new policy window.

Some of the settings (Name, Description) are self explanatory, but let’s go over the settings that require a decision or further thought.

Malware Response – Choose how ATP should respond to detected Malware threats.

  • Off – Will not scan attachments, this is akin to simply not configuring ATP to begin with.
  • Monitor – Delivers the message whether or not it contains malware, but logs the results which can be viewed in a report. This option might be good to run for a limited time period to get an idea of the reporting and what types of items are coming through your ATP scanner.
  • Block – Strips the malware from the email and does not deliver the email. This is the most common setting to use.
  • Replace – Strips the malware from the e-mail but still delivers the message. This can be an effective rule so that users know they received an email, despite the attachment being blocked. However, use caution with this setting, as users should generally be shielded from the entirety of a malicious message.
  • Dynamic Delivery –  Delivers all emails immediately, but detains the attachments for scanning through the AV engines. May cause confusion with users who were expecting attachments. Users will receive the attachments later, so long as they pass the 3 AV scans.

Enable Redirect – Forwards e-mails that are blocked to a separate mailbox, so they can later be retrieved (if they are false positives, or dropped due to errors during the scan), or samples of malicious code can be obtained and forwarded to Microsoft or other 3rd party security agencies. When using this rule, create a Shared Mailbox to catch the redirected e-mails. Assign permission to that mailbox only when needed, and be careful to browse that mailbox with caution using an account with non-elevated permissions.

Apply the above selection if malware scanning for attachments times out or errors – This setting determines what action to take on attachments where the AV scans did not have time to complete or errors out. It’s a good idea to use this setting in conjunction with the Enable Redirect option, as there may be legitimate e-mails that get dropped and need to be recovered.

Applied To – Specifies the users, groups, domains, etc that the rule should apply to. If covering all users with ATP, select all domains that are assigned to users. Be sure to use the Exception field for any mailboxes that may be problematic when combined with ATP, such as ticketing systems or other automated systems. It would be a good idea to test such mailboxes with ATP activated and only turn it off if an incompatibility presents itself.

Once finished with your selections, Save the policy. ATP Safe Attachments is now enabled.

 

Configuring Safe Link Policies

At the top of the original page, click on Safe Links to bring up it’s configuration page. You’ll notice there are policies for the entire organization, as well as separate policies for users.

The default organization wide policy is provided for you, but we must create a user policy, as well. First, let’s double check the settings in the Default organization policy.

Block the following URLs – This section acts as a manual blacklist for links of your choosing that will apply company wide. This setting is useful if you are aware of a malicious site or just an unwanted site that is routinely sent to your users.

Settings that apply to content except email – ATP Safe Links can also be used in Office ProPlus, Office for iOS and Office for Android. The check box allows you to toggle this functionality on or off, as you see fit. If possible, it’s a good idea to utilize this feature. A document attached to an e-mail may pass the AV scanner, as it contains no malicious code, but could still contain a link to a malicious site.

Do not track when users click safe links – All URL clicks are tracked once ATP Safe Links is fully activated, but if you don’t want known good links clogging up your reporting, you can opt to disable their record keeping.

Do not let users click through safe links to original URL – When the user clicks a link and receives the blocked link page, by default they will be able to proceed through to the link anyway. I would advise turning this setting on. It is easy for users to get in a hurry and click links or buttons just to get through, and they may unintentionally proceed to a malicious site.

 

Once finished, save the default organization policy and move down to the Safe Links user policy section, and create a new policy.

Select the action for unknown potentially malicious URLs in messages – Enables the Safe Link URL scanning functionality. URLs will be re-written in Outlook (and Office, if enabled) to links with an address that contains safelinks.protection.outlook.com. This may require some end-user training if you have already trained your users to hover over links and be suspicious if the link and URL don’t align.

Use Safe Attachments to scan downloadable content –  If the URL points to an individual file that will prompt a download, this setting will run the file through the 3 Safe Attachment Anti-Virus engines.

Do not let users click through safe links to original URL –  Same as above, just applied at the user policy. You must decide what combination of this setting, or using it at all, makes the most sense for your organization and users.

Do not rewrite the following URLs –  If there are websites that you trust and want to ensure their URLs are not transformed into the safelinks.protection.outlook.com format, use this feature.

Applied To –  Similar to the setting by the same name on the Attachment policy. Assign users, groups, or entire domains to the policy.

Save the policy.

That’s it! Advanced Threat Protection is now active and protecting your e-mail attachments (as well as files in OneDrive, Teams, and SharePoint), along with scanning links in e-mail and Office for malicious destinations.

 

Blocked URL Example

To test that ATP Safe Link protection is active, I added Facebook.com to the manual blocked site list and then emailed that link to an end user covered by the policy. Attempting to utilize that link resulted in the ATP Blocked URL page, as seen below.

 

Reporting

The ATP service is active and protecting your organization, but it would be nice to know what’s happening with that protection on a routine basis. Microsoft provides reporting in the Security & Compliance Center of your Office 365 Admin Portal that details the activity within ATP. Notice that you may also schedule this report be emailed to you on a regular basis, so that you can more easily review ATP statistics routinely.

 

 

 

Conclusion

As stated before, the types and amount of attacks against your organization and end users is only going to increase year-over-year. It’s imperative that we find affordable but effective protection against these escalating threats. Office 365 Advanced Threat Protection is just another wrench in the toolbox for organizations looking to defend their selves, but it might just be the wrench you are looking for!