Office ATP P2

Since the beginning of February 2019, Microsoft is dividing Office ATP features into P1 and P2. Everything that was called “Threat Intelligence” before goes now into Office ATP P2. In this article, I give a brief overview of Office ATP P1 and P2 features and go deep into an exciting P2 feature called “Attack Simulator”.

But let’s start with P1. To be honest, I was underestimating the value of Office ATP for a while. But in the meanwhile (while I was not watching), Microsoft added more and more functionality to mitigate the most common attack vectors:

  • Email
    • Links in Body & Attachments (Fat Client & OWA)
  • Links in Documents
    • Office on Windows, iOS, Android
    • Links in Team Conversations
  • Files in
    • OneDrive
    • SharePoint
    • Teams

So, you say, you have Exchange Online and SharePoint Online and those services are using Anti-Virus anyway, so why would you need Office ATP?

ATP goes a step further: Whenever you read “link” in the above bullet list, Office ATP is replacing this “link” with a link that is pointing to Microsoft servers. That means, when your users click on this link to e.g. download a file, this file goes through all the Office ATP intelligence. So even if the link was Ok during e.g. delivery of the Email but the attackers changed the document on the server-side in the meanwhile (and after the initial scan), Office ATP will recognize that. This is called: Safe Links.

With Safe Attachments on the other hand, Microsoft is even detonating your attachments! They will take the attachment to a virtual environment and watch how it behaves in order to decide if it is malicious.

How this looks like for example in Teams was recently described by ‘Matt Soseman’: https://blogs.technet.microsoft.com/skypehybridguy/2019/02/18/microsoft-teams-protect-against-phishing-malware/

Looking deeper into P1 features

The services improved over time. E.g. with “native link rendering” Microsoft displays the original link in the hover-window instead of the Safe-Link to not confuse users:


Pic01: hover text

You must look into the status bar in order to see the “real” URL:


Pic02: Status bar

Of course, all those techniques are not the holy grail. As always: somebody finds an exploit (e.g. “baseStriker” in Safe Links) and Microsoft closes that gap afterwards.

It is also important to note that not all content on SharePoint goes through Office ATP. Instead ATP is using a smart algorithm that takes guest and sharing activity under consideration. So, whenever there is “external” activity with files, it will act.

Now, lets shift gears and talk about Office ATP P2 features

There are several features available here: with ‘threat tracker’ you get informed about the latest threats and their details. On the ‘threat dashboard’ you get reports about malware, spam and phishing happened in your tenant. With ‘Explorer’ you get a powerful tool to hunt for threats in your environment.

You can integrate Windows Defender ATP here to find out to which machines a certain Email was delivered.

But let’s now come to the feature we will look closer at: Attack Simulator

Next to ‘Safe Links’ and ‘Safe Attachments’, making users aware of not clicking on a link from a suspicious looking Email and not opening that attachment is maybe the most important mitigation. Office ATP P2 helps you with Attack Simulator to increase awareness at your users. You have three ‘attack campaigns’ (more to come):

  • Spear Phishing
  • Brute Force
  • Password Spray

Let’s start a Spear Phishing Attack:

With this Spear Phishing Attack, we try to ‘steal’ credentials from the user by placing a link into an Email that we send and make them to click on the link and provide their credentials.


Pic03: Launch Attack

Provide a name:


Pic04: Give it a name

Select people from your organization (you cannot use this against external users):


Pic05: Specify your targeted users

Provide Display-Name and From Email Address. This is what your targeted users will see in their Email clients. You can choose Login Server URL from a dropdown list. Microsoft will monitor logins to these pages for you and report on it. You can also configure (optionally) a custom landing page. This page will be displayed, after the user logs in. Finally, specify a Subject:


Pic06: Provide Details of the attack

Don’t be afraid: Microsoft does not track the credentials your users provide, nor do they check if they are correct (I never put in the real passwords in my tests and always was passed through to the landing page).

Then we have an Email Body Editor including a HTML source code editor. There are two variables you can use in the HTML body:

  • ${username}
  • ${loginserverurl}


Pic07: compose your poisoned Email

Together with the source code editor we can create a hyperlink in the Email, that does not make the original URL visible at the first glance (as you can see above):


Pic08: HTML view on the mail

That’s it, you get the final question if you really want to proceed. If you say ‘finish’ the attack fires:


Pic09: fire your attack

Now let’s see how this looks on the user’s side (here in OWA):


Pic10: user’s view in their inbox

When the user clicks on the mail she gets prompted by the well known Microsoft login dialogue (notice that chrome already thinks this is a ‘not secure’ site):


Pic11: user gets prompted

Whatever credentials you provide, you get forwarded to the specified landing page:


Pic12: Custom landing page

Back in Attack Simulator you can look on the report of your attack:


Pic13: Report of the attack results

As you can see, we targeted one user with our attack and had one successful attempt (well, I would say it was not successful, because the user clicked on the link, but that’s another story). You can download a CSV of all users and the description of their behavior.

The other available attacks run real password attacks against your user accounts. Either you provide a password list and see if those passwords are used by the users targeted (Brute Force) or you specify just one password and use it against a broader scope of users (Spray Attack). You then get a similar report as we have already shown:


Pic14: Report of BruteForce attack / Spray attack

Conclusion / A word of caution

I really like the attack simulator. With the available attack types, you can challenge your users and that means you make your environment more secure. But you must handle it with care. You should plan your ‘attacks’ very good and inform instances like ‘workers council’ and ‘data protection’ (and the management). Then I would suggest that you start a campaign for more security. Maybe you launch a specific website with tips and videos to improve user’s behaviors. Then during this campaign, you mention somewhere in your user communication, that you might also challenge them – so you warn them a little bit. Then, when they get ‚caught‘ don’t be mad at them. Explain carefully what happen and how they can improve. Your users are your friends 🙂

When it comes to Safe Links and Safe Attachments, you can easily roll this out in a scoped manner. Just increase the number of targeted users by time. So, you get a good impression of the impact it has.