Advanced Threat Protection is a licensing “add-in” to any 365 platform hosting cloud mailboxes, recently re-branded to “Microsoft Defender ATP”, that provides an email filtering service to protect your organization against unknown malware and viruses including safeguarding features to protect against harmful links and attachments.

There’s a long list of protocols and services offered by ATP (Advanced Threat Protection), and we’d like to expand the most impactful in this blog.

Licensing (cost)

First and foremost, let’s get the bit you’re all looking for out of the way. Currently, an ATP license costs £1.50 on a per user per month basis. HOWEVER, after speaking with a Microsoft support engineer, we’ve confirmed that as of right now only a single ATP license is required as it covers an entire organization, not just the user it’s applied to. Therefore you’re currently able to protect an unlimited number of 365 mailboxes for as little as £1.50 paid monthly directly to Microsoft. We’re unsure how long this will be viable for as all written materials for this service suggest application on a per-mailbox basis, not across your entire organization under a single subscription.

Safe Attachments

This element of the ATP solution if enabled, will scan email attachments for malicious content. Bear with me while I get a little technical, but they achieve this by reviewing every email your organization receives. If no virus/malware signature is detected in the header of the email it sends the email to a virtual sandbox where the email attachment content is unpacked and executed, then machine learning analyses any activity post content execution. If malicious content is found, the email is deferred. If the email is clean, it is delivered as expected.

All of this happens in a matter of seconds, but it still takes a few moments to perform these checks so you should expect a minor delay when receiving emails. But what’s a few seconds delay when compared to the hours/days/weeks of downtime you may suffer if a virus gets through and is opened? If the postponement bothers you, a setting “Dynamic Delivery” can be enabled, which allows emails to go through to your organization, but the attachments are withdrawn while being checked.

The ATP, Safe Attachments policy, allows you to extend the file checking to SharePoint, OneDrive and Teams too, so if any malicious files are uploaded to any of those platforms, the same check and block will apply, preventing users from downloading the files.

Safe Links

Working similarly to Safe Attachments, Safe Links in ATP will test links included in emails your organization receives to ensure they do not take you to malicious sites.

Here comes the technical bit; The email is received by 365, and Safe Links rewrites the URL to divert to a test site owned by Microsoft which tests the link for you, checking for malicious content.

The links in emails received by your organization appear as usual, even when a user mouse-overs the link. The divert is applied at the point of being clicked. If a website is deemed unsafe users are presented with a warning screen instead of the intended website which has a big red banner advising the link is unsafe.


This feature of ATP will detect impersonation attempts of any domains you have registered against your 365 platforms. The technical bit behind this is quite lengthy so to summarize, machine learning and advanced impersonation-detection algorithms are deployed to avert these phishing attacks.

Depending on how your policies are configured, emails will do one of the following:

  • Redirect to custom-defined email addresses
  • Move message to recipient’s junk email folder
  • Quarantine the message
  • Deliver the message but insert another email address to the BCC line
  • Delete the message before delivery
  • Take no action

Whitelisting’s can be added to this policy, preventing known trusted domains and subdomains should any incorrectly be flagged as impersonating.

Other ATP Functions

Real-Time Reports – If you have a desire to see just how much ATP is protecting your business, reports can be generated or monitoring in a live environment (365 admin rights required).

Threat Investigation (Real-Time Detections) – This “widget” allows authorized 365 admins to review real-time detection views of malware, submission and phishing attempts.

Attack Simulator – This feature is only available in the ATP Plan 2 subscription but allows a 365 admin to simulate some templated attack scenarios, helping you identify which users in your organization may need further training in email security. The four strategies available are:

  • Spear Phishing (credential harvest – tries to convince a user to click a URL)
  • Spear Phishing (attachment – tries to convince a user to open an attachment)
  • Brute Force Password (dictionary attack – uses a large dictionary file of passwords against a user’s account hoping one of them will work)
  • Password Spray Attack (a single password is used against all users in the organization)


In closing, 365’s ATP offers some robust email filtering services, all of which typically cost vast amounts more than the starting fee of £1.50 per license. If you’re already using a third party mail filter and are considering alternatives, are unsure if you’ve got email filtration in place, or have just opted not to have an email filter configured at all, due to third party licensing or configuration costs, now is the time to consider enabling ATP. Cyber Security isn’t optional anymore; without it, you’re a painted target and easy pickings for the malicious entities of the internet.

Please don’t leave it to chance, don’t settle for sub-par overpriced third party solutions, and don’t assume you have the right cybersecurity in place, take the time to check with your IT department or IT service provider. If there’s anything CFC can do to help do reach out to us, we’re here to help. For what we do today, secures your business for tomorrow.