MS-500 Microsoft 365 Security Administration Topic: ATP (Advanced Threat Protection)
December 16, 2022

1. Introduction to ATP (Advanced Threat Protection)

What is ATP, Advanced Threat Protection? This is a feature tied to your organisational assets in Microsoft 365 that monitors your email, malicious links, and malicious documents, and it uses several different systems to do that. One of the things it uses, obviously, is policies. Policies are a technology that we’ve used extensively throughout the Microsoft 365 environment. You’ve seen them numerous times throughout our previous lessons and lectures, and they give us a way to implement the rules and restrictions we want to use to analyse what users are doing in the environment: whatever documents they open, whether those documents are attached to emails or shared with other users, and whatever links they click and websites they visit. All of this we may wish to police.

So policies give us the tools in Microsoft 365 to do that. We can implement ATP policies that analyse the places people are going, the things they’re opening, the links they’re clicking via email, and the documents they’re looking at via email. ATP also generates a nice report so we can see and investigate what’s going on in our environment. Of course, the reports go right along with the investigative tools we’ll talk about a little later, which let us find out what people are doing. One of the really nice things about this is that it also works in conjunction with Exchange Online. So it gives us a way to deal not only with things like SharePoint and OneDrive, our Office 365, but also with email. If you think about it, one of the most common ways that malicious code gets into our environment is via email. People are clicking links, being phished by phishing links, and opening attachment files that have malware in them.

And, of course, there is Exchange Online. Exchange Online has this thing called EOP, Exchange Online Protection, which monitors certain aspects of email. It scans messages, looking for keywords and things like that. However, ATP, Advanced Threat Protection, really goes the extra mile. The two primary things that you get with it are Safe Attachments and Safe Links. With Safe Attachments, when an email comes in that has an attachment, ATP actually opens it in a virtual container environment and analyses the attachment to see what it’s trying to do. It examines whether the attachment is attempting to modify DLL files, whether it is attempting to access system-specific files and drivers, and whether it is possibly a rootkit. A rootkit is a type of malware that tries to gain admin privileges, and ATP analyses what it does. It’s almost like a little explosive chamber, this virtual container that it uses.

So this piece of malware could explode and try to take over, but it’s essentially in a virtual sandbox. It’s in quarantine, so it can’t really do any damage. And this is a really great way for our enterprise to watch out for what is known as a “zero-day threat.” A zero-day threat involves new types of malware that our virus scanners have never heard of or that maybe our operating systems don’t have patches for yet. So ATP can try to execute those attachments to make sure that they’re not going to damage the user’s operating system. Another thing we have is ATP Safe Links. Safe Links is a feature that works similarly to Safe Attachments. When an email comes in that has a link in it, that link can be analysed: it can be opened in a virtual container using a browser, and ATP looks to see where it’s going. It looks for known phishing websites.

If the website tries to execute some code, it will execute the code and see what happens in that little virtual container before the email can be sent. The other thing that’s great about both Safe Attachments and Safe Links is that if it does find something, there are a couple of things it can do. One thing it can do is obviously go ahead and send an email that says, “Hey, this attachment is malware; you can’t run it,” or “This link connects to malware, and you can’t run it.” You can also have a copy of that email sent to an administrator, who could then investigate it further. This is good, especially in a situation where you’re afraid ATP could flag something as malware when it’s actually something legitimate.

You could have it go to an inbox where an administrator could test things further, and that goes for both Safe Attachments and Safe Links. So it gives us some control. If we want to moderate things a little bit, we have the ability to moderate things and test all of this out. Another thing that can happen is we can have Safe Links display a message that says, “Hey, this is possibly an infected link; go there at your own risk.” We can either let users proceed with caution or flat out refuse to allow that. If we’d rather just block it, we can do so completely. So we definitely have a measure of control when we implement ATP Safe Links. And again, it works really well with Microsoft Exchange Online. Now, this is not only for email; this works in conjunction with SharePoint, OneDrive, Teams, and your Office 365 applications. That is, because you are dealing with things outside the cloud, your ATP policies can take effect. All right?

And this is a huge step forward for anti-phishing, okay? Phishing is one of the most common ways that users are duped into doing and opening things in your environment. Now, another thing you get is some investigative tools. One of the really nifty little tools that they give you access to is called Threat Explorer. Threat Explorer gives you a real-time look at the different threats that have been detected throughout the environment. So it kind of breaks it down into different types of malware. It tells you the IP addresses that have access to that or have tried to open that. You can look at your users and see who your risky users are in your environment that are opening these. You can see what email addresses are being attacked through Exchange. Maybe there’s a lot of malware coming in through a certain email account or email address. This is a great way for us to kind of hone in on our troublemakers in our environment, or maybe the people that are targeted in our environment more often than others. Now we also have the ATP attack simulator.

This is a really awesome tool that Microsoft gives us access to that lets us try out phishing attacks against our users. As you can see, you can draft your own email there, send emails to your users, and track who clicks on and opens those emails. I was talking to a guy one time, and he told me that he had implemented this in his company. And he said in the beginning, lots of people were clicking the links and opening up the infected malware, which really wasn’t infected; it was really just a test to see who was opening it. And he was saying that in the beginning, lots of people were doing it. And then what his company did was implement a policy called mandatory weekend training. So basically, their employees would have to go to mandatory training on the weekend if they clicked the link. He said that as soon as they implemented that policy, immediately, people stopped clicking those links because nobody wants to go to mandatory weekend training, right? So anyway, you can implement the ATP attack simulator and send out these emails and get a good idea of, again, who your troublemakers are, who the people are that are actually opening up these attachments or clicking on these links, and all that fun stuff.

2. Demonstration on configuring and creating ATP Safe Attachments and Safe Links

In this demonstration, I’m going to walk you through the process of looking at ATP. We’re going to talk about Advanced Threat Protection policies. We’ll take a glimpse of the Safe Links policy, Safe Attachments, and all that good stuff. So, to begin, we are on Admin, Microsoft Off. I’m going to click “Show All,” and we’re going to go to the Security & Compliance Center. So we’re going to click on Security and load up the Security & Compliance Center. Now in this case, we’re going to be under Threat Management. So we’re going to drop down this little Threat Management area, and we’re going to click on Policies. Notice some of the stuff I was mentioning in my slide presentation earlier: Attack Simulator, Explorer, all that good stuff. But here we are in the policy area for Threat Management. And a couple of things here stand right out at you: Safe Attachments and Safe Links. We’ll take a look at the Safe Attachments policy right now. So here is Safe Attachments.

And if I wanted to turn this on for SharePoint, OneDrive, and Teams, I could check this box here. Right here, it says to help people stay safe when trusting a file to open outside Protected View in Office. You could turn that on as well. This is an E5-licence-based feature, though. Now down here it says “protect email attachments.” I’m going to click the little plus sign here, and I could give it a name and a description. From there, you’re going to get a warning. It states that Monitor, Replace, and Block actions may result in significant delays in email delivery. Now, that’s something I did want to clarify. Anytime you implement ATP, it can slow things down because obviously the email has to be checked. As I mentioned in my introduction, the attachment is going to be opened in a virtual container, and of course that is going to slow things down. It must be tested and validated against the operating system.

It’s got to make sure there’s not going to be any damage done. So this virtual container is going to slow things down a bit, and you have to know that going into this. Okay, so look at your options here. You have Monitor. Monitor is going to go ahead and continue to deliver the message. Even if it detects malware, it’s just going to send an alert. It will show up as a message for us administrators to look at. Obviously, this is not a popular option in most cases, but it is good if you’re worried about legitimate things getting stopped. Now, Block is a fairly obvious one. It’s just going to flat-out block it. If it’s got some sort of malware and it’s detected as being malicious, it’s just going to get blocked. You have Replace. This is going to replace the attachment. It’ll go ahead and continue to deliver the message, but it’s going to replace that attachment and display a message that says, “Hey, the attachment has been replaced.” You could have it replaced with a PDF file with the title “This file was infected,” telling the user they can’t open it and, if they want to investigate further, to email the administrator.

You could put a document in place for that. And then you have Dynamic Delivery. Dynamic Delivery is going to deliver the message without the attachment. This is a really great feature because it means that the user gets the email right away, and it basically says, “Hey, here’s the email, but it has an attachment that is currently being scanned.” It doesn’t allow the person to access the attachment until it’s done scanning and checking it. That’s a great feature because at least the email gets delivered very quickly. This option here is “redirect attachments on detection.” This is great if you want to have a catch-all inbox for an admin who is going to get a copy of all of these attachments; you can go ahead and set that up here.

You can specify an email address for an admin who is going to do that. So maybe I want to get a copy of all these malicious attachments so that I can investigate further. That’s a great way to do that. Okay, so this is how you would set up Safe Attachments. Let’s take a look at Safe Links now. We’re going to go back over to Policy and click on ATP Safe Links. This is where I want to do my hands-on. Now we’ve got a default policy here that represents the entire organization, although if we wanted to, we could create a policy and tie it to specific users. I’m going to go ahead and edit the default policy because I want it to affect the entire organization. So I’m going to click this little pencil symbol here, and then at that point, I’m going to put in the URLs that I want to look for. Now keep in mind that you can use wildcards for this. So maybe I’m looking for a link from a website called I could put a star in front of that, which is basically going to say everything that has “we are going to hack” on the end of it. We’re going to hack you even if I didn’t want to. That includes anything that has or will hack you in anywhere.

OK, I could add that if I wanted to be explicit. This is something I like to say: if this was, let’s say, a type of scenario that you got on the exam, you would want to do it exactly like they tell you to. If they don’t tell you to put stars, you wouldn’t put stars, and you wouldn’t put wildcards. So if they were to tell you, “Hey, we just want you to block the URL called “,” then that’s what you would do.” When you put that in, you would click the plus sign. And now you’ve added that as an indication that you want to block something. You definitely just want to flat-out block it. You’re not going to allow it; it’s not going to be scanned; it’s just going to get blocked immediately if there is a link tied to that domain name. Okay, so a pretty straightforward idea there. You’re just putting in a domain name, a URL, or whatever you want to block, and you can use wildcards. So it says “settings that apply to content except email” right here. These settings don’t apply to email messages. If you want to apply them to email, create a Safe Links policy for email recipients.

So right here it says, “Use safe links in Office 365 applications.” For the applications selected above, “do not track when users click safe links.” Okay? So anything that’s safe, it’s not going to actually track it, but anything that’s not safe, if they click on it, obviously it’s going to keep track of those. Then it says, “Do not let users click through safe links to the original URL.” So what happens is if a link pops up that a user wants to open, we can prevent them entirely from being able to click through, because otherwise they’ll get a warning message, and it is possible for them to pass through and open that link anyway. So if we don’t want to allow that, we can select that checkbox. Now, returning to the section where it states that these settings do not apply to email messages: if you want to apply them to email, create a Safe Links policy. So where we’re going with this is that if we set up our block policy here, you’ll also have policies that apply to specific users down here. So if you wanted to apply a set of policies to a specific group of users, you could do that here. Specify the name of the Safe Links policy here, apply it to the URLs that you want right here, and then you can specify who this is going to go to.

Okay, so that’s where they’re going. Another thing you can do in terms of a Safe Links policy is, when you set up your URLs, if you come down here, it’ll say “Applied to,” if you wanted it to go to specific groups or specific recipients. You’ll notice this is an “if” statement. So I can drop this down and say, “The recipient is,” and I could specify a specific recipient or a recipient domain, or I could say the recipient is a member of, and I could specify a specific group. Okay? Now in my case, the only thing I wanted to do in this hands-on activity is add the policy right here for the entire organization. I wanted to add this domain name. And again, as far as an exam goes, you want to do exactly what they tell you to do. They tell you to add a URL, one URL for the entire organization. That’s all you’ve got to do. If they aren’t telling you to go ahead and add policies to specific users, then don’t. Again, you want to stick to what it is that they tell you to stick to on this, okay? At that point, we added our Safe Links policy and finished this task.
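
The portal settings walked through in this demonstration can also be applied and checked from Exchange Online PowerShell. The script below is an added example, not part of the original lesson; the policy and rule names, the contoso.com domain, the review mailbox and the group are placeholders, and it assumes the ExchangeOnlineManagement module and a tenant licensed for these policies.

```powershell
# Added example: names, addresses and the group below are placeholders.
# Requires the ExchangeOnlineManagement module and an administrator account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Checkbox "turn on ATP for SharePoint, OneDrive, and Teams".
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Attachments policy. Portal option -> value of -Action:
#   Monitor          -> Allow            (message delivered, detection reported)
#   Block            -> Block
#   Replace          -> Replace
#   Dynamic Delivery -> DynamicDelivery  (body now, attachment after the scan)
$saPolicy = @{
    Name            = 'Example Safe Attachments'
    Enable          = $true
    Action          = 'DynamicDelivery'
    Redirect        = $true                      # "redirect attachments on detection"
    RedirectAddress = 'atp-review@contoso.com'   # placeholder admin mailbox
}
New-SafeAttachmentPolicy @saPolicy

# The policy only takes effect once a rule says who it applies to.
New-SafeAttachmentRule -Name 'Example Safe Attachments rule' `
    -SafeAttachmentPolicy 'Example Safe Attachments' `
    -RecipientDomainIs 'contoso.com'

# Safe Links policy for email recipients.
$slPolicy = @{
    Name                    = 'Example Safe Links'
    EnableSafeLinksForEmail = $true
    ScanUrls                = $true
    AllowClickThrough       = $false   # "Do not let users click through ..."
    TrackClicks             = $true
}
New-SafeLinksPolicy @slPolicy

# "The recipient is a member of" condition from the portal's Applied To section.
# -SentTo and -RecipientDomainIs cover the other two conditions.
New-SafeLinksRule -Name 'Example Safe Links rule' `
    -SafeLinksPolicy 'Example Safe Links' `
    -SentToMemberOf 'Finance Team'               # placeholder group

# Check what is actually in force before relying on it.
Get-SafeAttachmentPolicy |
    Format-Table Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule |
    Format-Table Name, State, Priority, SafeAttachmentPolicy
Get-SafeLinksPolicy |
    Format-Table Name, EnableSafeLinksForEmail, AllowClickThrough, TrackClicks
```

Parameter availability changes as the service evolves, so confirm each one with `Get-Help` in your own session before running the script.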

3. Stepping through the hands on tutorial for creating an ATP Safe Links Policy

Here we are on portal We’re going to drop the show all ellipses down and click on the Security Center, which is going to take us to the Security and Compliance Center. From there, we’re going to go to Threat Management and then click Policy. And we need to develop a safe link policy. That is what this activity has asked us to do. So we’re going to go ahead and go there. All right? And we are creating this policy for our organization.

So we’re going to click on the little pencil symbol, and then we’re going to be adding the URL, the domain name that was requested that we had, which in this case was that we were going to hack you. We’re going to click the little plus sign. Don’t forget to do that. Click the plus sign. At that point, we’ll click “Save,” then “OK.” And we’ve now officially created our little, simple ATP Safe Links policy. So creating a Safe Links policy is that simple; it doesn’t take long. Remember, as I said previously, you don’t want to enable or disable anything there that you’re not supposed to. If this were an actual exam scenario, you would want to stick to exactly what they’ve told you to do, which in our case was just to add that one Safe Links policy because we are going to hack you.

4. Windows Defender ATP Guard Technologies

So what exactly is Windows Defender ATP? You want to think of it almost like an appliance. Some of you may be familiar with intrusion detection systems and intrusion prevention systems. These are appliances that you would purchase and plug into your network, and they act as alarm systems. Intrusion detection attempts to find threats and then alert somebody. You’ve also got what’s called intrusion prevention, which is an appliance that actually tries to prevent a threat. Well, imagine not just buying one device and plugging it in and expecting it to police everything. Imagine if all of your Windows 10 devices could act as little alarm systems and try to stop threats that are occurring against those machines. This is exactly what Windows Defender ATP is. These services are built into Windows 10 and can be controlled through your cloud services.

Now, in this course, they do expect you to have a little bit of an understanding of this. They don’t really get into all the configurations, but it does give you a good understanding of what is going on here. All right, so we have threat and vulnerability management. This is the part of Windows Defender ATP that tries to detect threats, figure out what vulnerabilities are out there, maybe on a system, and then close out those threats. It works in conjunction with the Microsoft security services, where they’ve actually got thousands of security personnel across the world who work for Microsoft and monitor for threats. They can update the database very quickly, so the ATP threat database gets updated. This benefits the environment by allowing you to learn about threats as they occur. This is also to try to lower the attack surface. The attack surface is all the entryways into your environment through which people can access things they shouldn’t. You have what’s called NextGen protection. You may have heard of a NextGen firewall. All that means is that we can do intrusion detection and intrusion prevention on top of all of our normal firewall capabilities that Windows Defender already has. We have endpoint detection and response.

That involves being able to control our endpoints with malware protection, and all that involves Windows Defender antivirus. We have automated investigation and remediation procedures in place. We have the ability to investigate the threats and then attempt to remediate those threats using our cloud services. And lastly, we have the Microsoft threat experts. These are the guys that I was talking about. There are thousands of them. Actually, I wanted to say 3000 and something people; the last time I checked, Microsoft said they had over 3000 security personnel monitoring threats around the world. OK, so what does this bring to the table? It provides us with a centralised system for monitoring all of our Windows 10 devices and attempting to protect them from various threats. So let’s go deeper and talk about some of the other pieces of all this. The next piece of this that we have is called Windows Defender Application Guard.

Now Windows Defender Application Guard is going to try to protect your Windows 10 environment from apps that get installed. These could be malicious apps that attempt to install malware: any kind of virus, worm, rootkit, or other malicious code. Windows Defender Application Guard is going to try to prevent that. One of the ways it’s going to do that is by attempting to isolate whatever it is and cut off its ability to make changes. The other thing it’s going to try to do is get you to use the Edge web browser, because the Edge web browser has the ability to run everything in a virtualized container based on a hypervisor. This makes it so that if an application runs and tries to gain admin privileges, it’s blocked from being able to do that. Windows Defender Application Guard is another feature that can be controlled through your cloud services and is supported by Windows 10. Something else we’ve got is called Windows Defender Credential Guard. Maybe you’ve heard of attacks where hackers actually gained access to the password database on your computer. In Windows, you have a service called LSA, the Local Security Authority, and LSA manages a file on your hard drive called SAM. On a domain controller, it’s actually NTDS, which is the Active Directory database. Either way, what if a hacker somehow got a copy of the database file that had your passwords in it?

They could attempt to do things like brute-force attacks and all that. Now, in the past, another type of attack we had to worry about was somebody walking up to your computer with a USB flash drive, maybe with something like Kali Linux on it or some other operating system that can just ignore Windows security, plugging in that flash drive, rebooting your computer, possibly into Kali Linux, and then simply blanking out your password. You can actually do that. If you don’t know how to do it, look it up on YouTube. There are a million videos on how to reset a Windows password using something like Kali Linux. So this is going to protect you from that threat. Windows Defender Credential Guard is containerized using Hyper-V. It’s containerized, almost like a virtual machine, and that container holds the sensitive information for your operating system, such as your password. It will also protect you from keyloggers gaining access to your password. So this is another very powerful capability that we get with Windows 10.

We also have Windows Defender Exploit Guard. This is all about looking at the exploits. We were talking about ATP and how it can learn about the different threats, and this is all part of that. As the Microsoft security teams update the different threats and discover different exploits, those exploits go into a database, and we find out about them through this database. If we’re communicating with the cloud services, then Exploit Guard is learning about those and can stop a lot of the different types of exploits that come out, and it helps us monitor them. If a new exploit is discovered, it helps us monitor it and can also send information to Microsoft’s security team so they can learn from it and release it to the rest of the world. OK, so you get a lot of stuff with this. This is a very powerful capability. With Windows 10, we get a lot of great features that we could utilise to help secure our environments.
