Office 365 Advanced Threat Protection

Yesterday I was prepping a little for an upcoming conference that a colleague (Ben Miller, Cloud Security Dude) and I will be speaking at, and I thought I’d share a very short article on how Office 365 Advanced Threat Protection works. For now, I’ll just cover pretty basic stuff like attachments. I’ll go into more detail later and cover address rewriting and other topics.

So here is an email trace I just performed.


So a message comes in and I have ‘dynamic delivery’ set (I’ll cover this in more detail in another article). Basically, this means that Exchange Online delivers the message immediately, BUT the attachment only becomes available AFTER it has been tested in a ‘sandbox’. How does Microsoft do that? They spin up a virtual machine and run the attachment there, and then either detonate it (Microsoft’s term) or send it on to rejoin the message after a series of other steps (e.g. address rewrite).

So this is what the user sees when they receive the email and click on the attachment before the scan has finished.

[Screenshots: ATP scan, ATP scan2]


The process only takes a few minutes.
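As an added example (not from the original post), here is how the ‘dynamic delivery’ behaviour described above is set up and checked from Exchange Online PowerShell; the policy and rule names, the recipient domain and the mailbox address are placeholders, not values from the post.

```powershell
# Added example, not from the original post: create a Safe Attachments policy that uses
# dynamic delivery, scope it to a domain, verify it, and look at a recent message trace.
# Requires the ExchangeOnlineManagement module. All names and addresses are placeholders.
Connect-ExchangeOnline

$policyName = 'ATP-DynamicDelivery'     # placeholder policy name
$domain     = 'example.com'             # placeholder recipient domain
$recipient  = "someone@$domain"         # placeholder mailbox to trace

# DynamicDelivery: the message body is delivered at once and the attachment is held back
# until sandbox testing finishes (the user sees the placeholder shown in the screenshots).
New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action DynamicDelivery

# The rule decides whose mail the policy applies to; here, one recipient domain.
New-SafeAttachmentRule -Name "$policyName-rule" `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs $domain

# Check: the policy should be enabled with Action = DynamicDelivery.
Get-SafeAttachmentPolicy -Identity $policyName |
    Select-Object Name, Enable, Action

# A message trace for the last hour, like the one the post refers to, with per-hop detail.
Get-MessageTrace -RecipientAddress $recipient `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Get-MessageTraceDetail |
    Select-Object Date, Event, Detail
```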

