Let’s talk about Office 365 Advanced Threat Protection


In April of 2015, Microsoft announced Advanced Threat Protection (or ATP), an enhancement to Exchange Online Protection focused on the analysis of known and ‘zero day’ threats contained in email attachments, and on an interception method to prevent click-through to compromised links.

Here’s a ‘Microsoft Mechanics’ video, explaining the technical details of ATP:

And here’s information about how to get ATP.

So far, so good. But what is it like to deploy ATP in your Office 365 tenant and configure it?

Let’s take a look.

ATP is divided into two, distinct categories of action:

  • Safe Attachments (which, as the name implies, is the attachment analysis component)
  • Safe Links (which analyzes links against a list of known bad URLs)

Each area’s actions are configured by ATP policies which you can explore here.

In my experience thus far, the Safe Links component has proven to be quite aggressive, unhelpfully redirecting benign URLs (when Safe Links is active, URLs are rewritten to pass through https://na01.safelinks.protection.outlook.com/?url=<original URL> for analysis).

Your outcomes may vary, but within my tenant, Safelinks has been more intrusive than useful and has, therefore, been deactivated (no doubt, that decision will be revisited after further testing).
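As an added example (not code from the original post or from Microsoft), here is a small Python helper that reverses the Safe Links rewrite described above, so that a rewritten link seen in a log, a help-desk ticket or a forwarded message can be read in its original form. It assumes the rewrite format noted above: the original destination travels percent-encoded in the `url` query parameter of a `<region>.safelinks.protection.outlook.com` URL. It also handles a link that was rewritten more than once (for instance, after being forwarded between tenants). The sample links and the `data`/`sdata` values are constructed.

```python
"""Recover the original destination from a Safe Links rewritten URL.

Added example, not code from the original post. It assumes the rewrite format
described above: Safe Links sends clicks through
https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&...
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_PATTERN = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample of a rewritten link, as it would appear in a delivered message.
SAMPLE_LINK = (
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Finvoice%3Fid%3D42"
    "&data=01%7C01%7Cuser%40contoso.com%7Cconstructed&sdata=constructed&reserved=0"
)

# Constructed sample of the same link rewritten a second time by another tenant.
DOUBLE_WRAPPED = "https://eur01.safelinks.protection.outlook.com/?url=" + quote(SAMPLE_LINK, safe="")


def is_safelinks_url(url: str) -> bool:
    """True when the host is a Safe Links rewriting endpoint, e.g. na01.safelinks.protection.outlook.com."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str, max_depth: int = 5) -> str:
    """Return the original destination carried in the 'url' parameter.

    URLs that are not Safe Links rewrites are returned unchanged. A link that was
    rewritten several times is unwrapped layer by layer, up to max_depth layers.
    """
    for _ in range(max_depth):
        if not is_safelinks_url(url):
            break
        target = parse_qs(urlsplit(url).query).get("url")
        if not target:
            break            # rewriting host but no payload: leave it alone rather than guess
        url = target[0]      # parse_qs percent-decodes the value for us
    return url


def unwrap_in_text(text: str) -> str:
    """Replace every Safe Links URL in a message body with its original destination."""
    return URL_PATTERN.sub(lambda m: unwrap_safelinks(m.group(0)), text)


if __name__ == "__main__":
    print(unwrap_safelinks(SAMPLE_LINK))      # https://example.com/invoice?id=42
    print(unwrap_safelinks(DOUBLE_WRAPPED))   # same destination, two layers removed
    print(unwrap_in_text(f"Please review {SAMPLE_LINK} before Friday."))
```

Unwrapping is useful on the defensive side: a rewritten link tells you nothing about the destination until it is decoded, and a link with a Safe Links host but no `url` payload is left untouched rather than guessed at.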

Safe Attachments, on the other hand, has proven to be more effective, preventing 10 zero-day threats from reaching end users in a 5-day period, which is an impressive needle-in-a-haystack finding when you consider the many tens of thousands of emails reviewed during that period.

There are additional steps required, I should mention, to determine what action ATP Safe attachments has taken.

Through the Office 365 admin GUI (Exchange Admin Center, https://outlook.office365.com/ecp, then “advanced threats” and “safe attachments”), ATP does provide a decent visual overview of its activities:

To generate a report, click the icon that resembles a bar graph:

[Screenshot: Screen Shot 2016-07-31 at 4.10.51 PM]

By choosing “Advanced Threat by Disposition” you’ll see a bar chart reporting interface:

[Screenshot: Screen Shot 2016-07-31 at 4.17.08 PM]

Next, by choosing the “view pending or completed requests” link (not shown above), you’ll see a listing of the message trace activity that lies behind the reports you see in visual form:

[Screenshot: ATP message trace]

Now we arrive at a key part of the ATP process – confirming, via reporting, that the ‘hits’ are, in fact, malware.

Earlier, I mentioned that in 5 days, ATP had successfully intercepted 10 zero day threats.  How do I know that?

The answer, unfortunately, isn’t straightforward.

Let’s return to the ATP safe attachments interface:

[Screenshot: Screen Shot 2016-07-31 at 4.30.09 PM]

ATP’s actions flow from policies you create here. By choosing the pencil icon, we can take a look at the configuration for safe attachments:

[Screenshot: Screen Shot 2016-07-31 at 4.34.24 PM]

And, by selecting “settings” you can configure how ATP will react (or, if it will react) to suspicious attachments:

[Screenshot: Screen Shot 2016-07-31 at 4.36.57 PM]

In the policy shown above, ATP is directed to replace a file that’s suspected of being compromised before it reaches a recipient and redirect that file to a mailbox for further analysis.  It will also do the same when processing times out.

To get more detail explaining why ATP red-flagged a file (or whether a timeout occurred), I examine what’s sent to the reporting mailbox (a shared mailbox I created for this purpose).

Looking at the reporting account Inbox, you can see the results of an ATP safe attachments report (sender, recipient, and other details obscured for obvious reasons):

[Screenshot: ATP reports message]

Using this information, we can perform a message trace to discover why ATP intercepted this attachment:

[Screenshot: Screen Shot 2016-07-31 at 5.36.07 PM]

Notice the string of deferrals listed?

This means that ATP could not determine whether or not the attachment contained malware and, following policy, removed the file from the email sent to the recipient, redirecting it to our reporting mailbox.

Deferrals can prove challenging to understand since we don’t know if the attachment is compromised and, due to a current lack of detailed information regarding ATP’s performance characteristics, it’s difficult to know what makes one file an analysis hurdle (leading to deferrals) and what makes another simpler to process.

Is it file size? Or perhaps file type? Right now, we don’t know and I’ve yet to see firm information from Microsoft providing guidance (questions posed to the Office 365 Network haven’t been effectively answered).

You should be aware that either way, message delivery can be delayed by ATP:

“Email delivery – If the safe attachments policy that applies to a particular recipient has an action of Block, the email will not be delivered until the attachments can be detonated by the safe attachments technology in EOP. Safe attachments will launch a unique hypervisor to open the attachment. This can result in a delivery delay of 5-30 minutes for each mail evaluated by safe attachments.”

[…]

full here

Although the quote above mentioned delays when ATP is configured to block, we’ve also seen latency when the rule is set to redirect.

Let’s take a look at a case of positively identified malware:

[Screenshot: Screen Shot 2016-07-31 at 5.57.22 PM]

Here, we see ATP safe attachments identifying malware within an attached file.

Of course, it isn’t sufficient to simply take ATP’s word for it; we need to confirm that the report is accurate. To do that, we must submit the file for further analysis to a third party such as VirusTotal or Malwr.

Reviewing the process so far…

1.) Deploy ATP to your tenant

2.) Configure the safe attachments and safe links policy

3.) Analyze the results and, in the case of safe attachments, submit those results to 3rd party tools to verify ATP’s interception.

Confirmation of findings is pretty labor-intensive and, at some critical points, very manual. It would be nice if the analytical portion was reflected in the ATP reporting interface (including a listing of deferrals vs. positive hits) and if there was a method to submit attachments for confirmation within the workflow.

So far, these options don’t exist.
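As an added example (not code from the original post or from Microsoft), the following Python script produces the listing the post asks for: it groups a message trace export by message, tallies deferrals against positive malware hits, and computes the delivery delay each message suffered, so the deferral-heavy cases discussed above stand apart from confirmed detections. It also hashes a redirected attachment so the SHA-256 can be looked up at a third-party scanner before deciding whether the file itself needs to be uploaded for confirmation. The CSV columns (MessageId, Date, Event, Detail) and the event names Receive/Defer/Malware/Deliver are constructed to resemble a trace export and must be mapped to the fields of your own export; the sample rows and the mailbox address are constructed.

```python
"""Tally Safe Attachments deferrals against positive hits from a message trace export.

Added example, not code from the original post or from Microsoft. The CSV columns
(MessageId, Date, Event, Detail) and the event names Receive/Defer/Malware/Deliver are
constructed to resemble a trace export; map them to your own export before use.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one message deferred until the policy acted on timeout, one
# flagged as malware, one delivered clean. Not a real tenant export.
SAMPLE_TRACE_CSV = """MessageId,Date,Event,Detail
<m1@contoso.com>,2016-07-31 16:01,Receive,Message received
<m1@contoso.com>,2016-07-31 16:03,Defer,Attachment scan pending
<m1@contoso.com>,2016-07-31 16:09,Defer,Attachment scan pending
<m1@contoso.com>,2016-07-31 16:31,Deliver,Attachment replaced; original redirected to atp-reports@contoso.com
<m2@contoso.com>,2016-07-31 17:50,Receive,Message received
<m2@contoso.com>,2016-07-31 17:57,Malware,Safe Attachments detected malware in invoice.doc
<m2@contoso.com>,2016-07-31 17:57,Deliver,Attachment replaced; original redirected to atp-reports@contoso.com
<m3@contoso.com>,2016-07-31 18:00,Receive,Message received
<m3@contoso.com>,2016-07-31 18:02,Deliver,Message delivered
"""


def parse_trace(csv_text):
    """Group trace rows by MessageId; each group is sorted by timestamp."""
    by_message = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Date"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M")
        by_message[row["MessageId"]].append(row)
    for events in by_message.values():
        events.sort(key=lambda r: r["Date"])
    return dict(by_message)


def classify(events):
    """Name what Safe Attachments did with one message.

    malware  : an explicit malware verdict was recorded (a positive hit)
    deferral : no verdict; the scan deferred and the policy acted (replace/redirect) on timeout
    clean    : delivered with neither a deferral nor a verdict
    """
    kinds = {e["Event"].lower() for e in events}
    if "malware" in kinds:
        return "malware"
    if "defer" in kinds:
        return "deferral"
    return "clean"


def summarize(csv_text):
    """Return {message_id: {"outcome", "deferrals", "delay_min"}} for every traced message."""
    report = {}
    for msg_id, events in parse_trace(csv_text).items():
        deferrals = sum(1 for e in events if e["Event"].lower() == "defer")
        # Delay from first receipt to the final event, in whole minutes.
        delay = (events[-1]["Date"] - events[0]["Date"]).total_seconds() / 60
        report[msg_id] = {"outcome": classify(events), "deferrals": deferrals, "delay_min": int(delay)}
    return report


def outcome_counts(report):
    """Tally outcomes so deferrals and positive hits are listed side by side."""
    tally = defaultdict(int)
    for entry in report.values():
        tally[entry["outcome"]] += 1
    return dict(tally)


def attachment_sha256(data):
    """SHA-256 of a redirected attachment, for a hash lookup at a third-party scanner
    before deciding whether the file itself has to be uploaded."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    report = summarize(SAMPLE_TRACE_CSV)
    for msg_id, entry in report.items():
        print(f"{msg_id:20} {entry['outcome']:9} deferrals={entry['deferrals']} delay={entry['delay_min']} min")
    print(outcome_counts(report))
    print(attachment_sha256(b"constructed attachment bytes"))
```

Run against a real export, the per-message delay column also gives you hard numbers for the latency discussed above, whether the policy action is Block or Replace, instead of relying on the 5-30 minute figure from the documentation.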

In the next post, we’ll take a look at safe links and also, the PowerShell cmdlets for managing ATP. We’ll also review how to create a kind of whitelist.

The Cloud Era Demands More (and different) Things from IT Professionals

If you’re like me, an IT professional of ‘a certain age’ (and, come to think of it, even if you’re younger but toiling in an enterprise still struggling with legacy practices), you know what it’s like to work in a siloed IT environment.

I’m sure you know what I mean by “siloed”: the database team works separately from the SharePoint team, who speak imperfectly with the various dev teams, and so on, and so on.

This approach to enterprise IT, which fosters an emphasis on individual technical prowess over solutions and a tendency towards isolation from the concerns and pain points of end users and business units, is losing whatever charms it once held as cloud technologies and methodologies become standard practice.

Here’s a concrete example…

For many companies, messaging, in the form of Exchange Online, is the entry point to SaaS as represented by Office 365. Typically, the goal is to reduce server footprint, licensing costs and operational complexity by moving the email function to the cloud.

And just as typically, the messaging person, long accustomed to fulfilling that role more or less in isolation from other IT roles (interacting, as needed, with teams who need messaging services), expects to continue along that track.

But the movement of this workload to the cloud makes that nearly impossible.

Cloud services such as Office 365 operate on a scale not achievable for most enterprises and take advantage of computing fabrics (in the case of Office 365, the Microsoft Graph) that turn discrete technologies, such as SharePoint, messaging and cloud storage, into aspects of a unified collaboration framework.

This represents a powerful change to the IT function which alters the demands placed on IT professionals:

  • Solutions: a focus on solutions over pure technical prowess
  • Flexibility: a willingness to cross technology boundaries that follow the data flow throughout your cloud platform
  • Communication: assuming an ‘evangelist’ role in your organization, promoting workflow modernization via cloud services

You find solutions by listening, seeking to mate technology to an organization’s needs instead of trying to bend people and their work process to the constraints of a technology. In the cloud era, failure to do this leads to the use of ‘shadow’ and ‘credit card’ IT as teams work around central IT obstacles by adopting cloud technologies independently of company strategy.

You achieve flexibility by leaving your silo (dev, operations, messaging, database, etc.) and developing a broad, cross-functional body of expertise that is built on an understanding of a platform, thinking of the service in utility terms.

You develop an effective communication strategy by understanding that a key part of your responsibility during this moment of transition, from exclusively on-premises technology methods to hybrid or all-in cloud adoption, is to explain the benefits and provide guidance.

These skills have always been important, but in the cloud era, they have achieved a critical importance not seen for quite some time.  As an IT professional, your success will be measured more and more by your strength in these areas, even above your (surely solid) technical chops.