How to configure Advanced Threat Protection (ATP) part 2: safe attachmentsAlex Fields
In the previous post, we introduced ATP and one of its key features, anti-phishing polices. ATP is an advanced security product from Microsoft, which is included with Microsoft 365 Business, Office 365 E5, or as a separate add-on to any other subscription, for $2.00/user/month (USD). Today we will explore another feature called safe attachments. Safe attachments will essentially launch any downloadable attachment or content and execute it in a virtual machine (what they call ‘detonating’), before allowing it to go on to the end user. This sandbox environment is looking for behaviors that are unusual or abnormal, and which could represent malware. This is beyond virus scanning, folks–it is looking for zero-day threats–stuff without signatures.
WARNING: enabling this feature will cause noticeable delays in delivery of certain content/attachments. In some cases, I have seen some email messages delayed by up to 10 minutes. This is because Microsoft has to launch the attachment and perform heuristics on it before you can receive it as an end-user.
Return to the Security & Compliance Center to set it up. From Threat management > Policy choose ATP safe attachments. Estimated time to complete: 10 minutes.
Here you can start by checking the box for Turn on ATP for SharePoint, OneDrive and Microsoft Teams, but again–be forewarned. There are performance impacts to this. Now go ahead and click the + plus button to add a new policy.
First choose whether to simply Monitor this policy, straight up Block detected malware, or Replace (remove the attachment but deliver the message body without the attachment). Last option, which is newer, is Dynamic Delivery, which is basically picking Replace and delivering the message right away, but only reattaching the content if it passes the scan. This can help with those delivery delays I mentioned, but again attachments can be delayed.
No matter what you pick here, you are also going to want to elect some administrator-monitored address to which content that is flagged or stripped can be redirected. Set your conditions (e.g. domain, group, etc.) and Save the policy.
If using the Dynamic Delivery option, you may receive a warning stating that this option applies to Office 365 hosted mailboxes only (not hybrid on-premises otherwise). After you have reviewed the settings, Save again on this page.
And that is the whole config. Next time we will look at the last piece to the ATP puzzle–safe links.