Previously, in Part 1 of this Office 365 Advanced Threat Protection 101 article series, we explored how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP Anti-Phishing policies. 
Now in Part 2, we will explore ATP Safe Attachments, which checks to see if email attachments or files are malicious and protects your organization according to the ATP Safe Attachments policy configured by you, the Office 365 administrator.
In this article, we’ll discuss how to create an ATP Safe Attachment policy and how to enable ATP protection to files in Microsoft SharePoint Online, OneDrive for Business, and Microsoft Teams. Note that I won’t be going into detail of how ATP Safe Attachments works in this article, as Microsoft has already made a great article here.
In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.
Enabling SharePoint, OneDrive, and Microsoft Teams Protection
Similar to my previous article on ATP Anti-Phishing Policies, we’ll want to head over to the Office 365 Security & Compliance Center, then go Threat Management, then go to Policy in the side navigation bar. Then click on the ATP Safe Attachments tile.
At the Safe Attachments policy page, the first thing you want to do is turn on ATP for SharePoint, One Drive, and Teams. This will just add another layer of protection in case a malicious file is shared in one of these services.
Creating Your First ATP Safe Attachments Policy
In this scenario, we’ll be creating an ATP Safe Attachments Policy that:
- Applies to the archive.imaginet.com mail domain
- Delivers the message immediately and scans the attachment. If attachment contains malware, send it to the quarantine.
At the Safe Attachments Policy Page, click the create button to create a new policy. When the new window pops up, specify your Policy Name and Description.
In this next section, we’ll be selecting the malware response, this part of the policy tells ATP what you want to do with an attachment that has been scanned and found to contain malware. Your options are:
Microsoft warns that Monitor, Block, and Replace may result in email delivery delays. In this scenario, I’ll be selecting the Dynamic Delivery option. I’ll go into detail how this will affect your users in the next section.
You’ll find that you can redirect an attachment to another user, although I don’t see myself or team reviewing these attachments individually. I’ll leave this unchecked.
Then specify who this policy will apply to. In this scenario, I’ll be applying this policy to archive.imaginet.com.
Review your changes, and click Save to create the policy. Microsoft mentions that this may take up to 30 minutes to affect.
How Does This Impact My Users?
In the real world, you may want to test this policy by applying it to a test user or pilot group before applying it to the entire organization.
The policy we just created uses Dynamic Delivery which according to Microsoft does not cause email delivery delays since the message is sent to the recipient right away, and a place holder file is attached until the attachment is scanned. While the file is scanned, users can preview the file safely in safe mode. This preview feature supports most PDFS and office files. If an attachment contains malware, it’s sent to the quarantine. This allows users to receive the email message right away and preview the message safely while it is being scanned.
You may be wondering: what if an attachment was sent to the quarantine by mistake due to a false positive? Well, being an Office 365 administrator, you should be familiar with the Exchange Online quarantine by now. Here you’ll be able to review the message and determine for yourself if the message is a false positive, and if it is, you’ll be able to release it back to the user.
Coming Up Next
Next, in Part 3 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Links Policies, which can help protect your organization by providing verification of URLS in email messages and Office documents. And as always, if you need help with your Office 365 environment, Imaginet is here for you. Our Imaginet certified Office 365 experts can assist you with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.
=====
Imaginet is your trusted technology partner who turns your business innovation ideas into reality. 20+ years | 1200+ satisfied customers | 2500+ successful engagements. Primary services include Web Application Development, Mobile App Development, and SharePoint consulting services, with additional specialties in Power BI & Business Intelligence, Office 365, Azure, Visual Studio, TFS, & VSTS, Skype for Business, and more. Located in the United States (Dallas, TX) and Canada (Winnipeg, MB) with services offered worldwide. Contact us today at info@archive.imaginet.com or 1-800-989-6022.
