Microsoft 365 Advanced Threat Protection (ATP) is an important layer of protection for email. It works as a sort of safety layer for those harmful elements that manage to trickle through the Exchange Online Protection (EOP) layer. Hence, a proper understanding of the various options of O365 ATP is crucial.


Microsoft 365 ATP Plan 1 and Microsoft 365 ATP Plan 2 are the standalone licenses you can purchase.

Apart from these, the Microsoft 365 E3, Microsoft 365 E5, and Microsoft 365 Business Premium licenses also offer ATP. Do note that every mailbox you wish to protect using ATP will require one license with that feature. A comparison of the different options can be found here.

Roles to manage ATP

You should have one of the following roles in the tenant to create and modify ATP policies:

  • Global Administrator
  • Security Administrator
  • Exchange Online Organization Management

ATP Safe Links

Safe Links shields your tenant from malicious URLs in emails and Office documents. If you want the URLs in emails to be scanned, and if you wish to analyze the malicious URLs that were delivered and clicked on, then Safe Links will have you covered.

Safe Links options

All the emails received by users are scanned by Exchange Online Protection (EOP) in Microsoft 365. Depending on the policy you configure, ATP will come into the picture in one of two ways:

  1. ATP launches the URL in a sandbox environment, scans it, and then delivers it to the user if it's safe.
  2. The email is delivered to the user. Then, when the user clicks the URL in the email, ATP starts scanning it to decide whether it's malicious. This approach is also called "real-time scanning." We will cover the policies in the next section.

Configuring Safe Links policies

There are two sections in the Safe Links policies. The first section is the default policy, which applies to everyone. It can be a bit confusing, since you would see the default policy and then another section where you can configure policies for specific users.

Default policy

The default policy allows you to add the URLs that you want to block for your tenant. You can expect this section to be filled over a period of time as you keep noticing and adding suspicious URLs to the tenant.

The next section in the default policy is Settings that apply to content except email.

Safe Links default policy

Microsoft 365 application: Select this option to ensure that all the URLs in Microsoft 365 apps, such as Word and Excel, will be scanned.

Do not track when users click safe links: If selected, the URL trace report will not display the status of the links that users click. My recommendation is to keep this option unchecked.

Do not let users click through safe links to original URL: Select this option to ensure that users cannot proceed from the warning page to a malicious link. Ideally, this should be selected; however, it may lead to complaints from users.

Policies for specific recipients

There are more settings for email that can be configured via this section.

Safe Links policies that apply to specific users

Select the action for unknown potentially malicious URLs in messages: Microsoft has a list of malicious links accumulated using machine learning algorithms from all the tenants in Microsoft 365. The On option should be selected. This ensures that your environment is protected against all these known URLs.

Select the action for unknown potentially malicious URLs within Microsoft Teams: Enabling this extends ATP protection to Microsoft Teams as well. Again, the URLs are compared against the list of malicious URLs that Microsoft has compiled from all tenants in Office 365.

Apply real-time URL scanning for suspicious links and links that point to files: I strongly recommend selecting this option. It ensures that the URLs are detonated in a sandbox environment to be analyzed.

Wait for URL scanning to complete before delivering the message: If selected, emails are delivered after the URLs in them are scanned. This may sometimes lead to slight delays in email delivery; hence, it's recommended to keep this one unchecked.

Apply safe links to email messages sent within the organization: Safeguard your users from malicious links included in emails exchanged among internal users. I recommend you select this option.

Do not track when users click safe links: You should keep this option unchecked so that you can track the malicious URLs clicked by users.

Do not let users click through safe links to original URL: When users click malicious links, they are presented with a warning and are given the option to access the site or to avoid it. If you wish to adopt an aggressive approach, this setting needs to be checked.

Do not rewrite the following URLs: There may be some URLs that you want to allow in your tenant; add these URLs to this section.
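
The recipient-specific settings above can also be applied from Exchange Online PowerShell. The script below is an added example, not part of the original article; it uses the parameter names of the current ExchangeOnlineManagement module, and the policy name, group address, and URL entry are placeholders.

```powershell
# Added example: recipient-specific Safe Links policy with the settings
# recommended above, followed by a drift check against those settings.
#Requires -Modules ExchangeOnlineManagement
Connect-ExchangeOnline    # sign in with one of the roles listed under "Roles to manage ATP"

$name    = 'SafeLinks-Finance'      # placeholder policy name
$desired = @{
    EnableSafeLinksForEmail  = $true    # action for unknown URLs in messages: On
    EnableSafeLinksForTeams  = $true    # same check for links in Microsoft Teams
    ScanUrls                 = $true    # real-time scanning of suspicious links
    DeliverMessageAfterScan  = $false   # "Wait for URL scanning to complete" unchecked
    EnableForInternalSenders = $true    # cover mail sent within the organization
    TrackClicks              = $true    # "Do not track when users click" unchecked
    AllowClickThrough        = $false   # "Do not let users click through" checked
}

# Create the policy and its recipient rule only if the policy does not exist yet.
if (-not (Get-SafeLinksPolicy -Identity $name -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $name @desired -DoNotRewriteUrls 'intranet.example.com/*'
    New-SafeLinksRule -Name $name -SafeLinksPolicy $name -SentToMemberOf 'finance@example.com'
}

# Report every setting that no longer matches the intended value.
$actual = Get-SafeLinksPolicy -Identity $name
foreach ($setting in $desired.Keys) {
    if ($actual.$setting -ne $desired[$setting]) {
        Write-Warning "$name drift: $setting is '$($actual.$setting)', expected '$($desired[$setting])'"
    }
}
```

Running the script again later repeats only the drift check, which makes it usable as a periodic configuration review.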

ATP safe attachments

Emails may contain suspicious or malicious attachments. Exchange Online Protection scans all the attachments in emails; however, it is critical to have ATP Safe Attachments as another layer of safety.

Configure Safe Attachments policies

You can choose to edit the default policy or create a new policy.

New Safe Attachments Policy

Safe Attachments unknown malware response

There are multiple options to choose from, as follows:

Off: ATP Safe Attachments is switched off.

Monitor: I have effectively used this to analyze the impact of enabling safe attachments. Enabling it ensures that none of the emails are blocked or modified in the production environment; instead, they are merely recorded as either safe or malicious. You can always view the reports (discussed below) to decide whether enabling this will cause any major disruption. This approach is especially useful when you just want to see how ATP will behave in your organization. It is similar to the -WhatIf parameter used in PowerShell.

Block: This is an aggressive approach and should be used only if you are confident that all valid users have been allowed in the tenant. Those emails with attachments that are deemed malicious are stopped from being delivered to users. These emails are quarantined in Microsoft 365 and can be released by an admin. Note that the email's sender is blocked on the tenant.

Replace: This approach may fall in the category of being simultaneously cautious and effective. An attachment, if considered malicious, would be removed from the email, and the email would be delivered without it. Users would be notified of this.

Dynamic Delivery: Using ATP Safe Attachments may delay email delivery depending on the policy configured. The dynamic delivery option is a good way to overcome that problem. Emails are delivered to the users; however, a placeholder takes the place of the attachment until it is scanned. The attachment is made available once the scanning is completed in ATP. Malicious attachments are quarantined in Microsoft 365 to be analyzed and, if required, released by admins.

Send the blocked, monitored, or replaced attachment to an email address: All the attachments that have been blocked or replaced can be redirected to a specific mailbox to be analyzed by an admin. You can enter that address here if necessary.

Applied To: Set this option to restrict the scope of ATP to a specific set of users.
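
A staged rollout of the options above, starting in Monitor and moving to Dynamic Delivery once the reports look clean, can be scripted as follows. This is an added example, not part of the original article; the policy name, pilot group, and review mailbox are placeholders, and dropping the redirect when leaving Monitor is a choice made for this example.

```powershell
# Added example: Safe Attachments pilot that starts in Monitor mode.
#Requires -Modules ExchangeOnlineManagement
Connect-ExchangeOnline

$name = 'SafeAttach-Pilot'          # placeholder policy name

# Stage 1: Monitor. The portal's "Monitor" option is the value Allow of -Action:
# messages are delivered unchanged and the scan verdict is only recorded.
# Copies of flagged attachments go to a review mailbox.
New-SafeAttachmentPolicy -Name $name -Enable $true -Action Allow `
    -Redirect $true -RedirectAddress 'atp-review@example.com'

# "Applied To": limit the pilot to one group.
New-SafeAttachmentRule -Name $name -SafeAttachmentPolicy $name `
    -SentToMemberOf 'atp-pilot@example.com'

# Stage 2: run this after the ATP reports show that Monitor causes no
# disruption. Mail is delivered at once with a placeholder attachment
# until scanning finishes.
function Enable-PilotDynamicDelivery {
    Set-SafeAttachmentPolicy -Identity $name -Action DynamicDelivery -Redirect $false
    Get-SafeAttachmentPolicy -Identity $name |
        Select-Object Name, Enable, Action, Redirect, RedirectAddress
}
```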

ATP anti-phishing

ATP anti-phishing complements Exchange Online Protection in Microsoft 365. ATP uses advanced techniques to further harden your environment's safety. While ATP Safe Links and Safe Attachments provide your users with protection against malicious content sent in the guise of links and attachments, these features don't address the risks of spoofing and impersonation. This is where ATP anti-phishing comes in handy.

How to configure anti-phishing

Again, you would have a default policy; however, you can edit it or create a new one.

The first task is to create a policy and add the users for whom it will be effective.

Create a new ATP anti phishing policy

Once the policy is created, you can edit it.


Impersonation is a major cause of financial loss and several other problems. Here, the attacker will attempt to hoodwink you into believing that they are someone specific and may try to extract information from you for ulterior motives. The advanced settings in ATP ensure that such attempts are thwarted.

Add users to protect: All users who are important and whose accounts you believe may be impersonated must be added here.

Add domains to protect: You can also choose specific domains to protect by adding them here. 

Actions: Here, you will decide the action ATP must take upon finding an impersonated email.

Impersonation Policy Actions Menu

Safety Tips: Enable this option to display warning messages on potentially impersonated emails. This link sheds more light on this topic and its three types.

Mailbox Intelligence: AI is used to find patterns of user communication with contacts. It will flag any senders trying to spoof any of the frequent contacts.

Mailbox intelligence-based impersonation protection: As per Microsoft, this option uses better techniques than Exchange Online Protection (EOP) to reduce false positives when detecting impersonation. There are various actions it may take upon detecting an impersonated email.

Trusted senders and domains: Add senders and domains that can bypass all the policies.


If the sender's 'From' address is different when compared with the domain of the email source, the email is considered a spoof.

Spoof Intelligence: There may be external senders or domains that need to spoof your domain for legitimate reasons. You can enable this setting in ATP; however, there are other settings that can be enabled via the anti-spam settings. We will not delve deeper into this, since it is out of the scope of this article. See this link to learn more about it.

Unauthenticated Sender: If a sender fails any of the security mechanisms, such as SPF or DKIM, a question mark symbol is displayed beside their name in Outlook; hence, if the policy allows email from this sender to be delivered to users, the users would still be cautious about the email due to the unauthenticated sender feature.

Actions: Select the action to be taken with spoofed email.

Spoof policy Actions menu

Advanced settings

Here, you can control the behavior of ATP anti-phishing. There are four levels of response, namely, standard, aggressive, very aggressive, and most aggressive.

Advanced phishing thresholds

The recommended level is standard. Using higher levels is necessary only when the tenant is under constant security threat or when you are OK with higher levels of false positives.
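
The impersonation, spoof, and threshold settings described above map to a single anti-phishing policy in Exchange Online PowerShell. The script below is an added example, not part of the original article; the names, addresses, and the chosen actions (Quarantine, move to Junk Email) are assumptions for illustration.

```powershell
# Added example: ATP anti-phishing policy covering impersonation, spoof and
# the phishing threshold. All names and addresses are placeholders.
#Requires -Modules ExchangeOnlineManagement
Connect-ExchangeOnline

$name     = 'AntiPhish-Executives'  # placeholder policy name
$settings = @{
    # Impersonation: users and domains to protect, and what to do on a match
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@example.com')  # "DisplayName;address"
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('example.com')
    TargetedDomainProtectionAction      = 'Quarantine'
    # The three safety tips
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Mailbox intelligence and its impersonation protection
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'   # Junk Email folder
    # Spoof: spoof intelligence, the "?" marker, and the action for spoofed mail
    EnableSpoofIntelligence             = $true
    EnableUnauthenticatedSender         = $true
    AuthenticationFailAction            = 'MoveToJmf'
    # Advanced settings: 1 = standard, 4 = most aggressive
    PhishThresholdLevel                 = 1
}

New-AntiPhishPolicy -Name $name @settings
New-AntiPhishRule -Name $name -AntiPhishPolicy $name -SentToMemberOf 'executives@example.com'

# Read the policy back to confirm what the service stored.
Get-AntiPhishPolicy -Identity $name |
    Format-List Name, PhishThresholdLevel, EnableTargetedUserProtection,
                TargetedUsersToProtect, TargetedDomainsToProtect,
                EnableSpoofIntelligence, EnableUnauthenticatedSender
```

Trusted senders and domains correspond to the ExcludedSenders and ExcludedDomains parameters; they are left empty here because every entry bypasses impersonation checks.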

ATP reports

As an administrator, you should check all the reports regularly after ATP is deployed. This will help to understand the trends so you can take the appropriate action. Reports can be accessed in the Security & Compliance portal. You can view various reports in the Dashboard section.

ATP Reports Dashboard

Several reports are described below.

ATP file types report

This shows the different types of files that ATP was able to detect as harmful or suspicious.

ATP file types report

You can also click View details table to view the same data in tabular format. These reports can be exported to Excel for further analysis.

ATP message disposition report

Check this report to see which actions ATP took on the emails that were deemed malicious. The tabular view is available and can be exported to Excel.

ATP message disposition report

URL threat protection report

This report displays the email addresses of users who received malicious URLs. It will also indicate whether the users clicked to access the site, depending on your ATP policies.


The importance of security is never going to diminish; hence, it's critical for you as administrators to keep abreast of the mechanisms that safeguard your environment. New threats emerge every day; as a result, Microsoft regularly improves the features in Microsoft 365 ATP. I recommend you follow the Microsoft 365 roadmap.

1 Comment
  1. Kevin Taber 3 years ago

    Business Premium has Defender, but not the fancier Defender ATP version.

