We purchased over 3600 licenses for Microsoft Advanced Threat Protection with the hopes of protecting our accounts. In particular for if a malicious link were passed between our internal accounts we would be protected with Safelinks. I worked with Microsoft support for two weeks because all testing failed to rewrite the URL. Now I was just told by support and I Quote them saying in Ticket SRX14129695481:
The ATP Safe links is only applied for inbound traffic from external senders to internal recipients. ATP safe link will not re-write the internal emails. This is by design.
Why not have a method to protect within? It seems the perimeter is the only protection by design.
So if an account becomes compromised and becomes a source of Malware you are not protected.
Very interesting, this feature is actually coming to ATP soon!
First I found a mention of internal safe links from Ignite last year:
"Many users have relied on the time of click protection of Safe Links to protect end users from sophisticated threats in the form of links in emails. Now Safe Links can be enabled for internal emails to protect users from malicious links being sent within the organization."
Good news, it's on the roadmap too, the release is not that far off by the looks of it!
Office 365 ATP Safe Links for Intra-Org Emails
Office 365 Advanced Threat Protection Safe Links for internal emails will enable time of click protection and functionality of Safe Links for intra-org emails. This will protect end users from malicious links in emails that are sent between users in the same organization.
Cian If you have it, please do a quick and easy test. Send a test account or Co-Worker within the same Federation a message and add a few URL's. Let us know if when the recipient gets the message, when you hover the mouse over the URL, it should show a re-written URL to safelinks. Or if a link is blocked in the configuration, if you click it, it should give you a Website Blocked Page. I would really love to use this but I was told it only checks at the perimeter not within the federation domain. David