Default Banner

What's New in Office 365 Advanced Threat Protection (ATP)

  • Share This Article
Spread the love

Stay Up To Date With All of the New Features Office 265 has for (ATP) Advanced Threat Protection

Advanced threat protection (ATP) refers to a category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data. Advanced threat protection solutions can be available as software or as managed services. ATP solutions can differ in approaches and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems, and a centralized management console to correlate alerts and manage defenses.

Advanced Threat Protection (ATP) is a crucial component of any modern and comprehensive network security infrastructure. The cyber threat landscape and attack surface areas are increasing in size for businesses around the world. Cybercriminals are using existing and new techniques to probe and penetrate the networks, systems, and applications in organizations of all sizes. Staying informed about emerging threats and attack vectors is a full-time pursuit. Many organizations can’t dedicate the resources required to keep current in this area, or they may find that the demand for skilled cybersecurity professionals makes it hard to recruit the necessary IT staff. Staying fully up to date on all emerging threats also means that experienced IT security professionals have significantly less time to spend on other projects that drive the organization forward.

We are continuing to add new features to Office 365 ATP. To learn more about new features coming to ATP (or Microsoft 365 in general), see the following resources:

Requirements for Office 365 Advanced Threat Protection (ATP)

ATP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by ATP, see the “Supported browsers” and “Supported languages” sections in Exchange admin center in Exchange Online Protection.

Feature availability across Advanced Threat Protection (ATP) plans

Each feature is listed below. When Exchange Online is mentioned, it typically refers to the Office 365 Enterprise service family.

Feature ATP Plan 1 (formerly ATP standalone) ATP Plan 2 (formerly Threat Intelligence standalone) Office 365 Enterprise E5
Configuration, protection, and detection
Safe Attachments Yes Yes Yes
Safe Attachments in Teams Yes Yes Yes
Safe Links Yes Yes Yes
Safe Links in Teams Yes Yes Yes
ATP for SharePoint, OneDrive and Microsoft Teams Yes Yes Yes
Anti-phishing policies Yes Yes Yes
Real-time reports Yes Yes Yes
Automation, investigation, remediation, and education
Threat Trackers No Yes Yes
Threat investigation (advanced threat investigation) Real-time detections Explorer Explorer
Automated incident response No Yes Yes
Attack Simulator No Yes Yes


Want a downloadable list of differences between Office 365 ATP Plan 1 and Plan 2? Get the PDF.

Safe Attachments

ATP Safe Attachments protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don’t have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.


ATP Safe Attachments scanning takes place in the same region where your Office 365 data resides. For more information about data center geography, see Where is your data located?

Safe Links

The ATP Safe Links feature proactively protects your users from malicious URLs in a message or in an Office document. The protection remains every time they select the link, as malicious links are dynamically blocked while good links can be accessed.

Safe Links is available for URLs in the following apps:

  • Microsoft 365 Apps for enterprise on Windows or Mac
  • Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web)
  • Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices
  • Microsoft Teams channels and chats
  • How to Enable Advanced Threat Protection


Users must be licensed for ATP*, must be included in ATP Safe Links policies, and must be signed in on their devices for protection to be in place.

* For organization-wide ATP licenses (for example, ATP_ENTERPRISE_FACULTY), you don’t need to assign ATP licenses to individual users.

For more information about ATP Safe Links protection, see How ATP Safe Links works with URLs in Office documents.

ATP for SharePoint, OneDrive, and Microsoft Teams

ATP for SharePoint, OneDrive, and Microsoft Teams helps detect and block files that are identified as malicious in team sites and document libraries. In addition, ATP Safe Links protection is now available in Microsoft Teams channels and chats.

Anti-phishing policies

ATP anti-phishing checks incoming messages for indicators that a message might be a phishing attempt. When users are covered by ATP policies (Safe Attachments, Safe Links, or anti-phishing), incoming messages are evaluated by multiple machine learning models that analyze messages and the appropriate action is taken, based on the configured policies.

Real-time reports

Monitoring capabilities available in the Security & Compliance Center include real-time reports and insights that let your security and compliance administrators focus on high-priority issues, such as security attacks or increased suspicious activity. In addition to highlighting problem areas, smart reports and insights include recommendations and links to view and explore data and also take quick actions.


Explorer (also referred to as Threat Explorer) is a real-time report that lets authorized users identify and analyze recent threats. By default, this report shows data for the past 7 days; however, views can be modified to show data for the past 30 days.

Explorer contains views, such as Malware (for email and content), Submissions, Phish, and All Email. To see how Explorer compares with real-time detections, download this PDF.

For more information about Explorer (in Office 365 Advanced Threat Protection Plan 2) and real-time detections (in Office 365 Advanced Threat Protection Plan 1), see Threat Explorer and real-time detections.

Real-time detections

Real-time detections is a real-time report that lets authorized users identify and analyze recent threats. Similar to Explorer, by default, this report shows data for the past 7 days.

Real-time detections contain views, such as Malware (for email and content), Submissions, and Phish. To see how real-time detections compare with Explorer, download this PDF.

For more information about Explorer (in Office 365 Advanced Threat Protection Plan 2) and real-time detections (in Office 365 Advanced Threat Protection Plan 1), see Threat Explorer (and real-time detections).

Threat Trackers

Threat Trackers are informative widgets and views that provide authorized users with intelligence on cybersecurity issues that might impact your organization.

Automated Incident Response

Automated incident response (AIR) capabilities available in Office 365 ATP Plan 2 enable you to run automated investigation processes in response to well known threats that exist today. By automated certain investigation tasks, your security operations team can operate more efficiently and effectively. Remediation actions, such as deleting malicious email messages, are taken upon approval by your security operations team. To learn more, see How AIR works in Office 365.

Attack Simulator

Attack Simulator lets authorized users run realistic attack scenarios in your organization. Several different kinds of attacks are available, including a display name spear-phishing attack, a password-spray attack, and a brute-force password attack.