Let’s Talk About Office 365 Advanced Threat Protection: Part Two

Last time, we reviewed Office 365 Advanced Threat Protection (ATP), an enhancement to Exchange Online Protection focused on protecting end-users from two categories of email-delivered threats: zero-day compromised attachments and malicious URLs.

Specifically, we discussed ATP’s safe attachments policies, reporting capabilities and the labor-intensive workflow required to confirm that what ATP is telling you is, in fact, accurate (i.e., that the attachment is actually malware).

This time, we’ll review ATP’s safe links, which analyzes URLs before you click through, and the PowerShell cmdlets associated with Advanced Threat Protection.

To configure ATP’s safe links, you can go to the Office 365 ECP:

https://outlook.office365.com/ecp

From the menu on the left-hand side of the Exchange admin center interface, choose “advanced threats” –

[Screenshot: Exchange admin center, advanced threats]

From the ATP sub-menu, choose “safelinks”:

[Screenshot: ATP safelinks]

In our example, we’re using the default Safe Links Policy; to edit its properties, click the pencil icon (a common design theme in the Office 365 admin interface):

[Screenshot: ATP safelinks policy list]

The first setting option is “general” –

[Screenshot: Safelinks general setting]

Note that both the Name and Description fields are labels and can be changed.

The real action starts with “settings” –

[Screenshot: Safelinks settings detail]

Let’s walk through the options you see above.

Configuration Options

  • On or Off are self-explanatory
  • When the setting is On, potentially malicious URLs are rewritten to https://na01.safelinks.protection.outlook.com/?url=(URL to analyze here)
  • If “Do not track user clicks” is selected, ATP will not record user click-through attempts (which means no reporting data on this action)
  • If “Do not allow users to click through to original URL” is selected, end-users will not be able to reach the original URL via the link embedded within their email
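
When triaging a reported message, you often need the original destination behind a rewritten link. The following is an added example, not part of the original post or any Microsoft tooling: it recovers the original URL from the rewritten form described above, relying only on the `url` query parameter and the `safelinks.protection.outlook.com` host; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Suffix taken from the rewritten-URL form shown above (na01 is one regional prefix).
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelinks(url: str) -> bool:
    """True only when the host is a real subdomain of the Safe Links domain."""
    host = (urlsplit(url).hostname or "").lower()
    # The leading dot in the suffix rejects look-alikes such as
    # "evilsafelinks.protection.outlook.com"; endswith() rejects hosts that
    # merely contain the domain, e.g. "...outlook.com.example.net".
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str, max_depth: int = 5):
    """Return (original_url, hops). URLs that are not rewritten come back unchanged."""
    hops = 0
    while hops < max_depth and is_safelinks(url):
        # parse_qs percent-decodes the value once, undoing one layer of rewriting.
        targets = parse_qs(urlsplit(url).query).get("url")
        if not targets:
            break  # Safe Links host but no url parameter: nothing to recover
        url = targets[0]
        hops += 1
    return url, hops


def wrap(url: str, region: str = "na01") -> str:
    """Build a constructed sample in the rewritten form, for demonstration only."""
    return f"https://{region}{SAFELINKS_SUFFIX}/?url={quote(url, safe='')}"


if __name__ == "__main__":
    original = "http://example.com/login?id=42&next=/home"  # constructed sample
    samples = [
        wrap(original),        # rewritten once
        wrap(wrap(original)),  # nested rewrite (constructed)
        original,              # never rewritten
        "https://na01.safelinks.protection.outlook.com.example.net/?url=x",  # look-alike host
    ]
    for s in samples:
        print(unwrap_safelinks(s))
```

The strict host check matters because a link that merely resembles the Safe Links domain should be treated as the suspicious URL itself, not unwrapped as if ATP had vetted it.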

Above I mentioned that if the “Do not track user clicks” option is selected, ATP won’t gather reporting data. But what if it is not selected?

Reporting

To access safe links reporting, choose the “mail flow” option from the Exchange Admin Center interface:

[Screenshot: safe links reporting]

This works the same as other Office 365 mail flow reporting widgets. As you can see, you can choose the date and time range for your output.  You can also choose to search for an individual’s results by using the ‘recipient’ option (not shown but on the page if you look towards the bottom). It’s also possible to search for a specific URL.

[Screenshot: safelinks search by person or URL]

To demonstrate a search, let’s click “search” (not shown in the screenshot but at the bottom of the interface, as usual) and gather a broad report:

[Screenshot: safelinks link listing]

The recipient addresses have been obscured for obvious reasons.

By clicking on one of the line items, it’s possible to view greater detail:

[Screenshot: safelinks detail]

This gives you the ability to analyze safe links’ actions more closely for a particular user.

I know that I mentioned PowerShell cmdlets at the top; we’ll tackle that in the next post.

Published by

D. Roberto

No one can know everything...but I come close! Actually, this project is an enhanced version of the notes I take every day to sharpen my skills and deepen my understanding. Hopefully, it can be of some benefit to my fellow specialists around the world.