Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

Staying ahead of modern-day attacks Part 2: Defense-at-Scale approach with Office 365 ATP

Pragya Pandey's avatar
Pragya Pandey
Icon for Microsoft rankMicrosoft
Sep 20, 2018

In part 1 of this series, we reviewed the significant enhancements made to Office 365 Advanced Threat Protection (ATP) in recent months.   In this blog, we’ll delve into the scale of threat signals leveraged by Office 365 ATP and highlight how that scale bolsters our ability to detect and protect against advanced threats quickly and accurately. Our strength of signal is one of the important elements helping Office 365 ATP provide the best security for emails, documents and collaboration. The foundation of Office 365 ATP is the Microsoft Intelligent Security graph which provides 6.5 trillion signals per day.  This number is so large, it is hard to put into perspective but if you could analyze each of the 6.5 trillion signals at one signal per second, it would take roughly 200,000 years to analyze all the signals.  With the power of machine learning, Exchange Online Protection (EOP) and Office 365 ATP do this analysis every day.  Clearly, the information, learning, and intelligence gained from the Intelligent Security Graph is an impressive differentiator for our security services.

 

 

Office 365 ATP leverages these signals to detect malicious content faster and more accurately than any other service.  We often reference the 400 billion emails analyzed by Office 365 every month which translates to more than 150,000 emails analyzed every second. Analyzing these emails provides trillions of signals that help our threat protection engines discern the good from the bad at a granular level, making the service agile and effective. Office 365 ATP has continued to improve even while the volume and sophistication of threats continues to escalate.  Our approach to security has been so effective, currently, Office ATP has a malware catch rate greater than 99.9%. The rich data set helps fine tune our machine learning algorithms so that we can constantly enhance coverage for unknown and emerging threats in-real time.

 

Figure 1. Leveraging Machine Learning Models to identify phish lures

 

Early detection of malicious content

Because of the volume of data analyzed every day; Office 365 ATP has better visibility into potential malware and phishing. The service can quickly identify suspicious content to protect users from a variety of malware and phishing attacks. For example, this malicious link was caught by Office 365 ATP only a few mins after it was launched. This phishing campaign tries to gather email account details of the recipients.

 

Figure 2. HTML page mimicking email sign-in page

 

Note that while other engines had not yet detected the attack, Office 365 ATP flagged the URL as malicious early enough to protect users from clicking on it.

 

Figure 3. No engine detected the malicious URL per VirusTotal

In another example, attackers were trying to trick users to provide their credentials. This type of phishing vector is rampant because gaining access to emails provides opportunities for attackers to access sensitive data or compromise other accounts owned by the victim.

 

Figure 4. HTML page mimicking sign-in page for OneDrive



 

 In this instance also, Office 365 ATP flagged it as malicious before any other engine was able to detect it.

 

Figure 5. No engine detected the malicious URL per VirusTotal

 

Flagging suspicious content among a sea of legitimate content

Of the 400 billion emails analyzed by our threat protection engines monthly EOP and Office 365 ATP flag around 600 million email messages as malicious. That means only 0.0015% of all the emails analyzed are bad. Finding such a small fraction of malicious content among a sea of legitimate emails requires our engines to be smart and accurate. Office 365 ATP acquires that intelligence by learning from the huge amount of data that the Intelligent Security Graph provides. Such precision and granularity are also critical in accurately flagging malicious content and reducing false positives.

The detonation technology used to inspect attachments and links for malicious content also generates huge number of unique signals that can used to train our machine learning algorithms. These signals are shared across our services to improve the overall security posture and enhance their protection and detection capabilities.

 

Figure 6. Classifying unknown threats using detonation, heuristics, and machine learning

 

The strength of signals that Office 365 ATP leverages makes it a powerful engine that provides intelligent detection and industry-leading protection against advanced attacks.

 

Experience Office 365 ATP 

If you’re attending Microsoft Ignite, please join us to learn more.

 

If you have not tried Office 365 ATP for your organization yet please begin a free Office 365 E5 Trial today and start securing your organization from the modern threat landscape.

Updated May 11, 2021
Version 9.0
  • wroot's avatar
    wroot
    Silver Contributor

    Just to think, such immense amount of time and processing power is dedicated not to do some achievement in science, but to.. filter email.

  • Pragya Pandey Thanks for the overview above. Re this line: "Of the 400 billion emails analyzed by our threat protection engines monthly EOP and Office 365 ATP flag around 600 million email messages as malicious. That means only 0.0015% of all the emails analyzed are bad." Can you please clarify whether you are saying:

    1. Microsoft analyses 400 billion emails each month using EOP and ATP, and of these, only 600 million are malicious (according to EOP and ATP); OR
    2. Microsoft analyses 400 billion emails each month for threats, and after doing this analysis, EOP and ATP then separately flag 600 million as malicious.

    Secondly, for the threats that EOP and ATP do not capture, do you recursively re-calculate the threat error catch rate? e.g., for the phishing emails that are delivered to my Office 365 tenants, are they included in the 0.0015% rate noted above?

  • Pragya Pandey Thinking about this overnight ... what I conclude from reading the above is that if ATP and EOP can only identify 0.0015% of emails as being malicious (600 million out of 400 billion), then aren't the two services fundamentally broken and ineffective? This would explain why so many malicious emails are still delivered to user inboxes - ATP and EOP just can't see them, because by implication, your analysis of the email stream says that 99.9985% of all emails are not malicious.

     

    What am I not seeing in what you're trying to say?