Microsoft 365 Security: Securing email with Advanced Threat Protection

We covered the basic security options that are available to all M365 plans here. This is the equivalent of locking your doors at night: a good idea, but not enough if someone really wants to get into your house. Unfortunately, there is no equivalent of a “safe” neighborhood on the Internet. If you are utilizing email, you will eventually be targeted for a break-in!

The biggest attack vector for breaking in is email. Phishing attempts, malware, and spoofing are all very common ways for attackers to get your users to give up valuable data or passwords. Once they have this information, they usually continue to attack from inside your organization, except now they have a legitimate email account to use, which is not good.

Microsoft has a number of additional services that can be used to further secure your email. The names of the services have changed and evolved over the years, and today the offering is called Office 365 Advanced Threat Protection (ATP). Specifically, we are talking about ATP Plan 1, which is included in the Microsoft 365 Business Premium subscription. Let’s review the three areas where ATP can increase your email security.

Safe Attachments and Links

Even after reading our post on how NOT to use email, we find that email continues to be the primary means of communication and file sharing used in most organizations. If that’s going to be the case, let’s make sure we have the most protection we can!

A safe attachments policy configured in Microsoft 365 will scan all incoming attachments in real time before they are actually delivered to a user’s mailbox. The biggest issue here is that most organizations do not properly turn on this feature, as it is not enabled by default, even if you have the ATP features available! It does no good to have an alarm if you don’t turn it on!

Safe links work very similarly to safe attachments, and must also be enabled as there is no default policy for this. Safe links will scan all incoming web links (URLs) in email messages to detect malware, phishing or other unsafe sites. We have found this to be one of the most effective safeguards to protect end users from attacks.


The email from the head of sales asking you to provide the latest sales numbers is so routine you don’t even think about it. Until you notice that there was an extra letter in that email domain. Now the sales numbers are out there on the Internet, which is not good. The FROM address in an email is quite easy to fake, the same as writing a different return address on an envelope that you physically mail. Unlike physical mail, there ARE ways to detect phishing and sender spoofing attempts.

The Anti-Phishing policies provide the ability to protect specific users in your organization from these types of attacks. Typically all executive and HR groups would need to be included in these policies. Once configured it’s important to monitor the policies to find the right level of protection needed. This is more art than science, but experience helps here!

Authenticated email domains

The basic setup of most email domains is incorrect, or at least not complete. Every email domain you utilize should have proper SPF, DKIM, and DMARC records published. These are basic DNS protections that are utilized by all large email providers (including Microsoft 365) to validate incoming email. If these are not set up correctly, the likelihood of your email messages being classified as spam or malware increases significantly.

Correctly setting up email services requires experience. Signing up for Microsoft 365 and changing an MX record is only the FIRST step in this process. It is important to find a technology partner that has significant experience with the Microsoft 365 services and can correctly enable and secure your environment.