Office 365 Advanced Threat Protection

Yesterday I was prepping a little for an upcoming conference that a colleague (Ben Miller, Cloud Security Dude) and I will be speaking at, so I thought I'd share a very short article on how Office 365 Advanced Threat Protection works. For now I'll just cover pretty basic stuff like attachments. I'll go into more detail later and cover address rewriting and other topics.

So here is an email trace I just performed.

[Screenshot: message trace]

So a message comes in and I have 'dynamic delivery' set (I'll cover this in more detail in another article), which basically means that Exchange Online will deliver the message immediately BUT the attachment will only become available AFTER it has been tested in a 'sandbox'. How does Microsoft do that? They spin up a virtual machine, run the attachment there and then 'detonate' it (Microsoft's term) or send it on to meet up with the message after a series of other steps (e.g. address rewriting).

So a user who receives the email and clicks on the attachment before testing is done will see this:

[Screenshots: ATP scan, ATP scan 2]


The process only takes a few minutes.
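As an added example (not from the original post), this is the Exchange Online PowerShell that puts a Safe Attachments policy into the Dynamic Delivery mode described above and then confirms the setting; the policy and rule names, the admin UPN, the recipient address and example.com are placeholders.

```powershell
# Added example, not from the original post. Requires the
# ExchangeOnlineManagement module and an Exchange admin account.
# Policy/rule names, admin UPN, recipient and domain are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Policy: deliver the message straight away, hold the attachment until
# the sandbox verdict is in (Action = DynamicDelivery). ActionOnError
# keeps the attachment held if the scan itself fails rather than
# letting it through unscanned.
New-SafeAttachmentPolicy -Name "DynDelivery-Policy" `
    -Enable $true `
    -Action DynamicDelivery `
    -ActionOnError $true

# Rule: scope the policy to recipients in the placeholder domain.
New-SafeAttachmentRule -Name "DynDelivery-Rule" `
    -SafeAttachmentPolicy "DynDelivery-Policy" `
    -RecipientDomainIs "example.com"

# Check: confirm the action really is DynamicDelivery, not Block/Replace.
Get-SafeAttachmentPolicy -Identity "DynDelivery-Policy" |
    Select-Object Name, Enable, Action, ActionOnError

# Trace a recent message for one recipient, as in the screenshot above,
# to watch the message arrive while the attachment is still being scanned.
Get-MessageTrace -RecipientAddress user@example.com `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Subject, Status
```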
