July 24, 2018

Over the last several months, we have made many advancements to Office 365 Advanced Threat Protection (ATP).  Due to our impressive malware catch effectiveness, threat actors have altered attack methods to bypass security capabilities leading to an increase in phishing campaigns.  To this end, we have enhanced our anti-phish capabilities.  Recently we improved the admin experience in Office 365.  Now we combine both the advancements in our anti-phish capabilities and admin experience, to deliver powerful new tools that further upgrade our ability to mitigate phishing campaigns.


Enhancements to the Office 365 ATP anti-phishing policy

Office 365 ATP customers will now benefit from a default anti-phishing policy providing visibility into the advanced anti-phishing features enabled for the organization.  We’re excited to deliver this as customers often ask for a single view where they can fine-tune the anti-phishing protections applied across all users within the organization.  Admins can also continue to create new or user existing custom anti-phishing policies configured for specific users, groups, or domains within the organization.  The custom policies created will take precedence over the default policy for the scoped users.


Customer feedback also led us to increase coverage of our anti-impersonation rule to 60 users and we simplified the spoof protection configurations within the ATP anti-phishing policy.

 anti-phishing default policy settings.pngFigure 1 – ATP anti-phishing default policy settingsanti-phishing impersonation policy settings.pngFigure 2 – ATP anti-phishing impersonation settings


Empowering admins with anti-phishing insights

We recently added a set of in-depth insights to the Security & Compliance Center and now we are excited to announce a new set of anti-phishing insights. These insights provide real-time detections for spoofing, domain and user impersonation, capabilities to manage true and false positives, and include what-if scenarios for fine-tuning and improving protection from these features.


  • Spoof Intelligence insights allow admins to review senders spoofing external domains, providing rich information about the sender and inline management of the spoof safe sender list. If spoof protection is not enabled, admins can review spoofed messages that would have been detected if protection was turned on (what-if analysis), turn on the protection, and manage the spoof safe sender list proactively.
  • Domain and User Impersonation insights allow admins to review senders attempting to impersonate domains that you own, your custom protected domains, and protected users within your organization. You can also review impersonation messages that would have been detected if protection was turned on (what-if analysis), turn on impersonation protection, and proactively manage the safe domain and safe sender list before enforcing any action.

 Spoof Intelligence Widget.pngFigure 3 – Spoof Intelligence insight widget

Spoof Intelligence Flyout.pngFigure


Explorer, Real-time reports and Office 365 management API will now include phish and URL detections

Earlier this year, we released real-time reports for malware, phish and user-reported messages for Office 365 ATP customers. We are now excited to extend email phishing views in Real-time reports and Explorer experiences to include additional phishing detection details including the detection technology that resulted in the phish detection. These views are enriched with additional details on URLs.  This includes URLs included in messages, filtering based on URL information, display of URL information in the graph/pivot, and Safe Links time-of-click data on allowed/blocked clicks from messages.  Threat Intelligence customers will also get URL data in the ‘all email view’, enabling analysis on URLs for delivered mail, supporting security analysis for missed phish, data loss, and other security investigations.   We have also enriched phish detection events in the Office 365 management API.  The schema will now include email phish and URL click events. We believe these enhanced views are critical to powering security investigation and remediation scenarios across advanced phishing attack vectors.


URL Detection.pngFigure 5 – URL domain and URL clicks view

 Threat Protection Images_Blog (3).pngFigure 6 – Phish detection technology and URL click verdicts

Send Your Feedback

We hope you try these new features and provide feedback.  Your feedback enables us to continue improving and adding features that continue making ATP the premiere advanced security service for Office 365.  If you have not tried Office 365 Advanced Threat Protection, you should begin a free Office 365 E5 trial today and start securing your organization from today’s threat landscape.

You May Also Like…