How to configure Advanced Threat Protection (ATP) part 1: anti-phishing
Alex Fields
In a previous post, I covered some of the basic anti-spam/anti-malware protections included with Office 365/Exchange Online. Today I want to explore an add-on subscription called Advanced Threat Protection (ATP), which leverages some fancy pants machine learning and other AI-like tech to detect zero-day and other advanced threats. The product comes bundled with Microsoft 365 Business by default, which thrills me to no end since you have to go all the way to E5 in the Enterprise licensing track to get it; it is also available as an add-on ($2.00 USD/user/month) to any other Exchange Online or Office 365 subscription/bundle. I recommend it for all my customers nowadays.
Note: ATP is not limited to Exchange Online; it can also protect content in other Office 365 apps such as SharePoint and OneDrive.
The first feature we will explore is the new Anti-Phishing measures, which you can configure from the 365 Admin portal > Admin centers > Security & Compliance. Estimated time to complete: 15-20 minutes.
Find Threat management > Policy from the left menu. Choose ATP anti-phishing.
Simply choose to + Create a new policy.
Give it a name and Next.
You have to add a condition that determines who this policy is applied to. I normally apply this policy to the entire domain, but you can also use group membership, or some combination of a group/domain plus exceptions. After completing the conditions, choose Next.
Now you basically Create this policy, so that you can go back and actually edit the individual settings. Seems backwards, I know.
First, Edit the Impersonation settings. You can only add up to 60 users to this list, so Microsoft recommends focusing on key roles such as CEO, CFO, etc. (the people most likely to be impersonated in a business email compromise attempt). Since I'm Chief Awesome Sauce here at ITProMentor.com, I added myself to this list.
This one is self-explanatory: choose which domains to include (your own domains, and optionally partner domains whose lookalikes you want caught).
Now you can begin to choose some actions. In this example I am choosing Quarantine, but you may prefer to redirect this message to an administrator, for example. Check out the Turn on impersonation safety tips link on this page, also.
These notifications can help warn users if impersonation is suspected.
Here is where the machine learning comes in. Mailbox intelligence learns which senders each mailbox "typically" communicates with, and then applies that learning to look for anomalies, such as a message from an unfamiliar sender whose display name matches a known contact. If that's too Big Brother for you, leave it off. I'll leave it on for a while and report back my findings.
It is also possible to exclude certain senders and domains from this policy, like a whitelist. Note that allow entries in your anti-spam policies do not carry over: if you need the same exceptions here, you have to add them again in this policy.
Now you can just review the settings and Save.
Next edit the Spoof settings of the policy. They have this action set to Junk mail folder by default, but I prefer Quarantine. Choose Save.
Last, you can edit the Advanced settings. There are four different levels of aggressiveness (the advanced phishing thresholds). It is on 1 (Standard) by default, but I am going to test 2 (Aggressive). Expect more messages to land in quarantine at the higher levels, so keep an eye on false positives after changing this.
If you like, you can review your settings for the policy again.
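The same policy can be built from Exchange Online PowerShell, which is handy when you manage many tenants or want the configuration in version control. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and the parameter names of the current New-AntiPhishPolicy / New-AntiPhishRule cmdlets (older module versions used different names for the spoof settings), and the tenant domain, user names, addresses and partner domain are placeholders.

```powershell
# Added example (not from the original post): create the ATP anti-phishing policy
# described above via Exchange Online PowerShell. Domain, names and addresses are
# placeholders; parameter names assume the current ExchangeOnlineManagement module.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$PolicyName = "ATP Anti-Phishing - All Users"
$Domain     = "contoso.com"

# Users to protect against display-name impersonation (limit noted in the post: 60).
# Format for each entry is "DisplayName;SMTPAddress".
$ProtectedUsers = @(
    "Alex Fields;alex@contoso.com",
    "Jane Doe;jane@contoso.com"
)

# Senders/domains exempt from the impersonation checks. These must be listed here
# even if they are already allowed in your anti-spam policy.
$TrustedSenders = @("ceo@fabrikam.com")
$TrustedDomains = @("fabrikam.com")

$PolicyParams = @{
    Name                                = $PolicyName
    AdminDisplayName                    = "Impersonation and spoof protection, aggressive threshold"
    Enabled                             = $true

    # Impersonation: protected users, own domains, quarantine on match
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $ProtectedUsers
    TargetedUserProtectionAction        = "Quarantine"
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @($Domain)
    TargetedDomainProtectionAction      = "Quarantine"

    # Impersonation safety tips shown to users
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true

    # Mailbox intelligence: learn normal sender patterns, quarantine anomalies
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"

    # Trusted senders/domains (the "whitelist" step)
    ExcludedSenders                     = $TrustedSenders
    ExcludedDomains                     = $TrustedDomains

    # Spoof: keep spoof intelligence on; Quarantine instead of the default Junk folder
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "Quarantine"

    # Advanced: 1 = Standard (default), 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive
    PhishThresholdLevel                 = 2
}

New-AntiPhishPolicy @PolicyParams

# Bind the policy to the whole domain. Use -SentToMemberOf to scope by group instead,
# and -ExceptIfSentTo / -ExceptIfSentToMemberOf for exceptions.
New-AntiPhishRule -Name "$PolicyName rule" `
    -AntiPhishPolicy $PolicyName `
    -RecipientDomainIs $Domain `
    -Priority 0

# Review the result, the equivalent of the "review your settings" page in the portal.
Get-AntiPhishPolicy -Identity $PolicyName |
    Format-List Enabled, EnableTargetedUserProtection, TargetedUsersToProtect,
        TargetedUserProtectionAction, EnableOrganizationDomainsProtection,
        EnableMailboxIntelligence, ExcludedSenders, ExcludedDomains,
        EnableSpoofIntelligence, AuthenticationFailAction, PhishThresholdLevel
```

Run this in a tenant where you are a Global or Security Administrator. The rule's priority determines which policy wins when several apply to the same recipient, so put the broad "all users" policy at a lower priority (higher number) than any narrower per-group policy you add later.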
That concludes the review of this first feature set within Advanced Threat Protection (ATP). Of course, there are some more basic anti-phishing/anti-impersonation things you can do with standard Exchange mail flow rules, for example, but we'll cover those options another time. The ATP features are a bit more serious, and use more sophisticated technology to increase the intelligence behind the detection. Security is all about layers, after all. This is a good one to have.