Skip to main content

Have you purchased or are you thinking of purchasing Office 365’s Advanced Threat Protection (ATP) for your Office 365 tenant? In Part 1 of this article series, I’m going to show you how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP anti-phishing policies.

In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.

ATP anti-phishing works by checking incoming messages for indicators that the message may be phishing. Messages are evaluated by multiple learning models that analyze the message. Office 365 administrators can define policies that protect users from phishing attacks that include impersonation of other users or domains. These policies also define what kind of action should be taken when a phishing message is detected. If you’d like to read more on how ATP anti-phishing works, Microsoft has written a good article here.

Office 365 does have a default anti-phishing policy configured out-of-the-box; however, it offers basic protection against phishing and none of the more advanced protection features to protect your users from impersonation and spoofing attacks.

Creating Your First ATP Anti-Phishing Policy

Instead of modifying the default policy, I’d recommend creating a new anti-phishing policy and apply it to a test user or pilot group. In this article, we’ll be configuring a policy that:

  • Protects all users in the organization under our primary e-mail domain
  • Protects users from impersonated emails
  • Send phishing emails to the quarantine

You can find all three of the ATP policies in Office 365’s Security & Compliance Center under Threat Management and then under Policy.

Imaginet Office 365 Advanced Threat Protection - ATP Anti-Phishing

At the ATP anti-phishing policy page, click on the “Create” button to create a new anti-phishing policy. Give the policy a name and a brief description, and click Next.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

At the next screen, you’ll need to define who this policy will apply to. This can be a recipient, a group of recipients, or an entire domain in your organization. In this example, we’ll be applying this policy to an entire domain.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

At the next screen, review your settings, and click “Create this policy”.

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-PhishingWe’re not quite done yet. We’ll need to edit this policy to turn on the impersonation and anti-spoofing features. This policy will:

  • Protect users from impersonated emails from our CEO and other C level executives.
  • Protect mail domain.
  • Emails that impersonate users or domains will be sent to the quarantine
  • Enabled safety tips to notify users that an e-mail may contain
  • Advanced phishing threshold set to standard level

Imaginet Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

How Does This Impact My Users and Exchange Online Environment?

This goes without saying, I would recommend testing this policy by applying it to a test user or group first before applying it to the whole organization. As soon as this policy is enabled, it is active. When you go and apply these policies, the whole process is transparent to your users, their Outlook clients and mobile devices will continue to receive and send mail. However, anything detected as a phishing e-mail will be sent to the quarantine since this is what we set the policy to do.

ATP’s anti-phishing engine is quite good at discerning what’s “good” mail and what could be a phishing email, but once in awhile, the occasional e-mail may get flagged as a false positive. This is where you may need to adjust your policy and add trusted senders or trusted domains. I find services that use e-mail notifications tend to trigger false positives more often. For example, our Imaginet incident management system allows me to email users directly from its interface; however, the email uses my name and as the send address, which triggers ATP to think this is a spoof attempt. Adding our incident management system’s mail address as a trusted sender solves this problem.

Threat Management Dashboard is Your Friend

The policy we created is general and could be tweaked further, but wouldn’t it be nice to get some insight into who in your organization is being targeted?

After you’ve enabled your first ATP anti-phishing policy, the Threat Management Dashboard will become a useful tool at your disposal to help you fine tune your policies or implement more policies to help you protect specific user groups or departments in your organization.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

With the threat management dashboard, you’ll be able to get insights like users in your organization who have been targeted with the most phishing e-mails, where are the emails originating from, domains that have been spoofed, and users who have been impersonated.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing
Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

With this kind of information, you’ll be able to stay one step ahead of the bad guys of the internet. I recommend after making your first ATP anti-phishing policy to monitor the dashboard over a few business days, and you’ll be able to determine if you need to implement more policies to cover specific users or groups without worrying about impacting the entire organization with stricter anti-phishing policies.

Reviewing Detected Phishing Messages

I’ve mentioned that users may report the occasional false positive flagged by ATP’s anti-phishing engine. If you do find yourself being notified about false positives or want to review the amount of phishing e-mails detected, you’ll want to head over to the Threat Explorer page under Threat Management.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

Here you’ll be able to view malware threats and phishing threats with handy details like the time it was received and how many recipients received the same e-mail. All of this is displayed in a nice bar graph for you to review.

Under the pretty bar graph, you’ll find the more detailed report of phishing mail detected by ATP. Here you can view time it was received, subject, recipient, sender, sender IP, and status.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

This is where you can apply actions like move to junk, to deleted items, or to a user’s inbox in case it’s a false positive.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Anti-Phishing

Coming Up Next

Next, in Part 2 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Attachment Policies that check to see if email attachments or files are malicious and helps to protect your organization. And as always, if you need help with your Office 365 environment but not sure where to start, Imaginet is here to help. Our Imaginet certified Office 365 experts can help you get started with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.


Proceed to Part 2


Imaginet is your trusted technology partner who turns your business innovation ideas into reality. 20+ years | 1200+ satisfied customers | 2500+ successful engagements. Primary services include Web Application Development, Mobile App Development, and SharePoint consulting services, with additional specialties in Power BI & Business Intelligence, Office 365, Azure, Visual Studio, TFS, & VSTS, Skype for Business, and more. Located in the United States (Dallas, TX) and Canada (Winnipeg, MB) with services offered worldwide. Contact us today at or 1-800-989-6022.

Roy Polvorosa

Roy Polvorosa is an Imaginet Infrastructure Specialist that focuses on deploying and supporting Microsoft technologies. During his time at Imaginet, Roy has focused his infrastructure skills towards SharePoint, Office 365, and Azure cloud offerings. Roy has rich experience deploying and supporting clients that have multiple sites and a variety of support needs. Roy further extends his knowledge by supporting Imaginet internal developers and their variety of database and application servers needed to support 20+ simultaneous development projects.

Let‘s Talk.

Let's talk!