ATP and scanning Links

%3CLINGO-SUB%20id%3D%22lingo-sub-238351%22%20slang%3D%22en-US%22%3EATP%20and%20scanning%20Links%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-238351%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20if%20ATP%20is%20clicking%20the%20URL%20even%20before%20it%20delivered%20to%20user's%20inbox%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eas%20per%20this%20article%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Foffice-365-atp-safe-links-dd6a1fef-ec4a-4cf4-a25a-bb591c5811e3%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Foffice-365-atp-safe-links-dd6a1fef-ec4a-4cf4-a25a-bb591c5811e3%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EATP%20checks%20for%20URL%20only%20when%20it%20was%20clicked.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Ewe%20just%20want%20to%20make%20sure%20that%20URL's%20in%20emails%20are%20not%20clicked%20even%20before%20it%20delivered%20to%20a%20mailbox.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Edoes%20EOP%20has%20that%20capability%20to%20inspect%20the%20URL%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-238351%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-239225%22%20slang%3D%22en-US%22%3ERe%3A%20ATP%20and%20scanning%20Links%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-239225%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Vinod%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EATP%20does%20not%20automatically%20opens%20the%20link%20and%20check%20for%20it.%20ATP%20checks%20every%20time%20the%20user%20clicks%20on%20the%20link.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMalicious%20links%20are%20dynamically%20blocked%20while%20good%20links%20can%20be%20accessed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERobin%20Nishad%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-238659%22%20slang%3D%22en-US%22%3ERe%3A%20ATP%20and%20scanning%20Links%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-238659%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%40Deleted%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20am%20not%20fully%20sure%20I%20follow%20your%20ask.%20Or%20at%20least%20I%20think%20I%20do%2C%20but%20with%20how%20the%20software%20works%2C%20a%20%22pre%20scan%22%20would%20not%20violate%20your%20security%2Fpropriataryness%20anymore%20than%20how%20the%20software%20works.%3CBR%20%2F%3E%3CBR%20%2F%3ELet%20me%20speak%20to%20the%20experience%20using%20ATP%20so%20you%20get%20an%20understanding%20of%20the%20software%2C%20and%20that%20may%20help%20to%20answer%20your%20question.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20you%20get%20a%20hyperlink%20that%20is%20enclosed%20in%20an%20email%20to%20a%20user%20account%20that%20has%20ATP%20running%2C%20the%20hyperlink%20still%20appears%20in%20the%20email%20itself.%20However%20if%20you%20were%20to%20hover%20over%20the%20link%2C%20you%20would%20actually%20see%20it%20re-directs%20to%20a%20protection.outlook.com%20address.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20reason%20it%20does%20not%20%22click%20a%20link%20beforehand%22%20is%20that%20it%20would%20be%20inefficient%20and%20easily%20by-passable%20as%20bad%20actors%20could%20easily%20just%20change%20a%20malicious%20link%20later%20on%20to%20bypass%20that%20system.%20Instead%2C%20anytime%20a%20user%20clicks%20on%20a%20link%20that%20has%20been%20sent%20through%20email%20that%20had%20ATP%20turns%20on%2C%20it%20instead%20re-directs%20them%20to%20a%20secure%20microsoft%20site%2C%20that%20opens%20the%20URL%20on%20the%20back%20end.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAssuming%20everything%20checks%20out%20(IE%20there%20is%20no%20malicious%20code%20there)%20it%20then%20merges%20the%20connection%20and%20you%20are%20on%20your%20way.%3CBR%20%2F%3EIf%20when%20it%20opens%20the%20link%20on%20their%20back%20end%2C%20their%20system%20detects%20malicious%20code%2Fmalware%2Fviruses%2Fetc%2C%20it%20will%20terminate%20the%20connection%2C%20and%20tell%20you%20it%20will%20no%20open%20the%20connection%20because%20of%20malicious%20code.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EMicrosoft%20does%20not%20care%20at%20all%20about%20what%20is%20in%20the%20link%2Fwhat%20it%20says%2Fetc.%20They%20only%20care%20if%20there%20is%20actively%20bad%20code%2Fattacks%20that%20come%20from%20that%20address.%20If%20the%20answer%20to%20that%20is%20no%2C%20you%20go%20on%20about%20your%20day%20like%20normal.%20If%20it%20is%20yes%2C%20it%20protects%20your%20users%2C%20and%20does%20so%20in%20real%20time%20as%20to%20always%20have%20that%20protect%2C%20not%20just%20on%20the%20initial%20scan.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20this%20helps%20to%20address%20your%20concerns%2For%20at%20least%20give%20you%20the%20information%20you%20need.%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

Does anyone know if ATP is clicking the URL even before it delivered to user's inbox?

 

as per this article https://support.office.com/en-us/article/office-365-atp-safe-links-dd6a1fef-ec4a-4cf4-a25a-bb591c581...

 

ATP checks for URL only when it was clicked. 

 

we just want to make sure that URL's in emails are not clicked even before it delivered to a mailbox.

 

does EOP has that capability to inspect the URL?

 

 

2 Replies
Highlighted

Hey @Deleted,


I am not fully sure I follow your ask. Or at least I think I do, but with how the software works, a "pre scan" would not violate your security/propriataryness anymore than how the software works.

Let me speak to the experience using ATP so you get an understanding of the software, and that may help to answer your question.

 

When you get a hyperlink that is enclosed in an email to a user account that has ATP running, the hyperlink still appears in the email itself. However if you were to hover over the link, you would actually see it re-directs to a protection.outlook.com address.

The reason it does not "click a link beforehand" is that it would be inefficient and easily by-passable as bad actors could easily just change a malicious link later on to bypass that system. Instead, anytime a user clicks on a link that has been sent through email that had ATP turns on, it instead re-directs them to a secure microsoft site, that opens the URL on the back end.

 

Assuming everything checks out (IE there is no malicious code there) it then merges the connection and you are on your way.
If when it opens the link on their back end, their system detects malicious code/malware/viruses/etc, it will terminate the connection, and tell you it will no open the connection because of malicious code.

Microsoft does not care at all about what is in the link/what it says/etc. They only care if there is actively bad code/attacks that come from that address. If the answer to that is no, you go on about your day like normal. If it is yes, it protects your users, and does so in real time as to always have that protect, not just on the initial scan.

 

Hopefully this helps to address your concerns/or at least give you the information you need.

Adam

Highlighted

Hi Vinod

 

ATP does not automatically opens the link and check for it. ATP checks every time the user clicks on the link. 

 

Malicious links are dynamically blocked while good links can be accessed.

 

Thanks

 

Robin Nishad