Office 365 Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) were designed to keep your organization protected against cyber-attacks while supporting end-user productivity. We continue to enhance both EOP and ATP by offering deeper insights and more flexible controls. This month we are introducing advanced threat reporting, new quarantine capabilities for malware emails, and additional controls to the ATP safe links feature. These features are currently being deployed and would be available for all the users by end of May.
Advanced Threat Reporting Threat Protection Status is a new advanced threat report that visibility into all malicious mails detected and blocked for your organization – both those caught by standard EOP features such as anti-malware engines and Zero-hour auto purge (ZAP), as well as those caught by the advanced protection provided by ATP Safe Attachments and Safe Links. It augments the recently introduced detailed reports in the Security And Compliance Center (SCC) reporting dashboard for ATP safe attachments. Threat Protection status report could be accessed from this link.
Figure 1. Advanced Threat Report - Threat Protection Status
The ATP safe attachment section of this report identifies all malicious emails detected by routing attachments to a hypervisor (sandbox) environment where content behavior is analyzed for malicious intent. -It provides the detailed observed behavior from the hypervisor environment, as well as details on Command aand Control (C2C) servers that content interacts with, malicious files downloaded, scripts executed, and system changes to registry or files.
Figure 2. ATP Content Behavior Analysis from Sandbox
The ATP safe links section of the report identifies mails with malicious URLs that were blocked at the time of click based on the mail’s reputation. As you may know, ATP safe links reroutes URLs at the time of click for validation of the URL reputation. This guards against exploits where attackers redirect URLs to malicious websites after mail is delivered.
Enhanced Quarantine Capabilities This month will also see significant feature enhancements to quarantine capabilities, extending support for EOP and providing new support in ATP for emails classified as malware. We are also enhancing the existing quarantine experience by allowing administrators to review and delete emails from quarantine. The new features will be enabled in SCC Quarantine interface which could be accessed from this link.
Now, all emails classified as malware from both EOP and ATP will be quarantined. In the event of a mail getting misclassified as malware and placed in quarantine, admins will have the ability to easily release the email to an end-user, thus preventing any unnecessary disruption to end user productivity. Administrators can understand the details of a mail from Quarantine by double click of a specific message and clicking on the “Preview message”.
Figure 3. Malware Quarantine
New ATP Safe Links Policy Features
The Safe Links in ATP is getting three new features that can be utilized when creating a Safe Links policy:
The ability to customize per-tenant block lists for URLs that should be blocked from reaching end-users. While ATP leverages a very large set of reputation filters, we realize that there are instances when organizations wish to designate a set of URLs to always block, which is now enabled by and this new block list feature.
Email wildcard blocking for both domains and handles to make it simpler to block a sender without the need to write in each individual email address.
Increased character limit for URLs, providing greater flexibility of configuration for both the block and allow lists.
Figure 3. Safe links Block URL List
Additionally, the Safe Links policy capabilities will now be split between options for the entire organization vs. more customized and segmented recipient lists in the organizaton such as groups, individuals, divisions, etc.
Figure 4. Safe Links Policy for Entire Organization or for Specific Recipients
We value your feedback, as it helps us continue to improve and enhance our services. Please check out these new features in EOP/ATP and let us know what you think. If you’re interested in trying ATP, reach out to your account rep, or learn more about ATP here.