
A Brief History of Office 365 Advanced Threat Protection

October is National Cyber Security Awareness Month. In celebration of this month, we wanted to share some highlights on the remarkable growth and maturity of Office 365 Advanced Threat Protection (Office ATP) since the service first launched in June 2015. As many of you know, Office ATP offers security against today's most sophisticated unknown threats, including 0-day threats, targeted attacks, and other advanced forms of malware, and it provides protection for your entire Office 365 ecosystem. As we shared with you recently, Office 365 ATP now protects more Office 365 users than all its competitors combined. We are very proud that our customers rely on our ability to protect their end users, and we'd like to share with you how we have improved the capabilities of Office 365 Advanced Threat Protection since inception and where our focus lies moving forward.


Malware Catch Effectiveness

As you can imagine, the most important aspect of any advanced security service is its ability to catch malware. Over the last two years, there has been an explosion in both the volume and sophistication of advanced, targeted threats aimed at enterprises. According to Verizon's 2017 Data Breach Investigations Report, nearly two-thirds of all malware that is installed arrives in the form of an email attachment. Additionally, the US Computer Emergency Readiness Team (US-CERT) reported an average of 4000 daily ransomware attempts in 2016. This growing threat of ransomware is expected to cost in excess of $5 billion in 2017. Clearly, cyber threats continue to pose serious harm to businesses, so the challenge remains offering a solution that not only secures users from the threats of today but can also continue to improve, withstand, and mitigate the evolving threats of tomorrow. Despite the increasing number of threats and their growing sophistication, Office 365 ATP's malware catch effectiveness has continued to improve since inception. Currently, less than 0.1% of malware ever reaches an end user mailbox, and we are excited to report these results even as we secure more mailboxes than all our competitors. Not only do we see more threats, but we also stop more threats than any other advanced security vendor.


[Figure: Office 365 Advanced Threat Protection Improving Malware Catch Rate Since Inception]

While most vendors would be happy to simply share this catch rate, we wanted to share some of the work that has gone on since 2015 to help get us to this level of accuracy. In 2015, we made several enhancements to the Anti-Virus (AV) engines used by Office ATP. Every email that enters Office 365 goes through several filters before it lands in your end user's inbox, and our AV engines are a critical part of this mail flow, so the enhancements made in 2015 significantly improved our catch rate as we moved into 2016. Last year, we received enough feedback to know that Office ATP is very important for our customers and their businesses and that we needed to continue making enhancements to the service to ensure customers were getting the best protection possible. When we launched ATP, we used sandboxing technology, heuristics, several different AV engines (our own as well as the best third-party engines in the industry), and reputation lists. We have made several improvements to our sandboxing technologies, including advances in detecting and defeating sandbox evasion, that have markedly improved our ability to stop novel malware. We also regularly update our AV engines and reputation lists to ensure customers always have the best-of-breed combination of tools to stop malware.


Also, this year we have seen a surge in advanced phishing campaigns and, as such, focused our efforts on further enhancing our existing anti-phish capabilities. With ATP's Safe Links, customers were already protected against sophisticated phishing attacks. However, we realized that further protection could be possible through integration across our platforms. Through the Microsoft Intelligent Security Graph, Windows and Office 365 now share signals. With this integration, we have exponentially increased the number of phishing links and websites that Office 365 Safe Links can now flag as malicious. Deeper integration with Bing and Edge also now enables us to effectively block any site that has been flagged by the search engine or the browser service, respectively. In the coming weeks, Safe Links will also gain the ability to block links in intra-org emails, protecting your organization from any potentially compromised user account. Through the course of this year, we'll also enhance ATP's phish detection by applying our sandboxing technology to links. Additionally, we'll be releasing new capabilities for spoof and impersonation detection (both personal and brand) as we round out this calendar year. You can gain more insight into how Microsoft and Office ATP help stop advanced phishing campaigns in our recently released whitepaper.


Empowering Productivity

While the primary goal of Office ATP has been to ensure users are protected from advanced threats, Office 365 was built to enable user productivity. Security solutions that adversely impact productivity ultimately slow down the pace of business. When Office ATP was first launched with the Safe Attachments feature, customers asked us to focus on reducing the latency of email delivery for emails with attachments. To help end users remain productive, we launched the Dynamic Delivery feature in early 2017. However, we continued to focus on lowering actual latency times by working closely across our engineering teams. This strong collaboration between different teams helped to incrementally reduce the latency times. Today, we're proud to announce that our average latency time for scanning email attachments is around 60 seconds. We are confident that this average latency time is on par with or better than anything available in the industry. Only a concerted effort across multiple engineering groups enabled us to quickly and effectively reduce our latency times in a few short months. We often claim that integration is one of our advantages and differentiators, and this rapid reduction in latency times is a manifestation of how we integrate the knowledge across our different engineering teams to meet customer requirements. For users who still need to work on attachments immediately on email arrival, we have also launched Document Preview. This is a feature enhancement to Safe Attachments which allows users to view the attached document while it is being scanned. The user can not only view the document but also interact with and edit it. With Dynamic Delivery and Document Preview, we have effectively removed any potential impact on productivity which may be caused by the latency of scanning attachments.


[Figure: ATP's Rapid Reduction in Scanning Latency]


Rich Feature Set

While these blogs primarily focus on security and compliance for Office 365, it is important to remember that Office 365 is only part of a much broader security focus at Microsoft. In fact, Microsoft has been heavily investing in security for many years, and hopefully you can take a few moments to see some of our efforts documented on the Microsoft Secure page. Also check out this video to gain insight on:


  • How the Microsoft Cyber Defense Operations Center teams protect, detect, and respond to threats on our platform
  • How the Microsoft Digital Crimes Unit serves to fight malware, reduce digital risk, and protect vulnerable populations
  • How Microsoft uses the intelligence gained from these operations to help improve security for our customers

What you should note is that this infrastructure supports all security services, and that it continues to grow as Microsoft invests even more heavily in both time and technology to ensure that your organization and users always remain secure even as the threat landscape evolves. We also demonstrate this at the service level, where you can see the rapid increase in features that have been added to Office 365 ATP since launch. You will continue to see this level of focus and effort as we bring more features online in the coming months and further enhance the existing features. We are committed to providing the most effective advanced security service for Office 365 to our customers.


[Figure: ATP's Growing Set of Features]


We hope that you have had the opportunity to try Office 365 Advanced Threat Protection for your organization. If you have not yet tried Office ATP, reach out to your account rep to learn more, or simply start a free Office 365 E5 trial today and begin securing your organization from today's most sophisticated threats.

2 Comments
Occasional Contributor

Safe Links was recently enabled on my Outlook.com account, which greatly took me by surprise. Unfortunately, with it you can no longer see real URLs in any non-MS links in your incoming emails, as they're heavily obscured behind an astoundingly lengthy URL of MS's own.


Unfortunately, there's no way to disable this feature, as I'm sure there is in 365.
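The comment above is about rewritten links hiding the real destination from the reader. As an added example (not code from the post or from Microsoft), the following helper recovers the original destination from a rewritten link so that a user or a mail-security analyst can inspect where a link actually points before clicking. It assumes the publicly documented shape of a Safe Links URL: a host under `safelinks.protection.outlook.com` with the original destination carried percent-encoded in the `url` query parameter. The sample rewritten link is constructed, with placeholder values for the tracking parameters.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample of a rewritten link. The host and the `url` parameter
# follow the publicly documented Safe Links shape (an assumption of this
# example); the `data` and `sdata` values are placeholders, not real tokens.
SAMPLE_REWRITTEN = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.example.com%2Finvoice%2Fview%3Fid%3D42"
    "&data=PLACEHOLDER&sdata=PLACEHOLDER&reserved=0"
)

SAFELINKS_DOMAIN = "safelinks.protection.outlook.com"


def is_safelinks_url(link: str) -> bool:
    """True when the link's host is the Safe Links rewriting service."""
    host = (urlparse(link).hostname or "").lower()
    return host == SAFELINKS_DOMAIN or host.endswith("." + SAFELINKS_DOMAIN)


def unwrap_safelink(link: str) -> str:
    """Return the original destination of a rewritten link, or the link unchanged.

    parse_qs already percent-decodes the parameter, so the nested URL comes
    back with its own `?` and `=` restored; it is not decoded a second time,
    which would corrupt destinations that legitimately contain %XX sequences.
    """
    if not is_safelinks_url(link):
        return link
    originals = parse_qs(urlparse(link).query).get("url")
    if not originals:
        return link  # rewritten host but no destination parameter: leave as-is
    return originals[0]


def destination_host(link: str) -> str:
    """Host the user would actually land on, after unwrapping if needed."""
    return (urlparse(unwrap_safelink(link)).hostname or "").lower()


if __name__ == "__main__":
    print("rewritten :", SAMPLE_REWRITTEN)
    print("real URL  :", unwrap_safelink(SAMPLE_REWRITTEN))
    print("real host :", destination_host(SAMPLE_REWRITTEN))
```

Comparing `destination_host()` against the host shown in the link text is a cheap check for display-text/target mismatches that the rewriting otherwise hides from a reader hovering over the link.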

New Contributor

One thing we have noticed is that if Office 365 ATP takes ages to detonate and check an attachment (15 mins plus is not uncommon here; we're an engineering company that deals with big PDFs and Office files all the time, often with big hairy macros embedded), it takes roughly the same time again if the recipient then forwards it to someone new. Perhaps EOP or ATP could record a checksum, and then ATP could say "Ah, I just processed exactly that file within the last few hours, no point doing it again so soon". Or would that open up a new risk (timestamp-based malware behaviour perhaps)?
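The comment above proposes reusing a sandbox verdict for an attachment whose checksum was seen recently, and asks whether that creates a new risk. As an added example (not code from the post or from Microsoft, and not a description of how ATP actually works), the sketch below shows one way a verdict cache could bound that risk: verdicts are keyed by the SHA-256 of the exact bytes, a clean verdict is reused only within a short time window so that content with time-dependent behaviour is re-detonated after the window expires, and a malicious verdict never expires. The sandbox, the clock and the sample attachments are constructed stand-ins so the example runs offline.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Verdict:
    clean: bool
    scanned_at: float  # seconds, from the cache's clock


class FakeClock:
    """Constructed clock so the example is deterministic; swap for time.time in real use."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class DetonationCache:
    """Hypothetical verdict cache in front of a slow sandbox (illustration only).

    Reuse policy:
      * key = SHA-256 of the exact bytes, so a forwarded copy hits, a modified one misses;
      * a clean verdict is trusted only for `ttl_seconds`, bounding exposure to content
        whose behaviour depends on the date or time it is opened;
      * a malicious verdict is kept indefinitely: known-bad content stays blocked.
    """

    def __init__(self, detonate: Callable[[bytes], bool], ttl_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self._detonate = detonate      # returns True when the sandbox saw nothing malicious
        self._ttl = ttl_seconds
        self._clock = clock
        self._verdicts: Dict[str, Verdict] = {}
        self.detonations = 0           # how often the slow path actually ran

    @staticmethod
    def content_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def scan(self, data: bytes) -> bool:
        """Return True if the attachment may be delivered, False if it must be blocked."""
        key = self.content_hash(data)
        now = self._clock()
        cached = self._verdicts.get(key)
        if cached is not None:
            if not cached.clean:
                return False                          # no expiry for known-bad content
            if now - cached.scanned_at < self._ttl:
                return True                           # identical bytes, detonated recently
        clean = self._detonate(data)                  # the slow sandbox path
        self.detonations += 1
        self._verdicts[key] = Verdict(clean=clean, scanned_at=now)
        return clean


def fake_detonate(data: bytes) -> bool:
    """Stand-in for the sandbox: a constructed marker decides the verdict."""
    return b"EVIL-MACRO" not in data


if __name__ == "__main__":
    clock = FakeClock()
    cache = DetonationCache(fake_detonate, ttl_seconds=4 * 3600, clock=clock)
    drawing = b"%PDF-1.7 constructed large engineering drawing"
    print(cache.scan(drawing), cache.detonations)     # first delivery: detonated
    print(cache.scan(drawing), cache.detonations)     # forwarded copy: served from cache
    clock.advance(5 * 3600)
    print(cache.scan(drawing), cache.detonations)     # window expired: detonated again
```

The window length is the trade-off the commenter is asking about: a longer TTL saves more sandbox time, while a shorter one limits how long a verdict for time-triggered content can stay wrong. Hashing the exact bytes also means a forwarded attachment that was edited, re-saved or re-encoded is treated as new content rather than trusted on the strength of the original's verdict.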