Advanced threat protection for safe attachments and safe links

Exchange Online

Applies to: Exchange Online, Exchange Online Protection

Topic Last Modified: 2017-02-17

Advanced threat protection (ATP) in Exchange Online Protection (EOP) helps you prevent zero-day malware attacks in your email environment. ATP lets you create policies in the Exchange admin center (EAC) that help ensure your users open only email links and email attachments that have been identified as not malicious. If you already use EOP to help combat malware in your email messaging environment, adding ATP provides more effective protection against attacks propagated by unsafe links and unsafe attachments.

You can set up separate policies for ATP to check either links or attachments or both. Each policy can be applied to a specific set of users. Learn how to do this at Set up a safe attachments policy in ATP and Set up a safe links policy in ATP. You can also create individualized policies within the safe links and safe attachments settings so that subgroups of users can have custom protection settings.

ATP complements existing EOP anti-malware scanning. Only those attachments that successfully pass anti-malware scanning are affected by your safe attachments or safe links policies.

Email delivery - If a safe attachments policy uses a Monitor, Block, or Replace action, email with an attachment won't be delivered until the attachment can be detonated. The safe attachments feature will launch a unique hypervisor environment to open the attachment. For a safe attachments policy, the Dynamic Delivery option keeps you productive during this scan time by delivering messages with a placeholder attachment, which notifies the recipient that the real attachment is being scanned, all without any lag time. The recipient can read and respond to the message even while the attachment is being scanned. If the attachment is harmless, it's seamlessly reattached to the message so that the recipient can access it. If it's malicious, ATP filters out the attachment.

Web browsing - If a link points to a website recognized as not malicious, safe links adds very little latency to loading the target page. If the link points to a website recognized as malicious, the user is routed to a warning page and has to go through it (if clickthrough is enabled) in order to continue on to the site.

After a change is made to an ATP policy, it can take up to 30 minutes for that change to propagate to every server.

ATP is included in the E5 subscription. If you don’t have an E5 subscription, in order to begin using the safeguards provided by ATP technology along with your Exchange Online service, you need to purchase a separate subscription for ATP. You can order ATP through the Microsoft Online Subscription Program.

Safe attachments is a feature in EOP that opens every unknown attachment of a supported file type in a special hypervisor environment and helps detect malicious activity. It is designed to help detect malicious attachments even before anti-virus signatures are available. Learn how to turn on safe attachments for your users at Set up a safe attachments policy in ATP.

Safe attachments will detonate attachments that are common targets for malicious content, such as Office documents, PDFs, executable file types, and Flash files.

Safe links is a feature in EOP that helps prevent users from following links in email that point to websites recognized as malicious. Here’s how safe links identifies links in a message:

  • For messages in HTML, safe links identifies any link that uses the href attribute.

  • For messages in plain text, safe links uses custom logic to identify any text resembling a URL.
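The two identification rules above can be modelled on a message to see which links each body type contributes. This is an added example, not Microsoft's code: `identify_links`, `HrefCollector` and the `URL_LIKE` pattern are hypothetical names, and the pattern is only an assumed stand-in for the unspecified plain-text "custom logic".

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Assumption: stand-in for the unspecified plain-text "custom logic".
URL_LIKE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message (not real mail).
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Invoice: http://portal.example.com/invoice?id=7. Help: www.example.org/help
--b1
Content-Type: text/html; charset="utf-8"

<p><a href="http://portal.example.com/invoice?id=7">Invoice</a>
<a HREF='https://example.net/login'>Sign in</a></p>
--b1--
"""

class HrefCollector(HTMLParser):
    """Collects every href attribute value, whatever the tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names, so HREF= is matched too.
        self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

def identify_links(raw_message):
    """Return the links found per body type: {"html": [...], "plain": [...]}."""
    found = {"html": [], "plain": []}
    for part in message_from_string(raw_message, policy=default).walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            found["html"] += collector.hrefs
        elif part.get_content_type() == "text/plain":
            hits = URL_LIKE.findall(part.get_content())
            # Drop sentence punctuation that trails a URL in running text.
            found["plain"] += [u.rstrip(".,;:!?") for u in hits]
    return found
```
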

Safe links also includes an advanced reporting capability that allows you to determine who has followed a malicious link. This helps EOP customers apply faster remediation for issues that are detected. Learn how to turn on safe links for your users at Set up a safe links policy in ATP.

Your safe links policy can be enabled to log which recipients are following links that have been protected by safe links. If tracking URLs is also enabled, this information can be found in the Exchange admin center by choosing mail flow > URL trace. You can sort the URL trace report by date range, recipients, and specific URLs.

When a safe links policy is applied and users follow a suspect link, users are shown a webpage informing them that the link they are trying to follow is malicious. If the recipient’s safe links policy has been configured to allow the user to go through, that user is given the option to continue to the site.

You can keep track of each message and attachment that is routed to safe attachments after a policy is applied. To find out the status of such messages, go to the Exchange admin center and choose mail flow > message trace. The message trace details have information for each message and attachment. For detailed information about how to run a message trace, see Run a Message Trace and View Results.