Prevent Zero-day Malware in Email with Office 365 Advanced Threat Protection

By Todd Bey| October 27, 2017

Microsoft’s Advanced Threat Protection (ATP) is a cloud-hosted add-on to Office 365 (Exchange Online) that helps prevent zero-day malware, Advanced Targeted Attacks and phishing attacks in your email environment. It is included in Office 365 and can be added on to almost any subscription plan, including E1 and E3.

Protection Against Advanced Targeted Attacks

Advanced Targeted Attacks are, typically, threats that enter an organization and then seek to execute some sort of malicious event in a stealthy fashion. An Advanced Targeted Attack will often target vulnerabilities in an organization's email traffic using spear phishing or zero-day viruses, and will also embed malware on websites that the organization's users are likely to visit in order to launch the attack.

Traditional solutions like signature-based anti-virus might catch the known threats but cannot protect against unknown zero-day threats. This is where ATP comes in to protect email.

How Advanced Threat Protection Works

ATP consists of three components which supplement the existing spam filtering features:

  • Safe Attachments processes attachments in a sandbox environment to look for signs of malicious behavior, such as encrypting local files or phoning home to a remote server. Emails with attachments sent to the sandbox will have a delivery delay of about 5 minutes to account for the scan. A whitelist and other rules can be set up to minimize the impact if your business requires low-latency communication for certain critical business processes.
  • Safe Links is a “time of click” processing method. Each link sent to a user is wrapped in a Safe Links URL. When the user clicks on the link, the Safe Links check is activated via a cloud service which checks the up-to-the-second reputation of the link. If the link is safe, the user is redirected to the URL transparently. If found to be malicious, the user will see a block page and be denied access.
  • Click Trace keeps a record of every user who has clicked on a Safe Link-wrapped URL for additional protection, visibility, and forensics.

Safe Attachments and Safe Links integrate with the included Office 365 spam and malware filtering systems, such as signature checking and heuristics.
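The three components above are configured as policies and rules in Exchange Online PowerShell. The following is an added example, not code from the original article or from Microsoft; it assumes the current ExchangeOnlineManagement module (parameter names such as -EnableSafeLinksForEmail replaced the older -IsEnabled after this article was written), an account holding the Security Administrator role, and placeholder names, domains and addresses (contoso.example, the orders-edi mailbox, the intranet URL). It also shows one way to handle the whitelist caveat from the Safe Attachments bullet: rather than exempting a low-latency mailbox from scanning entirely, it is given a Dynamic Delivery policy, which delivers the message body immediately and attaches the file once the sandbox verdict is clean.

```powershell
# Added example (not from the original article or Microsoft). Assumes the
# ExchangeOnlineManagement module and a Security Administrator account.
# All names, domains and addresses below are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# --- Safe Attachments: detonate attachments in the sandbox, block on a malicious verdict ---
New-SafeAttachmentPolicy -Name "SA-Block-Default" `
    -Enable $true `
    -Action Block

# Apply to every recipient in the tenant domain, except the placeholder mailbox
# that the article's low-latency / whitelist caveat is about.
New-SafeAttachmentRule -Name "SA-Block-Default-Rule" `
    -SafeAttachmentPolicy "SA-Block-Default" `
    -RecipientDomainIs "contoso.example" `
    -ExceptIfSentTo "orders-edi@contoso.example"

# For that mailbox, keep scanning but remove the ~5 minute delay: Dynamic Delivery
# sends the body at once and attaches the file after the sandbox clears it.
New-SafeAttachmentPolicy -Name "SA-DynamicDelivery" `
    -Enable $true `
    -Action DynamicDelivery

New-SafeAttachmentRule -Name "SA-DynamicDelivery-Rule" `
    -SafeAttachmentPolicy "SA-DynamicDelivery" `
    -SentTo "orders-edi@contoso.example"

# --- Safe Links: rewrite URLs, check reputation at time of click, keep the click trace ---
# -TrackClicks $true is what produces the Click Trace records described above;
# -AllowClickThrough $false keeps users from bypassing the block page.
# -DoNotRewriteUrls is the Safe Links whitelist (placeholder intranet URL).
New-SafeLinksPolicy -Name "SL-Default" `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -DoNotRewriteUrls @("https://intranet.contoso.example/*")

New-SafeLinksRule -Name "SL-Default-Rule" `
    -SafeLinksPolicy "SL-Default" `
    -RecipientDomainIs "contoso.example"

# --- Verify what is now in effect ---
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action
Get-SafeLinksPolicy | Format-Table Name, EnableSafeLinksForEmail, ScanUrls, TrackClicks, AllowClickThrough

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once per tenant; the rules are what scope a policy to recipients, so a policy with no rule does nothing. Because the first Safe Attachments rule explicitly excepts the orders-edi mailbox, the two rules never match the same recipient and no priority ordering is needed.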

If mail is delivered that is later determined to be malicious, Microsoft uses its “ZAP” feature (Zero-hour Auto Purge) to remove the email from an Office 365 mailbox even after it has been delivered. Microsoft leverages heuristics across all its tenants to continually learn about new malicious behaviors. This feature is included in the base Exchange Online license (for example, E1 and E3).

Is The Cloud Really Secure?

The cloud is at least as secure as, if not more secure than, traditional on-premises methods. Cloud vendors like Microsoft are uniquely positioned to respond to these new and evolving threats using first-party systems. They have the team that built the hypervisor and sandbox used to do the detection. They have the Windows engineers who built the operating system that attackers are trying to compromise. They also leverage the people who protect Microsoft itself from malware. As a result, they are able to provide a rapid, unique response, because Microsoft has full end-to-end coverage and visibility.

If you want to prevent zero-day malware in your organization, contact BDO Digital's security practice to discuss the best zero-day defense for your business.
