Advanced Threat Protection Issue

Brass Contributor

We purchased over 3600 licenses for Microsoft Advanced Threat Protection with the hopes of protecting our accounts. In particular for if a malicious link were passed between our internal accounts we would be protected with Safelinks.  I worked with Microsoft support for two weeks because all testing failed to rewrite the URL.  Now I was just told by support and I Quote them saying in Ticket SRX14129695481:


The ATP Safe links is only applied for inbound traffic from external senders to internal recipients. ATP safe link will not re-write the internal emails. This is by design.



Why not have a method to protect within? It seems the perimeter is the only protection by design.

So if an account becomes compromised and becomes a source of Malware you are not protected.


  Is the Marketing people aware of this?



4 Replies

Very interesting, this feature is actually coming to ATP soon!


First I found a mention of internal safe links from Ignite last year:


"Many users have relied on the time of click protection of Safe Links to protect end users from sophisticated threats in the form of links in emails. Now Safe Links can be enabled for internal emails to protect users from malicious links being sent within the organization."


Also noted here


Internal Safe Links ATP.png


Good news, it's on the roadmap too, the release is not that far off by the looks of it!


Office 365 ATP Safe Links for Intra-Org Emails


Office 365 Advanced Threat Protection Safe Links for internal emails will enable time of click protection and functionality of Safe Links for intra-org emails. This will protect end users from malicious links in emails that are sent between users in the same organization.


Estimated Release: Q1 CY2018


Feature ID: 20552

If you have it, please do a quick and easy test.
Send a test account or Co-Worker within the same Federation a message and add a few URL's. Let us know if when the recipient gets the message, when you hover the mouse over the URL, it should show a re-written URL to safelinks. Or if a link is blocked in the configuration, if you click it, it should give you a Website Blocked Page.
I would really love to use this but I was told it only checks at the perimeter not within the federation domain.
FYI Update:
I was told by Support that the Safe Links feature will be available Q1 2018 for Internal to internal accounts. referencing the Roadmap in the Link at the end.

Support sent me this info:
We have checked with our advisors again and confirmed that Safe Links does not work internally. As discussed earlier, I have searched and found below article which states that Office 365 ATP Safe Links for Intra-Org Emails is in development.
• Office 365 Roadmap

Here is further confirmation, which answers your question I believe, from the Set up Office 365 ATP Safe Links policies article:


"Beginning in March 2018, ATP Safe Links protection is being extended to apply to email sent between people in an organization."