Office 365 Advanced Threat Protection 101: ATP
(Anti Phishing Policies)

Have you purchased or are you thinking of purchasing Office 365’s Advanced Threat Protection (ATP) for your Office 365 tenant? In Part 1 of this article series, I’m going to show you how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP anti-phishing policies.

In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.

Imaginet Office 365 Advanced Threat Protection - ATP Anti-Phishing

ATP anti-phishing works by checking incoming messages for indicators that the message may be phishing. Messages are evaluated by multiple learning models that analyze the message. Office 365 administrators can define policies that protect users from phishing attacks that include impersonation of other users or domains. These policies also define what kind of action should be taken when a phishing message is detected. If you’d like to read more on how ATP anti-phishing works, Microsoft has written a good article here.

Office 365 does have a default anti-phishing policy configured out-of-the-box; however, it offers basic protection against phishing and none of the more advanced protection features to protect your users from impersonation and spoofing attacks.

Creating Your First ATP Anti-Phishing Policy

Instead of modifying the default policy, I’d recommend creating a new anti-phishing policy and applying it to a test user or pilot group. In this article, we’ll be configuring a policy that:

  • Protects all users in the organization under our primary e-mail domain
  • Protects users from impersonated emails
  • Send phishing emails to the quarantine

You can find all three of the ATP policies in Office 365’s Security & Compliance Center under Threat Management and then under Policy.

Imaginet Office 365 Advanced Threat Protection - ATP Anti-Phishing

At the ATP anti-phishing policy page, click on the “Create” button to create a new anti-phishing policy. Give the policy a name and a brief description, and click Next.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

At the next screen, you’ll need to define who this policy will apply to. This can be a recipient, a group of recipients, or an entire domain in your organization. In this example, we’ll be applying this policy to an entire domain.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

At the next screen, review your settings, and click “Create this policy”.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

With the threat management dashboard, you’ll be able to get insights like users in your organization who have been targeted with the most phishing e-mails, where are the emails originating from, domains that have been spoofed, and users who have been impersonated.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing
Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

With this kind of information, you’ll be able to stay one step ahead of the bad guys of the internet. I recommend after making your first ATP anti-phishing policy to monitor the dashboard over a few business days, and you’ll be able to determine if you need to implement more policies to cover specific users or groups without worrying about impacting the entire organization with stricter anti-phishing policies.

Reviewing Detected Phishing Messages

I’ve mentioned that users may report the occasional false positive flagged by ATP’s anti-phishing engine. If you do find yourself being notified about false positives or want to review the amount of phishing e-mails detected, you’ll want to head over to the Threat Explorer page under Threat Management.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

Here you’ll be able to view malware threats and phishing threats with handy details like the time it was received and how many recipients received the same e-mail. All of this is displayed in a nice bar graph for you to review.

Under the pretty bar graph, you’ll find the more detailed report of phishing mail detected by ATP. Here you can view time it was received, subject, recipient, sender, sender IP, and status.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

This is where you can apply actions like move to junk, to deleted items, or to a user’s inbox in case it’s a false positive.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

Coming Up Next in Threat Protection

Next, in Part 2 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Attachment Policies that check to see if email attachments or files are malicious and help to protect your organization. And as always, if you need help with your Office 365 environment but not sure where to start, Imaginet is here to help. Our Imaginet-certified Office 365 experts can help you get started with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.

Thank you for reading this post! If you enjoyed it, I encourage you to check out some of our other content on this blog. We have a range of articles on various topics that I think you’ll find interesting. Don’t forget to subscribe to our newsletter to stay updated with all of the latest information on Imaginet’s recent successful projects

discover more

Industry 4.0

Industry 4.0 – Part 1 – The History 

Industry 4.0 – Part 1 – The History   November 14, 2024 What is Industry 4.0 Industry 4.0 is a term that has been around for about a decade already. Also…

SharePoint Look Book

SharePoint Look Book: A Hidden Design Gem 

SharePoint Look Book: A Hidden Design Gem     November 7, 2024 SharePoint Look Book: A Hidden Design Gem In the world of digital collaboration, SharePoint stands tall in helping organizations enhance…

DevSecOps

DevSecOps: Modern DevOps Practices – Conclusion   

DevSecOps: Modern DevOps Practices – Conclusion    October 31, 2024 DevSecOps: Modern DevOps Practices – Conclusion  DevSecOps rounds out our 3-part blog series on Modern DevOps practices. As a quick recap,…

Let’s build something amazing together

From concept to handoff, we’d love to learn more about what you are working on.
Send us a message below or call us at 1-800-989-6022.