Office 365 Advanced Threat Protection 101: ATP
(Anti Phishing Policies)
Have you purchased or are you thinking of purchasing Office 365’s Advanced Threat Protection (ATP) for your Office 365 tenant? In Part 1 of this article series, I’m going to show you how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP anti-phishing policies.
In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.
ATP anti-phishing works by checking incoming messages for indicators that the message may be phishing. Messages are evaluated by multiple learning models that analyze the message. Office 365 administrators can define policies that protect users from phishing attacks that include impersonation of other users or domains. These policies also define what kind of action should be taken when a phishing message is detected. If you’d like to read more on how ATP anti-phishing works, Microsoft has written a good article here.
Office 365 does have a default anti-phishing policy configured out-of-the-box; however, it offers basic protection against phishing and none of the more advanced protection features to protect your users from impersonation and spoofing attacks.
Creating Your First ATP Anti-Phishing Policy
Instead of modifying the default policy, I’d recommend creating a new anti-phishing policy and applying it to a test user or pilot group. In this article, we’ll be configuring a policy that:
- Protects all users in the organization under our primary e-mail domain
- Protects users from impersonated emails
- Send phishing emails to the quarantine
You can find all three of the ATP policies in Office 365’s Security & Compliance Center under Threat Management and then under Policy.
At the ATP anti-phishing policy page, click on the “Create” button to create a new anti-phishing policy. Give the policy a name and a brief description, and click Next.
At the next screen, you’ll need to define who this policy will apply to. This can be a recipient, a group of recipients, or an entire domain in your organization. In this example, we’ll be applying this policy to an entire domain.
At the next screen, review your settings, and click “Create this policy”.
With the threat management dashboard, you’ll be able to get insights like users in your organization who have been targeted with the most phishing e-mails, where are the emails originating from, domains that have been spoofed, and users who have been impersonated.
With this kind of information, you’ll be able to stay one step ahead of the bad guys of the internet. I recommend after making your first ATP anti-phishing policy to monitor the dashboard over a few business days, and you’ll be able to determine if you need to implement more policies to cover specific users or groups without worrying about impacting the entire organization with stricter anti-phishing policies.
Reviewing Detected Phishing Messages
I’ve mentioned that users may report the occasional false positive flagged by ATP’s anti-phishing engine. If you do find yourself being notified about false positives or want to review the amount of phishing e-mails detected, you’ll want to head over to the Threat Explorer page under Threat Management.
Here you’ll be able to view malware threats and phishing threats with handy details like the time it was received and how many recipients received the same e-mail. All of this is displayed in a nice bar graph for you to review.
Under the pretty bar graph, you’ll find the more detailed report of phishing mail detected by ATP. Here you can view time it was received, subject, recipient, sender, sender IP, and status.
This is where you can apply actions like move to junk, to deleted items, or to a user’s inbox in case it’s a false positive.
Coming Up Next in Threat Protection
Next, in Part 2 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Attachment Policies that check to see if email attachments or files are malicious and help to protect your organization. And as always, if you need help with your Office 365 environment but not sure where to start, Imaginet is here to help. Our Imaginet-certified Office 365 experts can help you get started with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.
Thank you for reading this post! If you enjoyed it, I encourage you to check out some of our other content on this blog. We have a range of articles on various topics that I think you’ll find interesting. Don’t forget to subscribe to our newsletter to stay updated with all of the latest information on Imaginet’s recent successful projects
discover more
Load SharePoint Items into Power Apps Without Delegation Limitations
Load SharePoint Items into Power Apps Without Delegation Limitations February 13, 2025 Loading large datasets into Power Apps galleries or data tables can be a significant challenge in app development,…
Top 3 Beginner Tips for Developing Canvas Power Apps
Top 3 Beginner Tips for Developing Canvas Power Apps February 13, 2025 Canvas Power Apps is a handy tool from Microsoft that lets you build custom business apps without needing…
Clean Data, Clear Decisions: How to Optimize Data Quality
Clean Data, Clear Decisions: How to Optimize Data Quality February 6, 2025 Last week, I sat down with one of our data experts, Olena Shevchenko, to get her thoughts on…
Let’s build something amazing together
From concept to handoff, we’d love to learn more about what you are working on.
Send us a message below or call us at 1-800-989-6022.