Enriching the Admin Experience For Office 365 Advanced Threat Protection

Enriching the Admin Experience For Office 365 Advanced Threat Protection

Empowering Admins with Insights

The Office 365 Security and Compliance Center already provides access to malware trends, real-time reports, and granular threat details. Microsoft is now adding organizational insights such as anomalous behavior or repeat policy offenders. These insights are presented both in the reports and in the threat dashboard, correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential problems. The recommendations are generally remediation actions empowering admins to proactively secure their organization. The insights are holistic and cover both information and threat protection.


Threat Protection Insights include:

  • Policy or end user configurations (e.g. transport or mail flow rules, custom policy settings, junk mail folder settings) that can be improved to block delivery of malware, phish, or spam.
  • Policies and configurations enhancing protection for users targeted by malware and phishing campaigns in an organization.

Figure 1.. Threat protection insights in the Security dashboard in the Security and Compliance Center

Soon Microsoft will release an enhanced Threat Protection status trending report, offering a single view with drill downs into malicious emails identified within the organization, including detection details for malware and phish.


Figure 2. Threat protection status report with email malware and phish detections in the Security and Compliance Center

 Information Protection Insights include:

  • Views into users who violate large volumes of Office 365 Data Loss Prevention (DLP) policies
  • Anomaly insights showing unusual trends in your DLP policy violations

Microsoft is also introducing a new report of DLP policy matches on a per item level enabling easier identification of documents or emails which violate policies.


Figure 3. DLP incident report with information protection insights embedded in the Security and Compliance Center

Enhanced Admin Quarantine

Admins can now view, release, delete, and report false positive quarantined messages in Office 365.  Quarantine for the Office 365 Security and Compliance Center (SCC) is enriched with a more in-depth investigation and analysis experience including:

  • Enhanced search and filtering capabilities for messages in quarantine.
  • In line actions for message download and release to any recipient, supporting security investigation and analysis workflows in the organization.
  • Restricting the ability to view, download, release, delete, and report phishing messages in quarantine to admins (due to rise in phishing campaigns)

Figure 4. Download quarantined messages (left) and release quarantined messages to recipients (right)

Microsoft recently announced the extension of Office 365 Advanced Threat Protection (ATP) to protect files in SharePoint Online, OneDrive for Busi... and they’re excited to now extend quarantine capabilities to files stored in these applications. This includes download, release, report and delete features in quarantine.

  • ‘Release’ removes the end user block on the file
  • ‘Delete’ removes the file from quarantine; however, the file is still blocked in SharePoint Online, OneDrive for Business and Microsoft Teams and must be deleted from the respective document libraries in these services to preserve content specific audited activities

Figure 5. Malicious files detected by Office 365 ATP with actions to release, report, download and delete the files from quarantine

Now admins can create policies to send filtered messages to quarantine when they were identified as spam, bulk, phish, or when they match a mail flow rule. By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Other filtered messages are sent to users' Junk Email folder unless the policy specifies sending them to quarantine.