Office 365 Advanced Threat Protection

by Rupert Davey
April 2019

If you’re getting junk email, phishing attacks and general spam, there’s an excellent-value Microsoft subscription that could help nicely: Advanced Threat Protection!

Office 365 Advanced Threat Protection Plan 1

In addition to your main Office 365 licence, you can get an “Office 365 Advanced Threat Protection Plan 1” licence (aka Office 365 ATP Plan 1). The ATP Plan 1 licence allows us to enable a bunch of extra security features, one of which is named “Anti-Phishing”. Phishing is a technique used by the bad guys to get info from you. There’s more information about phishing on the Microsoft site.

Here’s some background reading for the ATP anti-phishing capabilities in Office 365. Have a read of the "Learn about ATP anti-phishing policy options" section. Where a specific attempt is made to impersonate an email address, that email will be redirected to the Junk Folder; other processing options are available.

ATP Plan 1 also adds hyperlink checking and additional attachment scanning. The link checking is pretty good and the tech behind the attachment scanning is cool, but this feature needs careful evaluation before roll-out.

Costs & getting it

Office 365 ATP is £1.51 per user per month and I’d recommend getting it for key users, senior staff and people in Finance; but if you can, all users.  It's an add-on for existing mail-enabled Office 365 subscriptions, so Hosted Exchange Plan 1, Business Essentials and Business Premium are all fair game!

ATP Plan 1 and Plan 2 are included in some higher level Office 365 subscriptions such as Office 365 E5; if you have it, turn it on!

It’s fantastic value for money, try it out on one or two users and then roll it out!

ATP Anti-phishing config

Now it's signed off and you've assigned a couple of licences, the geeky bit.  Sorry.

We're only going to cover the anti-phishing stuff as that's the most tricky.

Head over to and sign in with an admin account, expand Admin centers and open Compliance.

Right, this is where the magic starts.  If you've got the new interface, you'll need to go via More resources and then Office 365 security & compliance center.  I know... they don't make this easy!

On the left will be Threat management, under which you'll find Policy.  The bit we're interested in is ATP anti-phishing, but ATP safe attachments and ATP Safe Links will both now be shown too.

Couple of gotchas here.  The Default policy button gives you all the options you need, but it's then not obvious to other admins that anything is set up and you can't re-order.  So we tend to leave this alone and go straight for +Create.

Name your policy and describe it for other admins, then Next.  Now, on +Add a condition, go for The recipient domain is, then choose, then add, and pick your domain(s).  This means that users added in the future don't need special config. Next out and get to Create this policy.

Now, you're presented with a bunch of options.

Next to Impersonation, click edit.  Turn on Add users to protect. The TL;DR is this: add key staff.  Otherwise, have a read of the "Add users to protect" section under the "Learn about ATP anti-phishing policy options" on the Set up Office 365 ATP anti-phishing and anti-phishing policies page for more info.  Click Save when done.

Under Add domains to protect turn on Automatically include the domains I own then Save.  In Actions we go with Move messages to the recipients' Junk Email folders but other options are listed; we do this for both drop downs.  Top tip: Click on Turn on impersonation safety tips and turn them all on!

Save out and head to Mailbox intelligence, make sure this is enabled.  Save out. 

You should be back on the Edit your policy menu.  Top tip: scroll down a tiny bit and you'll see Advanced settings, jump in there and go from Standard to Aggressive.  Save out.

Under Threat management, have a look at Dashboards and check out the impact.
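
For admins who'd rather script it, here are the same settings as the walkthrough above, written as Exchange Online PowerShell. This is an added example, not part of the original article. It assumes the ExchangeOnlineManagement module is installed, and the policy name, domain, admin account and staff addresses are all made-up placeholders.

```powershell
# Added example: the portal steps above expressed as Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and ATP licences are assigned.
# The policy name, domain, admin account and staff below are constructed placeholders.
$PolicyName = 'ATP Anti-Phishing - Key Staff'
$Domain     = 'example.com'
$KeyStaff   = @(                                       # "DisplayName;address" pairs
    'Alex Director;alex.director@example.com',
    'Sam Finance;sam.finance@example.com'
)

Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Desired state, one entry per option set in the walkthrough
$Desired = @{
    EnableTargetedUserProtection        = $true        # Add users to protect
    TargetedUsersToProtect              = $KeyStaff
    EnableOrganizationDomainsProtection = $true        # Automatically include the domains I own
    TargetedUserProtectionAction        = 'MoveToJmf'  # Move to recipients' Junk Email folders
    TargetedDomainProtectionAction      = 'MoveToJmf'  # Same action for the second drop down
    EnableSimilarUsersSafetyTips        = $true        # Impersonation safety tips, all on
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableMailboxIntelligence           = $true        # Mailbox intelligence
    PhishThresholdLevel                 = 2            # 1 = Standard, 2 = Aggressive
}

# Create the policy, then the rule that scopes it to every recipient in the domain,
# so users added later are covered without extra config
New-AntiPhishPolicy -Name $PolicyName -AdminDisplayName 'Impersonation protection for key staff' @Desired
New-AntiPhishRule -Name $PolicyName -AntiPhishPolicy $PolicyName -RecipientDomainIs $Domain

# Read the policy back and warn about any setting that differs from the desired state
$Actual = Get-AntiPhishPolicy -Identity $PolicyName
foreach ($Key in $Desired.Keys) {
    $Want = @($Desired[$Key]) -join ','
    $Have = @($Actual.$Key)   -join ','
    if ($Want -ne $Have) {
        Write-Warning "$Key is '$Have', expected '$Want'"
    }
}
Get-AntiPhishRule -Identity $PolicyName | Format-List Name, State, Priority, RecipientDomainIs
```

Re-running just the read-back part later is a quick way to spot another admin changing the policy in the portal.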