Skip to main content

Office 365 ATP Is Half-Off by Default: Turning On Safe Attachments and Safe Links

Nick Ross4 min read
Implementing Office 365 Advanced Threat Protection

TL;DR

  • As of June 2018, Office 365 ATP Safe Attachments and Safe Links are not enabled by default, so buying the license does not protect anyone until you build the policies.
  • Safe Attachments detonates email attachments in a sandbox before delivery; Dynamic Delivery is the only action that does not slow mail flow.
  • Safe Links rewrites and re-checks URLs at click time, so a link that was clean at delivery is still scanned when the user clicks it.
  • ATP is included in Office 365 Enterprise E5 and Microsoft 365 Business, or available as a $2 MSRP add-on to other plans.
  • Spoof intelligence and mailbox intelligence flag senders impersonating your domain or your users' frequent contacts.

Most teams assume that assigning an Office 365 Advanced Threat Protection license is the same as being protected. It is not. As of June 2018, the two features that do the heavy lifting, Safe Attachments and Safe Links, are switched off until someone builds the policies by hand. This guide covers what ATP actually does, what it costs to license, and the exact clicks to enable the protection you have already paid for.

Office 365 Advanced Threat Protection overview

What does Office 365 ATP actually protect against?

ATP hardens your tenant against the attacks that get past standard spam filtering: weaponized attachments, malicious links, and senders impersonating people your users trust.

Safe Attachments

When a Safe Attachments policy is in place and someone covered by that policy views their email in Office 365, their attachments are checked and the appropriate action is taken based on your policy. Depending on how the policy is defined, people keep working without ever knowing they were sent malicious files. Beginning in March 2018, ATP protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams.

Spoof intelligence

Spoof intelligence lets you review every sender spoofing your own domains or external domains. Each spoofed user is shown on a separate row, so you can allow or block per user. Mailbox intelligence analyzes your cloud users' mail-flow patterns to learn who they communicate with most, which makes it easier to catch an attacker impersonating one of those frequent contacts.

Advanced reporting

The Security and Compliance Center ships with reports on malware, phishing, spam, and more, so you can see how your policies are performing.

ATP reporting in the Security and Compliance Center

What licenses include ATP, and what does it cost?

As of June 2018, ATP is included in the following subscriptions:

  • Office 365 Enterprise E5, $35 MSRP
  • Office 365 Enterprise E5 Government, $35 MSRP
  • ATP Add-On, $2 MSRP
  • Microsoft 365 Business, $20 MSRP

If a client is on a plan that does not include ATP, the $2 add-on is the cheapest path to coverage.

Turning on Safe Attachments, step by step

Safe Attachments and Safe Links are not on by default, so this is where the real work happens.

Open the policy area

In the Security and Compliance Center, go to Threat Management > Policy.

Threat Management Policy menu in the Security and Compliance Center

Open ATP Safe Attachments

Click the ATP Safe Attachments icon.

ATP Safe Attachments icon on the policy page

Extend protection to apps

Check the box next to "Turn on ATP for SharePoint, OneDrive, and Microsoft Teams."

Checkbox to turn on ATP for SharePoint, OneDrive, and Microsoft Teams

Create a new policy

Click the + icon to set up a new policy.

Plus icon to create a new Safe Attachments policy

Choose the malware action

You select what happens when malware is detected. The options are Off, Monitor, Block, Replace, and Dynamic Delivery. Every option except Dynamic Delivery slows mail flow while the scan runs. Dynamic Delivery sends the mail immediately and replaces the attachment with a placeholder until the scan is complete. For a more detailed explanation of these options, follow the Microsoft support article (opens in new tab).

Safe Attachments action options Off, Monitor, Block, Replace, Dynamic Delivery

Set redirect and scope

You can redirect the attachment to another mailbox, such as an admin or quarantine mailbox. You can also scope the policy to specific groups or domains.

Redirect and scoping options for the Safe Attachments policy

Open the policy area

In the Security and Compliance Center, go to Threat Management > Policy.

Threat Management Policy menu

Click the ATP Safe Links icon.

ATP Safe Links icon on the policy page

Check the default policy first

Click the Default policy to see its settings. By default, nothing is turned on.

Default Safe Links policy with nothing enabled
Default Safe Links policy settings detail

Add a wildcard so URLs get scanned

The first thing to do is add an asterisk as a wildcard, so URLs start getting scanned for malicious content.

Adding an asterisk wildcard to scan all URLs

Check the box for using Safe Links in Office 365 ProPlus and Office for iOS and Android.

Checkbox enabling Safe Links in Office 365 ProPlus and mobile Office apps

Scroll down and create a new Safe Links policy.

Option to create a new Safe Links policy

Customize the policy

Give the policy a name. We recommend checking all of the fields, but customize to fit the organization's needs.

Customizing the Safe Links policy fields

Whitelist and scope

You can whitelist certain URLs and define the domains, groups, or users the policy applies to.

Whitelisting URLs and scoping the Safe Links policy

Review the summary

After you click save, you can review a summary on the right-hand side.

Safe Links policy summary panel

Once the policy is in place, ATP Safe Links checks the URL a user clicks before opening the website. The URL is identified as blocked, malicious, or safe.

Safe Links checking a URL at click time

If the URL is on the whitelist for a policy that applies to the user, the website opens. If the URL is on the organization's custom blocked list, or is determined to be malicious, a warning page opens instead.

Safe Links warning page for a blocked URL
Safe Links warning page detail

If the URL goes to a downloadable file and your Safe Links policies are configured to scan such content, the file is checked. If the URL is determined to be safe, the website opens.

Safe Links scanning a downloadable file
Safe Links allowing a safe website to open

The pattern across both features is the same: the license is the easy part, and the protection only exists once the policies are built and enabled. That gap, between a feature being owned and a feature being on, is exactly where tenants drift out of compliance over time.

Frequently asked questions

Is Office 365 ATP turned on as soon as I assign the license?

No. As of June 2018 the license entitles you to the feature, but Safe Attachments and Safe Links policies are not created or enabled by default. You have to build them in the Security and Compliance Center before any protection applies.

Which Safe Attachments action should I choose?

The options are Off, Monitor, Block, Replace, and Dynamic Delivery. Every option except Dynamic Delivery delays mail flow while the attachment is scanned. Dynamic Delivery sends the message immediately with a placeholder attachment, then swaps in the real file once the scan finishes.

What licenses include ATP?

As of June 2018: Office 365 Enterprise E5 ($35 MSRP), Office 365 Enterprise E5 Government ($35 MSRP), and Microsoft 365 Business ($20 MSRP) include it. Other plans can add the ATP Add-On for $2 MSRP.

Find the ATP policies that were never switched on

CloudCapsule checks whether Safe Attachments, Safe Links, and 250+ other controls are actually enabled across every tenant you manage, in 60 seconds. Buying the license is not the same as turning it on.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading