Office ATP Safe Documents.
February 24, 2020.
This is a new feature in Office 365 Advanced Threat Protection Plan 2 in addition to Safe Attachments.
Safe Documents at the time of writing is only available in US based Office 365 tenants and only used by Office 365 ProPlus 2002 Monthly Channel (Targeted) builds (build 12527.20092) and later.
When a user receives an Office document from an external source the document is marked as such and can only be opened in “protected mode”.
This stops editing and printing, but also (more importantly) stops macros and the like from running.
This loss of editing and printing is often enough for the user to simply take the document out of protected mode, and that is how the impact reaches your network.
When the document is emailed to the user, Office 365 ATP Safe Attachments (a Plan 1 feature) will process the document.
But if the document is obtained another way, such as via a download link or copied onto a local file share, while still being an externally sourced document, then the Safe Attachments protection over email no longer applies.
This is where this new feature of Safe Documents comes into play.
The entire document is uploaded to Microsoft’s datacentre and processed as if it were an attachment in email being processed via Safe Attachments.
An EU/UK datacentre version of this feature will come in due course.
What now happens is that the document is scanned in the cloud for “maliciousness” and the user is allowed to open the file and turn off “protected mode” only if the document is considered safe.
If the document is considered malicious then the user is not allowed to take the document out of “protected mode”.
This functionality was announced at Microsoft Ignite in November 2019 and is now in early preview at the time of writing this article.
Future updates to this functionality will include the ability to open “protected mode” documents in a virtual machine automatically so that if the document does go rogue then closing the document results in closing the virtual machine and the removal of the impact, as all the changes were confined to the virtual machine.
This feature is due Summer 2020 and is known as Application Guard for Office ProPlus.
Application Guard will be included in subscriptions that include Windows 10 E5 (Windows 10 + Microsoft Defender Advanced Threat Protection).
More info: https://techcommunity.microsoft.com/t5/office-365-blog/new-functionality-to-make-it-easier-to-customize-manage-and/ba-p/1003047 and https://www.microsoft.com/security/blog/2020/02/12/building-on-secure-productivity/ and the documentation at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-docs
MFA and End User Impacts.
August 14, 2019.
This article will look at the various different MFA settings found in Azure AD (which controls MFA for Office 365 and other SaaS services) and how those decisions impact users.
There is a lot on the internet on enabling MFA, and a lot on what that looks like for the user – but nothing I could see that directly laid out all the options and the impact of each option.
The options that the admin can set that I will cover in this article are:
Default settings for the MFA registration service.
The enhanced registration service (now deprecated).
The refreshed enhanced registration service (MFA and Self-Service Password Reset registration combined).
The general impact to the user is that the user needs to provide a second factor to login.
In this article I will not detail the registration for each of the second factors, and will only cover the general process of registration – your exact experience on registration will depend upon which second factors (app notifications, app code, phone call and text message) you choose to implement.
This article will look mainly at the difference between having no MFA and what happens from the user’s perspective as the admin turns on a requirement to have MFA.
The various options that the admin can use to enable MFA are as follows:
Office 365 MFA (aka the legacy method) that is available to all users with or without a licence.
Azure AD Conditional Access and setting a rule that requires MFA (when the user is not registered).
Azure AD Premium 2 licence and MFA Registration (register without requiring MFA to be enabled).
Azure AD Free fixed Conditional Access rules (MFA for all users) which is in preview at the time of writing (Aug 2019).
Terminology and Settings.
This article refers back to a series of different settings in each of the following sections.
To avoid the article repeating itself, this section outlines each of the general settings, what I mean by the description I use, and where I turn that setting on or off.
Office 365 MFA – This is the legacy MFA options set via https://admin.microsoft.com > User Management > Multi-Factor Authentication.
This user experience turns on or off MFA for users regardless of app or location (unlike Conditional Access) and has settings for the different second factor methods (for example you can disable SMS from here).
Conditional Access Based MFA – This is where you set rules for accessing cloud apps based on the user, the location (IP), the risk (P2 licence required), the device (domain joined or compliant), the device risk (MDATP licence required), compliance (Intune required) etc.
If your rule requires MFA and the logging-in user meets the conditions of this rule (and is not otherwise blocked) then this is what I call Conditional Access Based MFA.
This is set in https://portal.azure.com > Azure Active Directory > Enterprise Applications > Conditional Access.
Azure AD Premium 2 MFA Registration – This is where you can get users to register before you turn on MFA via either of the above routes.
Without the P2 licence you turn on MFA and at the next login the user needs to register.
With P2 you can turn on registration at login without forcing MFA; you would then enable MFA later.
You can also have registration at next login (and let the user defer it by 14 days) so that the user registers even if they never hit an endpoint on which they need to do MFA.
For example, MFA when external, where the user never works remotely: they will never have to do MFA and therefore never be required to register – with the P2 licence you can get them to register independently of the requirement to do MFA.
You access these settings via https://portal.azure.com > Azure AD Identity Protection > MFA Registration.
Self Service Password Reset Registration – This is shown if the user is in scope for SSPR and SSPR is enabled.
This is not MFA registration – but if the user is in scope they will be asked to register for this as well.
This therefore can result in two registrations at next login – one for SSPR and one for MFA.
We will show this below, but it is best if you move to the combined MFA/SSPR registration wizard mentioned below.
Enhanced Registration (Deprecated) – This was the new registration wizard in 2018 and has been replaced by the next option.
If you still have users on this option you will see it, otherwise the option to enable this older wizard is now removed.
This is accessed via https://portal.azure.com > Azure AD > User Settings > Manage user features preview.
Combined MFA and SSPR Registration – This is the current recommended MFA registration process and it includes self-service password reset registration as well.
You should aim to move your settings to this.
All the new MFA reporting and insights are based on this process.
This is accessed via https://portal.azure.com > Azure AD > User Settings > Manage user features preview.
Note that if you still have users on the previous “Enhanced Registration” shown above then this one is listed as “enhanced”.
If not – if only one slider is shown – it is the new registration process.
You can enable this for a group of users (for pilot) or all users.
Office 365 MFA + Original Registration.
This is not recommended to be used any more – use the Azure AD Free Conditional Access rules for all users or all admins instead.
But for completeness, to show all the options: you select a user (or users) in the Office 365 MFA page and click Enable.
In the screenshot below we can see that Cameron White is enabled for MFA.
This means that it has been turned on for him, but he has not yet gone through the registration wizard.
The video below shows the first-run experience of this user – they log in and are prompted to register for MFA.
They register using the legacy experience and are then granted access to the application.
VIDEO: OFFICE 365 MFA + LEGACY REGISTRATION
Office 365 MFA + Enhanced Registration.
For this scenario I have a user called Brian Johnson.
He has been enabled for MFA as above (Office 365 method) but additionally has been added to a group that is configured to support the new MFA+SSPR combined registration process.
Brian is not enabled for SSPR.
The video shows the user experience.
Note that the user needs a valid licence to be able to use this experience.
If they do not have any licences they will get the old experience.
VIDEO: OFFICE 365 MFA + ENHANCED REGISTRATION
Conditional Access MFA.
The following video looks at the experience of two users who are enforced for MFA via Conditional Access.
The login will trigger the registration for MFA as neither user is already registered.
The first user (Christie) gets the old registration wizard and the second (Debra) gets the new registration wizard.
The Conditional Access settings are basic – MFA in all circumstances for our two users.
VIDEO: CONDITIONAL ACCESS WITH OLD AND NEW REGISTRATION
Impact of SSPR on MFA Registration and User Sign-In.
When users are set up to register their password reset security methods and MFA, but using the old registration wizard, the user needs to do two sets of registration.
Again, it is recommended that the combined registration process is used instead of this process.
For this demonstration, we are enabling SSPR for our test users, one with the old registration wizard and one with the new one.
VIDEO: SSPR WITH AND WITHOUT COMBINED REGISTRATION
Adding SSPR To Already Registered Users.
Once a user has registered for MFA (old or new registration) there might come a time when you enable SSPR for them after that (and not at the time of original registration).
In this scenario the users who registered with the old registration wizard are asked to register for SSPR, but for users who went through the new wizard – though they did not specifically register for SSPR – there are enough details already available for them to use the service (as long as app notifications and codes are enabled for SSPR).
If SSPR is left on the default of SMS and Email, then the new registration wizard does not have your alternative email and so SSPR is unavailable to you.
The user process and flow is shown in the next video.
VIDEO: ENABLE SSPR AFTER REGISTRATION
Azure AD Identity Protection and MFA Registration.
The Azure AD Premium 2 licensed feature called Identity Protection contains the ability to request that the user registers for MFA (and SSPR if via the new combined registration wizard) even if the user is not required to perform MFA for login – all our previous registrations only required registration because the user needed to do MFA.
You can ask users to pre-register via https://aka.ms/mfasetup but Identity Protection adds this functionality with a 14 day option to defer.
The video shows the settings and the user experience.
VIDEO: AZURE AD IDENTITY PROTECTION WITH AND WITHOUT NEW REGISTRATION
Azure AD Free Conditional Access for All Users.
Early Q2 2019 Microsoft rolled out new baseline policies for Azure AD Conditional Access.
These are available even without the Azure AD P1 licence needed for Conditional Access – but as they are licence-free they are heavily restricted: they apply to all users and require MFA if the sign-in is risky.
So though they do not require MFA on all logins (unlike the O365 MFA legacy settings) they do require registration.
But they offer a 14 day deferral process if the user is not ready to register.
But unlike Azure AD Identity Protection mentioned above, you cannot do this for some users – it is enabled for all users upon enabling the rule.
Let’s see the settings and the user experience in the video.
The video will also enable the “all admins” baseline policy, as that should always be turned on.
VIDEO: BASELINE POLICY FOR ALL USERS WITH REGISTRATION
Office 365 Advanced Threat Protection Attachment Preview.
November 7, 2017.
It is now possible to preview attachments that Advanced Threat Protection (ATP) is currently in the process of checking.
This was enabled on my tenant recently and so will come to all tenants soon.
It was mentioned at Microsoft Ignite 2017.
It looks like this: you get the email with the standard ATP attachment saying your email is being scanned.
For this you need to have Dynamic Delivery enabled for ATP, which means you need your mailbox in Office 365.
If you are on-premises or not using dynamic delivery then there is no preview function, as you do not know that the email is on its way to you in order to preview it.
Open the email whilst it is still an ATP Preview alert, and be quick about it, as ATP’s attachment scanning 99th percentile is under 3 minutes and the average scanning time for an ATP attachment is 1 minute.
Inside the email you will see a preview link; click it and the attachment opens in your browser, rendered by Office Online viewers (which do more than just Office documents).
Unexpected Security and Compliance Center Changes.
September 16, 2017.
In the last few days the layout of the Security and Compliance Center with regard to the Threat Management section appears to have changed.
In the middle of the week just gone, and for a long while previously, you could access Mail Filtering, Anti-malware, and DKIM from Security and Compliance > Threat Management and see these items as entries on a menu (for example, Advanced Threats; for example, Mail Filtering).
But in the last two days a change to the Threat Management menus has rolled out across a number of tenants without any notice.
Now all you see is Review and Policy.
The picture below shows the Review area; the Policy area contains the previous menu items such as anti-malware, ATP Safe Links etc.
Depending upon your licences, this will appear different.
For example, the below is what an EOP-only tenant would see from today.
How To Run an Advanced Threat Protection Proof of Concept.
August 14, 2017.
I put the following post together as I was asked this question by Microsoft themselves.
This post covers what you need to put in place, and how you can test some of it (as testing the blocking of malware involves sending malware first!).
First, let’s take a look at the Advanced Threat Protection steps for a proof of concept (PoC), and then later we will look at the new Office Smart Links feature.
You need to put the following in place: Exchange Online Protection managed tenant.
That is MX to EOP is required for simple PoC.
Hybrid with MX on-premises and then mail flow to cloud is possible for an advanced PoC, but here it depends upon what the customer has in-front of on-premises.
If this is the case, then a simple PoC with a new email namespace and MX to EOP is recommended before transitioning to protecting their actual mailbox.
Create ATP rules in wizard in Exchange Control Panel for both Safe Attachments and Safe Links.
PowerShell is pointless for this, as there is not a lot to do, and there are more steps if you do it via PowerShell.
Enable ATP for a selected mailbox(es) and not an entire domain.
Mailboxes can be cloud or on-premises.
Enable Smart Links for same mailboxes.
Mailboxes can be cloud or on-premises.
Do not enable Smart Links for Office documents (as this is a global setting) (see later).
Check if org has rules to block .exe attachments.
If they do then .exe files will be blocked by this rule and not processed by ATP.
I have sent the .NET Framework installer .exe in email before to test this.
But at any given day or time the rules could change as to what is blocked or not.
I used to have a “fake macro virus” document (see below), but OneDrive’s built in AV started detecting it and now I do not have the file anymore.
The doc I used to test with had an autorun macro that set a regkey that included the words “I download stuff and drop files” or something like that.
It might be possible to create your own document, but watch out for AV software and the like blocking it and/or deleting it, or it being filtered out before it arrives at the target mailbox.
I did say above that this PoC is quite hard to do when trying to send malware for detection!
For SafeLinks, send an email from external that contains a URL with www.spamlink.contoso.com in it.
The link will be rewritten.
Some common links are never rewritten (I think www.google.com falls into this category) and you can whitelist URLs as well company wide.
So if you whitelist a URL, send an email from the internet containing that link.
That is a useful addition to the PoC as well.
ATP now quarantines (or at least its coming soon) the failed attachments, so include that on a demo.
I have found that forwarding failed attachments to another mailbox (like a shared mailbox) is a bit temperamental – it hasn’t worked for at least a year in one of my tenants but does in another tenant.
If users are on-premises (EOP before an on-premises mailbox) then do not enable dynamic delivery.
If PoC mailboxes are both on-premises and cloud then create two ATP rule sets, one rule for each type of mailbox, and enable dynamic delivery for cloud mailboxes only.
Dynamic delivery sends the message without attachment to the cloud mailbox and later writes the attachment into the message body.
This works in the cloud as Microsoft manage ATP and Mailbox.
It cannot work on-premises as Office 365 cannot write the modified message into Exchange Server at a later time.
Dynamic delivery delivers the body but not the attachment instantly.
The attachment, if safe, follows later (7 or so minutes, I tend to find).
I understand an option to view the content of the attachment in a web browser (but not the attachment itself) is coming, but I have not seen that yet – I suspect the link to this will be inside the “pending attachment notification” in the dynamic email, but am guessing at this.
Do not dynamic deliver to on-premises mailboxes.
Demo that internal emails do not SafeLink rewrite and attachments are not processed.
That is, send an email between two internal mailboxes and show that it is not processed.
In hybrid mode, if the connectors to the cloud are set up correctly then internal email from on-premises to cloud should not rewrite links.
External emails are marked as such when they arrive on the first Exchange Server, and so an external email to on-premises and then via the hybrid connectors to Exchange Online should be processed, as Exchange Online knows it is external!
Attachments are always scanned when sent between senders, even in hybrid mode (on-premises to cloud) or between two mailboxes in the cloud.
Enable ATP for direct attachment links (i.e. a link directly to an exe, pdf etc.).
Then email and click that link.
ATP with a yellow background will pop up saying the file needs to be scanned.
After a while (7 minutes or so) click the link again and you will get to the file directly.
Safelink URLs are geo based.
So EMEA tenant (or UK tenant) will get emea01.safelinks.protection.outlook.com rewritten URLs.
UK tenants have EOP in EMEA, so the links for UK tenants are the same as EMEA tenants (at this time, not sure if this is changing).
Send emails that are both HTML based and Text based, and use the range of clients that the end customer users to see experiences.
Rewriting text formatted emails appears different than html formatted emails.
SafeLinks for Office.
Once you (or the client) are happy, enable the SafeLinks for Office option.
This is a global setting.
Though this only works if you have Office Click-to-Run June 2017 Current Branch and later in use.
For this, create a new document that was never emailed.
On a Win10 AAD-joined machine, save the file anywhere, or just create a new Word doc and do not save it.
On a Win10 machine that is not AAD joined, or on a legacy Windows client, save the file to OneDrive for Business sync folders or SharePoint sync folders.
It needs to be saved to these folders for Office to know that it is a cloud document.
Get a demo machine that syncs to multiple tenants and later save a copy of the file to the OneDrive sync folders for the unprotected tenant.
In this scenario you will see a protected document become unprotected (or vice versa) as you change the folder where it is saved.
Once you have the file start creating content in it (typing “=Rand(20)” without quotes is a good way to do this in Word) and then start adding some links to the document.
Use the above mentioned test link as well.
Click each link.
If it is safe, then the webpage will open.
If it is not, then the alert page will open, or a dialog will pop up saying it’s not safe (I have seen both behaviours).
Note that links are not rewritten (unlike in the email client, where you cannot be sure what client is in use, so the link needs rewriting).
In Office documents the link is checked at time of click, and only if the document is saved to a cloud location (sync folders included).
Advanced Threat Protection via PowerShell.
June 1, 2015.
I discussed the newly released Advanced Threat Protection product in Office 365 on my blog, and in this article I want to outline the cmdlets that can be used to set this product up from Remote PowerShell to Office 365.
To connect to Office 365 via PowerShell take a search on your favourite search engine – there are lots and lots of articles on doing this.
Once you have a connection to Exchange Online and you have purchased the Exchange Online Advanced Threat Protection product, you can use PowerShell to do your administration and report gathering.
The cmdlets you can use for Safe Links are:
Disable-SafeLinksRule
Enable-SafeLinksRule
Get-SafeLinksPolicy
Get-SafeLinksRule
New-SafeLinksPolicy
New-SafeLinksRule
Remove-SafeLinksPolicy
Remove-SafeLinksRule
Set-SafeLinksPolicy
Set-SafeLinksRule
And the cmdlets you can use for Safe Attachments are:
Disable-SafeAttachmentRule
Enable-SafeAttachmentRule
Get-SafeAttachmentPolicy
Get-SafeAttachmentRule
New-SafeAttachmentPolicy
New-SafeAttachmentRule
Remove-SafeAttachmentPolicy
Remove-SafeAttachmentRule
Set-SafeAttachmentPolicy
Set-SafeAttachmentRule
And for reporting, you can run Get-AdvancedThreatProtectionTrafficReport to report on the number of attachments blocked and the type of notification sent when looking at Safe Attachments.
Get-UrlTrace does the same report for Safe Links.
The *-SafeLinksPolicy and *-SafeAttachmentPolicy cmdlets control the policy.
Every rule needs to be associated with a policy, and so a policy needs creating first:
New-SafeLinksPolicy "Protect C7 Solutions Users"
This will create a Safe Links policy with the default settings, which means no URL tracking, no click-through, and the policy is not enabled.
A better start might be:
New-SafeLinksPolicy "Protect C7 Solutions Users" -TrackClicks $true -IsEnabled $true -AllowClickThrough $false
Once a policy is created, a rule can be added to that policy.
The *-SafeLinksRule and *-SafeAttachmentRule cmdlets control this in the shell.
You can only have one rule per policy.
An example cmdlet to create a rule would be:
New-SafeLinksRule "Protect C7 Solutions Users" -SafeLinksPolicy "Protect C7 Solutions Users" -RecipientDomainIs "c7solutions.com" -Enabled $true
Note that the -SafeLinksPolicy value matches the name of the previously created policy when making the rule.
To create a Safe Attachment policy and rule that protect all users by blocking malicious attachments and sending a report to an external mailbox you could use:
New-SafeAttachmentPolicy "Protect C7 Solutions Users" -Enable $true -Redirect $true -RedirectAddress [email protected] -Action Block
New-SafeAttachmentRule "Protect C7 Solutions Users" -RecipientDomainIs "c7solutions.com" -SafeAttachmentPolicy "Protect C7 Solutions Users" -Enabled $true
The other cmdlets are self-explanatory with regard to Enable-, Disable-, Set- and Remove-.
The advantage of using PowerShell to administer Safe Links and Safe Attachments is you can set up a policy in a lab and then copy it to a production environment or enable the same policy on many different tenants if you are a Microsoft Partner with customers interested in this advanced protection of their mailbox.
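As an added example (not from the original post, and not the PoC post's own setup), here is a re-runnable PowerShell deployment that covers both the lab-to-production copying mentioned above and the two-rule-set arrangement from the PoC post (dynamic delivery for cloud mailboxes only, block with no dynamic delivery for on-premises mailboxes). It assumes an Exchange Online remote PowerShell session is already open and the tenant holds the ATP subscription; the policy names, mailbox addresses and redirect address are constructed placeholders.

```powershell
# Added example, not the post's own code. Creates each policy and its single rule
# only if they do not already exist, so the same script can be run in a lab, in
# production, or across several tenants without erroring on the second run.

function Ensure-SafeAttachmentProtection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Block', 'Replace', 'DynamicDelivery')][string]$Action,
        [string[]]$SentTo,              # individual PoC mailboxes
        [string[]]$RecipientDomainIs,   # or whole recipient domains
        [string]$RedirectAddress        # review mailbox for blocked messages (handle with care)
    )
    if (-not (Get-SafeAttachmentPolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        $policyParams = @{
            Name          = $Name
            Enable        = $true
            Action        = $Action
            ActionOnError = $true      # treat a scan timeout like a malicious result
        }
        if ($RedirectAddress) {
            $policyParams.Redirect        = $true
            $policyParams.RedirectAddress = $RedirectAddress
        }
        New-SafeAttachmentPolicy @policyParams | Out-Null
    }
    # One rule per policy; the rule decides which recipients the policy covers.
    if (-not (Get-SafeAttachmentRule -Identity $Name -ErrorAction SilentlyContinue)) {
        $ruleParams = @{ Name = $Name; SafeAttachmentPolicy = $Name; Enabled = $true }
        if ($SentTo)            { $ruleParams.SentTo            = $SentTo }
        if ($RecipientDomainIs) { $ruleParams.RecipientDomainIs = $RecipientDomainIs }
        New-SafeAttachmentRule @ruleParams | Out-Null
    }
}

function Ensure-SafeLinksProtection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$RecipientDomainIs
    )
    if (-not (Get-SafeLinksPolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        # Same starting settings the post recommends: enabled, clicks tracked, no click-through.
        New-SafeLinksPolicy -Name $Name -IsEnabled $true -TrackClicks $true `
            -AllowClickThrough $false | Out-Null
    }
    if (-not (Get-SafeLinksRule -Identity $Name -ErrorAction SilentlyContinue)) {
        New-SafeLinksRule -Name $Name -SafeLinksPolicy $Name `
            -RecipientDomainIs $RecipientDomainIs -Enabled $true | Out-Null
    }
}

# Constructed placeholder values: replace with the tenant's real domain and mailboxes.
$domain        = 'contoso.example'
$cloudUsers    = @("brian@$domain", "debra@$domain")     # mailboxes hosted in Exchange Online
$onPremUsers   = @("cameron@$domain")                     # mailboxes still on-premises (hybrid)
$reviewMailbox = "atp-reports@$domain"

# Cloud mailboxes: dynamic delivery is safe because Microsoft can write the attachment back later.
Ensure-SafeAttachmentProtection -Name 'PoC Cloud Mailboxes' -Action DynamicDelivery `
    -SentTo $cloudUsers -RedirectAddress $reviewMailbox

# On-premises mailboxes: never dynamic delivery; block and redirect for review instead.
Ensure-SafeAttachmentProtection -Name 'PoC On-Premises Mailboxes' -Action Block `
    -SentTo $onPremUsers -RedirectAddress $reviewMailbox

# Safe Links for the whole domain (cloud or on-premises recipients).
Ensure-SafeLinksProtection -Name 'PoC Safe Links' -RecipientDomainIs $domain

# Show what now exists so the lab and production outputs can be compared side by side.
Get-SafeAttachmentRule | Format-Table Name, State, SafeAttachmentPolicy, SentTo, RecipientDomainIs
Get-SafeLinksRule      | Format-Table Name, State, SafeLinksPolicy, RecipientDomainIs
```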
Getting Started with Office 365 Advanced Threat Protection.
June 1, 2015.
Announced a few months ago, Advanced Threat Protection became generally available on 1st June.
I have been involved with trialling this product during the beta and so I thought I would note down a few thoughts on setting this up and what to expect now that it is publicly available.
Advanced Threat Protection is an add-on product to Exchange Online/Exchange Online Protection with its own subscription, so you will not see these features and products unless you have subscribed.
Once you have subscribed you will get two new features in the Exchange Control Panel for Office 365.
These are the ability to find malware containing attachments before a detection signature for that malware exists (zero-day malware attacks) and the ability to filter all hyperlinks in email via a known malicious links service (filtering against spear-phishing attacks).
The feature to detect zero-day malware is called Safe Attachments and the feature to protect against spear-phishing is known as Safe Links.
Subscribing to Advanced Threat Protection.
After signing into the Office 365 administration portal click Purchase Services on the left hand menu and locate your current Office 365 subscription that contains Exchange Online or Exchange Online Protection (Office 365 Enterprise E3 contains EOP, so you would look for your suite purchase if you did not have a standalone purchase of EOP).
Your current subscriptions will contain the words Already Purchased underneath the item, as shown in the two screenshots, where you can see that no Exchange Online Advanced Threat Protection licences have been purchased.
To add Advanced Threat Protection licences click the Add more link and enter the number of licences you want to purchase.
You do not need to purchase the same number of licences as EOP or Exchange Online mailbox licences, as you use the policy below to control who Advanced Threat Protection is available for.
Advanced Threat Protection for volume licence customers is available from August 2015 and for non-profit/educational licences from later in the year.
Once the purchase is confirmed the Advanced Threat’s menu entry appears in the Exchange Administration Console.
Also don’t forget to assign a licence to the appropriate users in the Office 365 portal.
Safe Attachments in Advanced Threat Protection takes any email that meets the conditions of any one of the Safe Attachment policies that you create and that also contains an attachment, and checks this email for malicious behaviour as it passes through Exchange Online Protection (EOP).
Before an email is checked by Safe Attachments the attachment has already been scanned for known malware and viruses.
So if the attachment contains malware that was not detected by an existing AV signature or if it is a safe attachment (no malware) then the email is routed to the Safe Attachments component in EOP.
If the email does not contain any attachments it is routed to the user’s mailbox by way of the other EOP spam filtering features.
Once an email is considered to have cause to be checked by the Safe Attachments component of ATP the individual attachments in the message are placed inside a newly created Windows virtual machine that is spun up in ATP for the purposes of this service.
The attachment is then executed or otherwise run (for example if it is a Word doc, it is opened in Word in the new VM that was created for it).
The VM is then watched for behaviour that is considered to be unsafe.
Examples of unsafe behaviour include setting certain known registry key locations (such as the RunOnce group of keys in Windows) or downloading malicious content from the internet.
If the attachment does not exhibit that behaviour then the email is released and sent on to the user.
If the email does exhibit these actions the email is not sent onward, and optionally a copy of the email in the form of a report is forwarded to an administrator’s mailbox (where care should be taken on opening the attachment).
The time it takes to spin up a new VM and execute the attachment is in the region of 7 to 10 minutes.
Therefore anyone subject to a Safe Attachments policy will have emails that contain attachments delayed by at least this amount of time.
Of course this delay is necessary to ensure that the recipient is not being sent malware that is currently not detected (zero-day attacks) and the impact of this delay needs to be considered against the benefit of the additional filtering that happens and the impact of that user executing the malware themselves on their own machine.
To protect a user with Safe Attachments you need to create a policy.
This is done in the Exchange Admin Centre in Office 365 in the “advanced threats” area, as shown in the screenshot, where I have a single policy created called “Protect Brian Only”.
This would be an example where I wanted to protect those users whom I thought were more likely to be subject to zero-day malware attacks – good examples would be highly targeted accounts (CEO etc.), IT administrator/help desk accounts and of course the accounts of users who will click anything and whose PC you are often cleaning up.
There is no default policy, so unless a user is protected by a policy that you the administrator create, they are not subject to the Safe Attachments feature.
As Advanced Threat Protection is an additional licence, only those users who are licenced should be included in any policy.
Opening the “Protect Brian Only” example policy above shows me three sets of options: the first page allows me to edit the name and description, the second page sets the policy (more on this below), and the final page sets who the policy applies to.
In this example it applies to a single recipient who was selected from the list of users in Office 365, though it could be a list of more than one user or anyone with a given email domain or anyone in an already created group.
The policy setting allows me to do the following:
Scan emails containing attachments (with options to not do this scanning, to scan and send onward to the user regardless of the result, to block the emails containing bad attachments, or to replace the attachments with a notification but allow the contents of the email to go on through).
Redirect emails containing attachments to an alternative email address, and specify what address to use.
This is great for seeing what is blocked and acting as a sort of reporting service.
Warning – this email address will get malicious emails sent to it, handle with extreme care.
Finally, in the event of a timeout at EOP/ATP where the attachment cannot be scanned within 30 minutes, check this box to treat the attachment in the same way as malicious emails are treated.
This is the default action.
In the mailbox of the intended recipient, if block or replace is selected in the policy then the user will not see the malicious attachment and therefore cannot accidentally execute its contents.
In the mailbox of the email address used for the redirection, you will see messages such as the following. Here you see a report email that contains the email that was detected as malicious.
You can see the To: address (redacted in the graphic above) and that it was not sent to the intended recipient and that it should not be opened.
All in all, it's a very simple and inexpensive way to protect the mailboxes of either all staff or those you consider subject to targeted malware, such as CEO type staff and the IT department.
Even if you do not redirect emails containing malicious attachments, you can report on the number and type of attachments that are blocked from the reporting console available from the icon on the ATP toolbar.
The following shows a 30 day report for my tenant (which has only a few live mailboxes protected).
For data-points more than 7 days old it will take a short while for the information on the report to be returned to you, and you need to request that report from the provided link.
For data-points under 7 days old you can see the information in real-time.
The grey background on the report shows where the 7 day period is located.
In the below screenshot the above malware can be seen in the report as the single instance of an email that passed AV scanning successfully but was in fact a zero-day attack.
The second screenshot below shows the type of malware attachments that ATP is blocking.
From this we can see that the risk lies in maliciously crafted Excel and Word attachments.
When an email is delivered to the end recipient, any technology that checks the target of any link in the email is prone to one large issue – the web page or attachment on the other side of the hyperlink in the email may be safe and okay to view at the time of delivery, but might not be at the time the user comes to open the email and then click the link.
A sender who is aware of users' working hours, or at least their email reading hours, can deliver emails outside this timeframe with links to websites that are okay at the time of delivery, which means the email passes any web site or download checks done by the email server.
Advanced Threat Protection’s Safe Links feature protects the user by rewriting the hyperlink in the email body so that the link is checked at the point of click and not the point of delivery.
To do this the hyperlink is changed from the target to the Safe Links portal.
Then when the user clicks the link, they are taken to the Safe Links portal and if the site is now on a block list, the user is blocked, but if the target of the link is fine they are sent a browser redirect to the original target.
Note that this is not a proxy server – you do not connect to the target URL through the Safe Links portal, you just visit the Safe Links portal when you click the link and if the target is safe at point of click you are directed via your browser to the target (a client side redirect).
If the target is not safe at point of click then an error page is displayed.
In the following screenshot is an email with a hyperlink in it.
This link was received by me in my Safe Links protected account and it looks like it might be an attempt to download malware to my computer, but I am going to click the link anyway (in the second screenshot I am hovering over the hyperlink). You can see from the screenshot that the hyperlink takes the user first to https://na01.safelinks.protection.outlook.com/?url=targetURL&data=value&sData=otherValue.
The na01 part of the URL will be regionally specific and so might read emea01 or apac01 etc.
When the user clicks the link they go to region.safelinks.protection.outlook.com.
In my case I see the following webpage, where I am told the page has been classified as malicious.
I also have an option to continue anyway (and I can control if this setting appears for users or not) and an option to close the browser window.
If the hyperlink is not malicious at the point of click then I still go to the Safe Links portal (as it is the portal that checks the link at point of click), but then get redirected to the target URL.
This can be seen in the following screenshot, which shows the F12 developer tools enabled in the browser and the network trace screen shown at the bottom of the window. You will see that the first line is the Safe Links portal; this takes 0.75 seconds before being redirected with an HTTP 302 client side redirect to the target URL, followed by the rest of the objects on the target page (until I paused the trace).
So how do I set this all up?
It is very similar to the Safe Attachments above in that we create a policy, and then any email containing hyperlinks that is delivered to the end user after that user is added to a policy gets rewritten.
First we go to the Advanced Threats area of the Exchange Administration Console, where you can see an existing policy.
There are no policies by default.
If I create a new policy I need to provide the following. You can see from the screenshot that you need a name for the policy and whether or not a link is rewritten. Policies with greater priority take precedence, so if a user is subject to two or more policies then only the higher priority policy takes effect; therefore you can use a policy to turn off link rewriting for a subset of users covered under a lower priority policy that enabled it for more users.
You can also disable link tracking and remove the option for users to click through to the target URL.
Link tracking allows you to report who clicked what link, and not allowing users to click through disables the “Continue to this website (not recommended)” link on the Safe Links warning page.
You also have the ability to control URLs that you do not want to rewrite, and rewriting will only happen for FQDN URLs (that is, those with dots in them) and not single name URLs such as http://intranet. This allows you to bypass redirection for sites you know are safe or that are FQDNs but are internal.
Finally you get to set who the policy applies to.
You do not need to apply the policy to all users if you have not licenced all users, but you can set policy based on who the recipient is, what domain the recipient is in (all users in that domain) or a group (some users).
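The two Safe Links behaviours described above, the rewritten link form (`https://<region>.safelinks.protection.outlook.com/?url=...&data=...&sData=...`, a client side redirect rather than a proxy) and the rule that only FQDN URLs outside the do-not-rewrite list are rewritten, as an added example that is not code from the original post or from Microsoft; the sample message body, the data/sData values and `example.com` are constructed placeholders.

```python
"""Added example (not from the original post): defender-side helpers for Safe Links.

unwrap_safelink()      recovers the real destination from a rewritten link; the portal
                       is a client-side redirect, so the target travels whole in ``url``.
is_rewrite_candidate() applies the policy rule: only FQDN hosts (names containing a dot)
                       are rewritten; single-name URLs and do-not-rewrite hosts are not.
link_targets()         lists what a user was actually sent, useful when reviewing a message.
"""
import re
from urllib.parse import urlparse, parse_qs

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"   # na01, emea01, apac01 ... prefixes
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unwrap_safelink(url):
    """Return the original target of a Safe Links wrapped URL, or None if it is not wrapped."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return None
    target = parse_qs(parsed.query).get("url")   # parse_qs percent-decodes the value
    return target[0] if target else None


def is_rewrite_candidate(url, do_not_rewrite=()):
    """True if Safe Links would rewrite this hyperlink under the rule described in the post."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return False
    if "." not in host:                            # single-name URL such as http://intranet
        return False
    return host not in {h.lower() for h in do_not_rewrite}


def link_targets(body):
    """Real destination of every http(s) link in a message body, with Safe Links unwrapped."""
    return [unwrap_safelink(m.group(0)) or m.group(0) for m in URL_RE.finditer(body)]


# Constructed sample body: one rewritten external link and one internal single-name link.
SAMPLE_BODY = (
    "Please review the invoice at "
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com"
    "%2Finvoice.docm&data=PLACEHOLDER&sData=PLACEHOLDER\n"
    "and the internal page http://intranet/policies for next steps."
)

if __name__ == "__main__":
    for target in link_targets(SAMPLE_BODY):
        print(target, "-> would be rewritten:", is_rewrite_candidate(target))
```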
On the Mail Flow menu in Exchange Control Panel you can view a URL Trace of the links that users have clicked in the past 7 days.
The report shows you the link clicked and if it was blocked or not.
If the click through option is enabled, it will show if that was done as well.
Only users in policies that track clicks will be reported.
A report looks like the following:
Further Administration.
To administer your Safe Links and Safe Attachments policy and rules via Remote PowerShell see http://c7solutions.com/2015/06/advanced-threat-protection-via-powershell