Have you purchased or are you thinking of purchasing Office 365’s Advanced Threat Protection (ATP) for your Office 365 tenant? In Part 1 of this article series, I’m going to show you how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP anti-phishing policies.
In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.
ATP anti-phishing works by checking incoming messages for indicators that the message may be phishing. Messages are evaluated by multiple learning models that analyze the message. Office 365 administrators can define policies that protect users from phishing attacks that include impersonation of other users or domains. These policies also define what kind of action should be taken when a phishing message is detected. If you’d like to read more on how ATP anti-phishing works, Microsoft has written a good article here.
Office 365 does have a default anti-phishing policy configured out-of-the-box; however, it offers basic protection against phishing and none of the more advanced protection features to protect your users from impersonation and spoofing attacks.
Creating Your First ATP Anti-Phishing Policy
Instead of modifying the default policy, I’d recommend creating a new anti-phishing policy and apply it to a test user or pilot group. In this article, we’ll be configuring a policy that:
- Protects all users in the organization under our primary e-mail domain
- Protects users from impersonated emails
- Send phishing emails to the quarantine
You can find all three of the ATP policies in Office 365’s Security & Compliance Center under Threat Management and then under Policy.
At the ATP anti-phishing policy page, click on the “Create” button to create a new anti-phishing policy. Give the policy a name and a brief description, and click Next.
At the next screen, you’ll need to define who this policy will apply to. This can be a recipient, a group of recipients, or an entire domain in your organization. In this example, we’ll be applying this policy to an entire domain.
At the next screen, review your settings, and click “Create this policy”.
With the threat management dashboard, you’ll be able to get insights like users in your organization who have been targeted with the most phishing e-mails, where are the emails originating from, domains that have been spoofed, and users who have been impersonated.
With this kind of information, you’ll be able to stay one step ahead of the bad guys of the internet. I recommend after making your first ATP anti-phishing policy to monitor the dashboard over a few business days, and you’ll be able to determine if you need to implement more policies to cover specific users or groups without worrying about impacting the entire organization with stricter anti-phishing policies.
Reviewing Detected Phishing Messages
I’ve mentioned that users may report the occasional false positive flagged by ATP’s anti-phishing engine. If you do find yourself being notified about false positives or want to review the amount of phishing e-mails detected, you’ll want to head over to the Threat Explorer page under Threat Management.
Here you’ll be able to view malware threats and phishing threats with handy details like the time it was received and how many recipients received the same e-mail. All of this is displayed in a nice bar graph for you to review.
Under the pretty bar graph, you’ll find the more detailed report of phishing mail detected by ATP. Here you can view time it was received, subject, recipient, sender, sender IP, and status.
This is where you can apply actions like move to junk, to deleted items, or to a user’s inbox in case it’s a false positive.
Coming Up Next
Next, in Part 2 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Attachment Policies that check to see if email attachments or files are malicious and helps to protect your organization. And as always, if you need help with your Office 365 environment but not sure where to start, Imaginet is here to help. Our Imaginet certified Office 365 experts can help you get started with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.
Imaginet is your trusted technology partner who turns your business innovation ideas into reality. 20+ years | 1200+ satisfied customers | 2500+ successful engagements. Primary services include Web Application Development, Mobile App Development, and SharePoint consulting services, with additional specialties in Power BI & Business Intelligence, Office 365, Azure, Visual Studio, TFS, & VSTS, Skype for Business, and more. Located in the United States (Dallas, TX) and Canada (Winnipeg, MB) with services offered worldwide. Contact us today at firstname.lastname@example.org or 1-800-989-6022.