Keeping Users Safe With Advanced Threat Protection

The Challenge

As hackers around the globe launch increasingly sophisticated attacks, businesses are seeking tools that provide additional protection. Thankfully, Microsoft is a perfect platform for companies looking to boost their security.

The right Microsoft licensing comes with advanced security features as standard. For example, when you’re looking at buying Microsoft 365 licenses, most Business and Premium plans come with Microsoft’s Advanced Threat Protection (ATP), a holistic security solution which protects your user identities, endpoints, cloud apps and emails.

The Microsoft Approach

Microsoft 365’s ATP offers three core features to better secure your email:

  1. Safe Attachments, which protects against unknown malware and viruses
  2. Safe Links, which provides real-time, time-of-click protection against malicious URLs
  3. Rich reporting and trace capabilities

Safe Attachments

The Safe Attachments feature is designed to detect malicious PDFs and other attachments, even before your anti-virus picks up on them. Anti-virus programs work by storing a list of known viruses and malware types. This makes it easy for them to pick up on suspicious attachments… but only if they are kept up to date. Because anti-virus programs rely on signatures, they are vulnerable to zero-day threats, since it can take some time for the signatures to update. Meanwhile, you could receive an email with an attachment that your anti-virus doesn’t pick up on, leading to your machine becoming infected. This is where the right Microsoft licensing comes in, since if you have ATP, you’ll still be protected.

All messages and attachments without a known virus/malware signature are routed to a special hypervisor environment, where a behavioral analysis is performed using a variety of machine-learning and analysis techniques to detect malicious intent. Safe Attachments then picks up on attachments that are common carriers of malicious content, such as Office documents, PDFs, executable (EXE) files, and Flash files. If no suspicious activity is detected, the attachment is released for delivery to the mailbox.

Dynamic delivery of Safe Attachments

If you’ve just read about Safe Attachments above, then like me, a warning bell may have started going off in your head. If attachments have to go through a rigmarole of tests before they’re delivered, won’t that mean that all of your emails are going to take forever to come through to your inbox?

The good news is that the Advanced Threat Protection that comes with Microsoft licensing also includes Dynamic Delivery. What this means is that the body of an email is delivered instantly. When an email has an attachment, a placeholder attachment is assigned to it, which will only be downloaded when you choose to click on it. This gives Microsoft ATP time to scan the attachment and ensure its safety, without any unnecessary delays. This is also a useful security feature. Since Outlook has the option to automatically open emails when you click on them, it means that if you find an email that seems like phishing, but haven’t physically opened the attachment or clicked on the link within, your machine will remain protected, since the attachment isn’t downloaded until you choose to open it.

And if the attachment goes through the scan and comes back as being safe, it automatically gets reattached to the email it’s meant for, and the placeholder gets removed. It truly is a win-win for all involved.

Safe Links

Safe Links is another useful feature that helps stop users from visiting malicious websites when they click links in emails. Attackers sometimes try to hide malicious URLs within seemingly safe links, redirecting users to unsafe sites through a forwarding service after the message has been received. The ATP Safe Links feature proactively protects your staff by sending a warning if the link that they are clicking seems to be redirecting to an unexpected site. And Advanced Threat Protection will show this warning every time people try to click on the link, dynamically blocking unsafe content, while safe links remain perfectly accessible.
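The mismatch described above, a link that displays one address but forwards to another, can be shown with a small offline check. This is an added example, not code from the original post and not how Microsoft implements Safe Links; the redirect parameter list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumed list of query parameters that forwarding services use for the target.
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "dest")

def host_of(text):
    """Return the hostname if text is an absolute URL, else None."""
    try:
        return urlsplit(text.strip()).hostname if "://" in text else None
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return None

def final_target(href, max_hops=3):
    """Unwrap redirect parameters embedded in the URL (no network requests)."""
    for _ in range(max_hops):
        if host_of(href) is None:
            break
        query = parse_qs(urlsplit(href).query)
        nxt = next((query[p][0] for p in REDIRECT_PARAMS
                    if p in query and host_of(query[p][0])), None)
        if nxt is None:
            break
        href = nxt
    return href

class LinkAuditor(HTMLParser):
    """Collect (displayed host, actual host) pairs that disagree."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = host_of("".join(self._text))
            actual = host_of(final_target(self._href))
            if shown and actual and shown != actual:
                self.findings.append((shown, actual))
            self._href = None

def audit(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    return auditor.findings

# Constructed sample body: the first link shows one host but forwards to another.
SAMPLE = ('<a href="https://fwd.example.org/r?url=https%3A%2F%2Flogin.example.net%2Freset">'
          'https://portal.example.com/reset</a> '
          '<a href="https://portal.example.com/faq">https://portal.example.com/faq</a>')
```

Links whose visible text is not a URL (for example "Click here") have no displayed host to compare, so this check skips them; it also cannot see redirects that happen server-side, which is why a time-of-click check is still needed.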

URL Detonation

URL Detonation provides deeper protection against malicious URLs. Not only does ATP check a list of malicious URLs when a user clicks on a link, but Office 365 ATP will also perform real-time behavioural malware analysis in a sandbox environment against malicious attachments at destination URLs. For example, if an email includes a link to a Word document on a web server, the document is downloaded into Microsoft’s sandbox environment and opened as if it were an attachment, rather than redirecting to a webpage.

Rich reporting

While rich reporting may be a feature that few users will ever know about, it’s a security feature that is hugely helpful to IT teams. The advanced reporting makes it easy for the team or external IT company who is managing your systems to find out who clicked on a malicious link, which makes it easier in turn to secure your systems in the case of malware.

The report also shows detailed data, such as the date of the email, the sender, recipient, ID and subject, giving IT teams critical insights into who is getting targeted in your business and the types of threats being faced. But, more than that, reporting and message tracing allow them to fully investigate messages that have been blocked due to unknown viruses or malware, while the URL trace capability enables tracking of individual malicious links in the messages that have been clicked. Microsoft even delves into details of why ATP flagged an email as a threat, identifying threats caught by ATP which would have been missed without it (identifying advanced threats specifically), and granular details on scan times for emails with attachments. ATP reporting ultimately offers proactive email protection.

How can you get advanced threat protection?

As already mentioned, the right Microsoft licensing does come with ATP as a default. But even if you aren’t using a Microsoft license which includes Advanced Threat Protection as standard, you can add it on to your Microsoft licenses separately. And we highly recommend that you do! Having an anti-virus is not protection enough, and at Solid Systems we truly believe in protecting your business in every way possible, from training your teams, to implementing the right technology solutions for your business. If you want to learn more about how ATP could be boosting your business and keeping your company protected, check out our Advanced Threat Protection webpage, or get in touch with our team of IT pros today.

Daniel Avinir

Head of Client Success at Solid Systems | Virtual CIO

I have a love and passion for people, their minds, technology, and nature. I believe in empowering people to work in increasingly flexible and productive ways, helping them unlock the collaboration potential and leading the cultural & technological change of our time.