Security, Compliance, and Identity Blog

Enhanced Reporting, Quarantining, and Safe Links Capabilities for Office 365 EOP and ATP Services

Debraj Ghosh
Microsoft
Jun 02, 2017

Office 365 Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) were designed to keep your organization protected against cyber-attacks while supporting end-user productivity. We continue to enhance both EOP and ATP by offering deeper insights and more flexible controls.
This month we are introducing advanced threat reporting, new quarantine capabilities for malware emails, and additional controls for the ATP Safe Links feature. These features are currently being deployed and will be available to all users by the end of May.

 

Advanced Threat Reporting
Threat Protection Status is a new advanced threat report that provides visibility into all malicious emails detected and blocked for your organization: both those caught by standard EOP features such as anti-malware engines and Zero-hour auto purge (ZAP), and those caught by the advanced protection provided by ATP Safe Attachments and Safe Links. It augments the recently introduced detailed reports for ATP Safe Attachments in the Security and Compliance Center (SCC) reporting dashboard. The Threat Protection Status report can be accessed from this link.

 

Figure 1. Advanced Threat Report - Threat Protection Status

 
The ATP Safe Attachments section of this report identifies all malicious emails detected by routing attachments to a hypervisor (sandbox) environment where content behavior is analyzed for malicious intent. It provides the detailed behavior observed in the hypervisor environment, as well as details on the Command and Control (C2C) servers that the content interacts with, malicious files downloaded, scripts executed, and system changes to the registry or files.

 

Figure 2. ATP Content Behavior Analysis from Sandbox

 

The ATP Safe Links section of the report identifies emails with malicious URLs that were blocked at the time of click based on the mail’s reputation. As you may know, ATP Safe Links reroutes URLs at the time of click so that the URL reputation can be validated. This guards against exploits where attackers redirect URLs to malicious websites after the mail is delivered.

 

 

Enhanced Quarantine Capabilities
This month will also see significant feature enhancements to quarantine capabilities, extending support for EOP and providing new support in ATP for emails classified as malware. We are also enhancing the existing quarantine experience by allowing administrators to review and delete emails from quarantine. The new features will be enabled in the SCC Quarantine interface, which can be accessed from this link.


Now, all emails classified as malware by both EOP and ATP will be quarantined. If a mail is misclassified as malware and placed in quarantine, admins will be able to easily release the email to an end user, preventing any unnecessary disruption to end-user productivity. Administrators can view the details of a mail in Quarantine by double-clicking a specific message and then clicking “Preview message”.

 

Figure 3. Malware Quarantine

 

New ATP Safe Links Policy Features

Safe Links in ATP is getting three new features that can be used when creating a Safe Links policy:

 

  • The ability to customize per-tenant block lists for URLs that should be blocked from reaching end users. While ATP leverages a very large set of reputation filters, we realize that there are instances when organizations wish to designate a set of URLs to always block, which is now enabled by this new block list feature.

 

  • Email wildcard blocking for both domains and handles to make it simpler to block a sender without the need to write in each individual email address.

 

  • Increased character limit for URLs, providing greater flexibility of configuration for both the block and allow lists. 

Figure 3. Safe Links Block URL List

Additionally, the Safe Links policy capabilities will now be split between options for the entire organization and more customized, segmented recipient lists within the organization, such as groups, individuals, divisions, etc.

 

Figure 4. Safe Links Policy for Entire Organization or for Specific Recipients 

We value your feedback, as it helps us continue to improve and enhance our services.  Please check out these new features in EOP/ATP and let us know what you think. If you’re interested in trying ATP, reach out to your account rep, or learn more about ATP here.

 

 

 

Updated May 11, 2021
Version 7.0
  • It would be nice if it were more clear which of the above features were available in EOP as opposed to those that you need to pay the extra ATP dollars for.

  • Reto Krebs
    Copper Contributor

    Two questions for the current ATP-Features:

    1. To what limit have you increased the character limit for URLs on the default SafeLink-Policy (in the past it was 320 characters)?

    2. What are the requirements for the MS Office Desktop Apps, with respect to their configuration, for a working SafeLink Default Policy within those Apps? So far I have not been able to block a URL within MS Office 2016 (latest updates installed, signed in as the licensed user in the appropriate O365-Tenant).

     

    Thanks in advance,

    Reto

  • If we add to the safe link policy, does Microsoft have a feature to look at the blocked safe links and update their engine? We need to remove the list after some time instead of keeping it all the time.

    Can the page be customized according to our organization?