Microsoft's Exchange Online Protection provides basic spam and malware protection for Office 365 and/or on-premises Exchange environments. The new Exchange Online Advanced Threat Protection aims to go further, protecting against more sophisticated attacks (like spear phishing).
To do so, it provides the following features:
- Protection against unknown malware. A feature called Safe Attachments takes messages and attachments that appear suspicious and routes them to a hypervisor VM environment (a sandbox "detonation chamber"), where they are opened and checked before the message is delivered to the intended recipient.
- Real-time, time-of-click protection against malicious URLs. To handle URLs that may be initially harmless but later become harmful, a feature called Safe Links tries to check links when a user clicks them, not only when the email is received. It blocks the links based on URL reputation lists that get updated several times a day.
- Rich reporting and URL trace capabilities. These provide increased analytical data and insight.
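As an added illustration (not code from Microsoft or from this article), here is a small Python model of the time-of-click idea behind Safe Links: URLs are rewritten at delivery so they pass through a checker, and the reputation list is consulted when the user clicks, so a host that was added to the list after the mail arrived is still caught. The wrapper host, the sample message and the blocklist entries are constructed for the example.

```python
import re
from urllib.parse import quote, unquote, urlparse

# Hypothetical wrapper endpoint (constructed); the real Safe Links host is Microsoft's.
WRAP_PREFIX = "https://safelinks.example/?url="
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> str:
    """Time-of-delivery step: replace every URL in the body with a link through
    the checker, so the reputation lookup happens at click time, not at receipt."""
    return URL_RE.sub(lambda m: WRAP_PREFIX + quote(m.group(0), safe=""), body)


def unwrap(wrapped: str) -> str:
    """Recover the original destination from a wrapped link."""
    if not wrapped.startswith(WRAP_PREFIX):
        raise ValueError("not a wrapped link")
    return unquote(wrapped[len(WRAP_PREFIX):])


def verdict(url: str, blocklist: set[str]) -> str:
    """Consult the reputation list as it stands now: 'blocked' or 'allowed'."""
    host = (urlparse(url).hostname or "").lower()
    return "blocked" if host in blocklist else "allowed"


def simulate_delayed_weaponization() -> dict:
    """Constructed scenario: the link is clean when the mail arrives and the host
    is added to the reputation list only afterwards (an update later that day)."""
    body = "Please review the invoice at http://invoice-portal.example/doc.aspx?id=7"
    original = URL_RE.search(body).group(0)
    delivered = rewrite_links(body)
    wrapped = URL_RE.search(delivered).group(0)

    blocklist: set[str] = set()                     # at delivery nothing is known
    at_delivery = verdict(original, blocklist)      # a receipt-time-only filter stops here
    blocklist.add("invoice-portal.example")         # reputation list refreshed later
    at_click = verdict(unwrap(wrapped), blocklist)  # time-of-click check sees the update
    return {"rewritten_body": delivered, "at_delivery": at_delivery, "at_click": at_click}
```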
Obviously, any improvement in security features is welcome when it comes to Office 365. Likewise, any enhancements to Exchange Online Protection are appreciated.
But I have some concerns around the new Advanced Threat Protection features.
For one, they aren't free. They cost $2 per user per month. To keep costs down, you could limit their use to executives and other high-value targets in your business, though that has risks. You should look at competing tools that might be cheaper, more effective, or both, though that raises integration issues.
On the technical side, I'm not a huge fan of sandboxing as your first and only option for handling attachments.
One reason is that the delivery delay caused by sandboxing is too long in some cases. Microsoft says the expected delay is four to five minutes, but it can be as long as 30 minutes (when the analysis times out).
Plus, there's already malware that knows it's running in a virtual or sandboxed environment and remains dormant until it reaches the user. A sophisticated attack will avoid Microsoft's sandbox-based detector.
Of course, the sandbox-based detector may not recognize the exploit a particular piece of malware is using, creating a false sense of security. More likely, it will flag an attachment as containing malware when it does not; false positives are already an issue in such tools.
There are other approaches. For example, Mimecast converts suspect attachments into safe viewing formats, such as from Word to PDF, to eliminate any malware without the delays that sandbox-based detection can bring. If the user wants the original file, such as for editing, it then goes through a sandbox-based detector for analysis and, after the delay required for that assessment, is sent to the user if it passes.
The point is that a third-party tool might do the job better, so you should evaluate them first.