Office 365 ATP Is Half-Off by Default: Turning On Safe Attachments and Safe Links

TL;DR
- As of June 2018, Office 365 ATP Safe Attachments and Safe Links are not enabled by default, so buying the license does not protect anyone until you build the policies.
- Safe Attachments detonates email attachments in a sandbox before delivery; Dynamic Delivery is the only action that does not slow mail flow.
- Safe Links rewrites and re-checks URLs at click time, so a link that was clean at delivery is still scanned when the user clicks it.
- ATP is included in Office 365 Enterprise E5 and Microsoft 365 Business, or available as a $2 MSRP add-on to other plans.
- Spoof intelligence and mailbox intelligence flag senders impersonating your domain or your users' frequent contacts.
Most teams assume that assigning an Office 365 Advanced Threat Protection license is the same as being protected. It is not. As of June 2018, the two features that do the heavy lifting, Safe Attachments and Safe Links, are switched off until someone builds the policies by hand. This guide covers what ATP actually does, what it costs to license, and the exact clicks to enable the protection you have already paid for.

What does Office 365 ATP actually protect against?
ATP hardens your tenant against the attacks that get past standard spam filtering: weaponized attachments, malicious links, and senders impersonating people your users trust.
Safe Attachments
When a Safe Attachments policy is in place and someone covered by that policy views their email in Office 365, their attachments are checked and the appropriate action is taken based on your policy. Depending on how the policy is defined, people keep working without ever knowing they were sent malicious files. Beginning in March 2018, ATP protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
Spoof intelligence
Spoof intelligence lets you review every sender spoofing your own domains or external domains. Each spoofed user is shown on a separate row, so you can allow or block per user. Mailbox intelligence analyzes your cloud users' mail-flow patterns to learn who they communicate with most, which makes it easier to catch an attacker impersonating one of those frequent contacts.
Advanced reporting
The Security and Compliance Center ships with reports on malware, phishing, spam, and more, so you can see how your policies are performing.

What licenses include ATP, and what does it cost?
As of June 2018, ATP is included in the following subscriptions:
- Office 365 Enterprise E5, $35 MSRP
- Office 365 Enterprise E5 Government, $35 MSRP
- ATP Add-On, $2 MSRP
- Microsoft 365 Business, $20 MSRP
If a client is on a plan that does not include ATP, the $2 add-on is the cheapest path to coverage.
Turning on Safe Attachments, step by step
Safe Attachments and Safe Links are not on by default, so this is where the real work happens.
Open the policy area
In the Security and Compliance Center, go to Threat Management > Policy.

Open ATP Safe Attachments
Click the ATP Safe Attachments icon.

Extend protection to apps
Check the box next to "Turn on ATP for SharePoint, OneDrive, and Microsoft Teams."

Create a new policy
Click the + icon to set up a new policy.

Choose the malware action
You select what happens when malware is detected. The options are Off, Monitor, Block, Replace, and Dynamic Delivery. Every option except Dynamic Delivery slows mail flow while the scan runs. Dynamic Delivery sends the mail immediately and replaces the attachment with a placeholder until the scan is complete. For a more detailed explanation of these options, follow the Microsoft support article (opens in new tab).

Set redirect and scope
You can redirect the attachment to another mailbox, such as an admin or quarantine mailbox. You can also scope the policy to specific groups or domains.

Turning on Safe Links, step by step
Open the policy area
In the Security and Compliance Center, go to Threat Management > Policy.

Open ATP Safe Links
Click the ATP Safe Links icon.

Check the default policy first
Click the Default policy to see its settings. By default, nothing is turned on.


Add a wildcard so URLs get scanned
The first thing to do is add an asterisk as a wildcard, so URLs start getting scanned for malicious content.

Extend Safe Links to Office apps
Check the box for using Safe Links in Office 365 ProPlus and Office for iOS and Android.

Create a new Safe Links policy
Scroll down and create a new Safe Links policy.

Customize the policy
Give the policy a name. We recommend checking all of the fields, but customize to fit the organization's needs.

Whitelist and scope
You can whitelist certain URLs and define the domains, groups, or users the policy applies to.

Review the summary
After you click save, you can review a summary on the right-hand side.

What users see once Safe Links is live
Once the policy is in place, ATP Safe Links checks the URL a user clicks before opening the website. The URL is identified as blocked, malicious, or safe.

If the URL is on the whitelist for a policy that applies to the user, the website opens. If the URL is on the organization's custom blocked list, or is determined to be malicious, a warning page opens instead.


If the URL goes to a downloadable file and your Safe Links policies are configured to scan such content, the file is checked. If the URL is determined to be safe, the website opens.


The pattern across both features is the same: the license is the easy part, and the protection only exists once the policies are built and enabled. That gap, between a feature being owned and a feature being on, is exactly where tenants drift out of compliance over time.
Frequently asked questions
Is Office 365 ATP turned on as soon as I assign the license?
No. As of June 2018 the license entitles you to the feature, but Safe Attachments and Safe Links policies are not created or enabled by default. You have to build them in the Security and Compliance Center before any protection applies.
Which Safe Attachments action should I choose?
The options are Off, Monitor, Block, Replace, and Dynamic Delivery. Every option except Dynamic Delivery delays mail flow while the attachment is scanned. Dynamic Delivery sends the message immediately with a placeholder attachment, then swaps in the real file once the scan finishes.
What licenses include ATP?
As of June 2018: Office 365 Enterprise E5 ($35 MSRP), Office 365 Enterprise E5 Government ($35 MSRP), and Microsoft 365 Business ($20 MSRP) include it. Other plans can add the ATP Add-On for $2 MSRP.
Find the ATP policies that were never switched on
CloudCapsule checks whether Safe Attachments, Safe Links, and 250+ other controls are actually enabled across every tenant you manage, in 60 seconds. Buying the license is not the same as turning it on.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


