Office ATP P2

Since the beginning of February 2019, Microsoft has been dividing Office ATP features into P1 and P2. Everything that was previously called “Threat Intelligence” now goes into Office ATP P2. In this article, I give a brief overview of Office ATP P1 and P2 features and go deep into an exciting P2 feature called “Attack Simulator”.

But let’s start with P1. To be honest, I underestimated the value of Office ATP for a while. But in the meantime (while I was not watching), Microsoft added more and more functionality to mitigate the most common attack vectors:

  • Email
    • Links in Body & Attachments (Fat Client & OWA)
  • Links in Documents
    • Office on Windows, iOS, Android
    • Links in Team Conversations
  • Files in
    • OneDrive
    • SharePoint
    • Teams

So, you say, you have Exchange Online and SharePoint Online and those services are using Anti-Virus anyway, so why would you need Office ATP?

ATP goes a step further: wherever you read “link” in the bullet list above, Office ATP replaces that link with one that points to Microsoft servers. That means that when your users click on the link, e.g. to download a file, the file goes through all the Office ATP intelligence. So even if the link was OK at delivery of the email, but the attackers changed the document on the server side in the meantime (after the initial scan), Office ATP will recognize that. This is called Safe Links.

With Safe Attachments, on the other hand, Microsoft even detonates your attachments! They take the attachment to a virtual environment and watch how it behaves in order to decide whether it is malicious.

What this looks like, for example in Teams, was recently described by Matt Soseman:
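For analysts who need the real destination of a rewritten link (in a ticket, a log line or a reported mail), the following added example, which is not from the original article, unwraps a Safe Links URL. It relies on the wrapper carrying the original address in its `url` query parameter under `*.safelinks.protection.outlook.com`; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Host suffix of Safe Links wrappers; the regional prefix (nam01, eur02, ...) varies.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed samples (not taken from real mail).
ORIGINAL = "https://files.contoso.example/docs/report.docx?id=7"
WRAPPED = ("https://nam01.safelinks.protection.outlook.com/?url="
           + quote(ORIGINAL, safe="") + "&data=CONSTRUCTED&reserved=0")
NESTED = ("https://eur02.safelinks.protection.outlook.com/?url="
          + quote(WRAPPED, safe="") + "&data=CONSTRUCTED&reserved=0")
# Host that merely starts with the Safe Links name; it must not be trusted or unwrapped.
LOOKALIKE = ("https://nam01.safelinks.protection.outlook.com.lookalike.example/"
             "?url=https%3A%2F%2Ffiles.contoso.example%2F")


def is_safelink(url):
    """True only if the host really is under the Safe Links domain."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url, max_depth=5):
    """Return (destination, layers): the original URL and how many wrappers were removed."""
    layers = 0
    while is_safelink(url):
        if layers == max_depth:
            raise ValueError("too many nested Safe Links wrappers")
        target = parse_qs(urlsplit(url).query).get("url")
        if not target:
            raise ValueError("Safe Links URL has no url= parameter")
        url = target[0]          # parse_qs has already percent-decoded the value
        layers += 1
    return url, layers


if __name__ == "__main__":
    for sample in (WRAPPED, NESTED, LOOKALIKE):
        dest, layers = unwrap_safelink(sample)
        print(layers, urlsplit(dest).hostname)
```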

Looking deeper into P1 features

The services have improved over time. E.g. with “native link rendering”, Microsoft displays the original link in the hover window instead of the Safe Link so as not to confuse users:

Pic01: hover text

You must look at the status bar in order to see the “real” URL:

Pic02: Status bar

Of course, all those techniques are not the holy grail. As always: somebody finds an exploit (e.g. “baseStriker” in Safe Links) and Microsoft closes that gap afterwards.

It is also important to note that not all content on SharePoint goes through Office ATP. Instead, ATP uses a smart algorithm that takes guest and sharing activity into consideration. So, whenever there is “external” activity with files, it will act.

Now, let’s shift gears and talk about Office ATP P2 features

There are several features available here: with ‘threat tracker’ you get informed about the latest threats and their details. On the ‘threat dashboard’ you get reports about malware, spam and phishing that occurred in your tenant. With ‘Explorer’ you get a powerful tool to hunt for threats in your environment.

You can integrate Windows Defender ATP here to find out which machines a certain email was delivered to.

But let’s now come to the feature we will look closer at: Attack Simulator

Next to ‘Safe Links’ and ‘Safe Attachments’, making users aware that they should not click on a link in a suspicious-looking email or open its attachment is maybe the most important mitigation. With Attack Simulator, Office ATP P2 helps you increase awareness among your users. You have three ‘attack campaigns’ (more to come):

  • Spear Phishing
  • Brute Force
  • Password Spray

Let’s start a Spear Phishing Attack:

With this Spear Phishing Attack, we try to ‘steal’ credentials from the users by placing a link in an email that we send, and getting them to click on the link and provide their credentials.

Pic03: Launch Attack

Provide a name:

Pic04: Give it a name

Select people from your organization (you cannot use this against external users):

Pic05: Specify your targeted users

Provide a Display Name and a From Email Address. This is what your targeted users will see in their email clients. You can choose the Login Server URL from a dropdown list. Microsoft will monitor logins to these pages for you and report on them. You can also (optionally) configure a custom landing page. This page will be displayed after the user logs in. Finally, specify a Subject:

Pic06: Provide Details of the attack

Don’t be afraid: Microsoft does not track the credentials your users provide, nor do they check if they are correct (I never entered real passwords in my tests and was always passed through to the landing page).

Then we have an Email Body Editor, including an HTML source code editor. There are two variables you can use in the HTML body:

  • ${username}
  • ${loginserverurl}

Pic07: compose your poisoned Email

With the source code editor, we can create a hyperlink in the email that does not make the original URL visible at first glance (as you can see above):

Pic08: HTML view on the mail

That’s it. You get a final question asking whether you really want to proceed. If you say ‘finish’, the attack fires:

Pic09: fire your attack

Now let’s see how this looks on the user’s side (here in OWA):

Pic10: user’s view in their inbox

When the user clicks on the mail, she gets prompted by the well-known Microsoft login dialogue (notice that Chrome already thinks this is a ‘not secure’ site):

Pic11: user gets prompted

Whatever credentials you provide, you get forwarded to the specified landing page:

Pic12: Custom landing page

Back in Attack Simulator, you can look at the report of your attack:

Pic13: Report of the attack results

As you can see, we targeted one user with our attack and had one successful attempt (well, I would say it was not successful, because the user clicked on the link, but that’s another story). You can download a CSV of all users and the description of their behavior.

The other available attacks run real password attacks against your user accounts. Either you provide a password list and see whether those passwords are used by the targeted users (Brute Force), or you specify just one password and use it against a broader scope of users (Spray Attack). You then get a report similar to the one already shown:

Pic14: Report of BruteForce attack / Spray attack
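The two attack types leave different shapes in sign-in telemetry: brute force is many failures against one account, spray is one or two failures against many accounts. The following added example (not from the original article) labels each source by that shape; the event layout, the sample events and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sign-in events: (source_ip, username, succeeded). Layout is an assumption.
EVENTS = (
    [("198.51.100.7", f"user{i}", False) for i in range(1, 9)]      # 8 accounts, one try each
    + [("203.0.113.20", "alice", False)] * 12                        # one account, 12 tries
    + [("192.0.2.15", "bob", False), ("192.0.2.15", "bob", True)]    # a typo, then success
)


def classify_sources(events, min_users=5, max_tries_per_user=2, min_tries=10):
    """Label each source by the shape of its failed sign-ins (thresholds are illustrative)."""
    failures = defaultdict(lambda: defaultdict(int))
    for src, user, ok in events:
        if not ok:
            failures[src][user] += 1

    verdicts = {}
    for src, per_user in failures.items():
        busiest = max(per_user.values())
        if len(per_user) >= min_users and busiest <= max_tries_per_user:
            # Wide and shallow: few tries per account keeps it under lockout limits.
            verdicts[src] = "password spray"
        elif busiest >= min_tries:
            # Narrow and deep: one account hammered with many passwords.
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "unremarkable"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(EVENTS).items():
        print(src, verdict)
```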

Conclusion / A word of caution

I really like the attack simulator. With the available attack types, you can challenge your users, and that means you make your environment more secure. But you must handle it with care. You should plan your ‘attacks’ very well and inform instances like ‘workers council’ and ‘data protection’ (and the management). Then I would suggest that you start a campaign for more security. Maybe you launch a specific website with tips and videos to improve users’ behavior. Then, during this campaign, you mention somewhere in your user communication that you might also challenge them – so you warn them a little bit. Then, when they get ‘caught’, don’t be mad at them. Explain carefully what happened and how they can improve. Your users are your friends 🙂

When it comes to Safe Links and Safe Attachments, you can easily roll them out in a scoped manner. Just increase the number of targeted users over time. That way, you get a good impression of the impact it has.

100% Cloud will never happen!

I like the idea of starting a brand-new blog site by the name of “Empty Datacenter – 100% Cloud” and then writing the first article, indicating that this will never happen.

But this is exactly what happens during the ‘cloud familiarization period’. The WHAT? Exactly.

During my journey from an on-premises-driven consultant for Exchange & Active Directory Enterprise Infrastructures to a Cloud Architect focusing on Office 365, Azure AD and Enterprise Mobility, I noticed from my own thoughts and behaviors, and from those of my colleagues and customers, that “being cloud minded” is not binary.

Most people understand a few core principles of what it means to be 100% cloud minded. So, in my experience, the 100% cloud approach gets deeper and deeper into one’s mind over time.

People (we all) need time to get used to new environments, paradigms and so on. This is what I call the ‘cloud familiarization period’ (and to be honest, I think this period never ends).

At the beginning of this period, it can happen that an IT colleague is totally familiar with the benefits of Office 365, completely convinced to move all company mailboxes to the cloud, and believes in the future of Microsoft Teams. But if you dig deeper, this IT guy does not really believe in the near end of ‘the fileserver’. Nor does he believe in empty datacenter halls, because ‘our SAP* servers will never go to the cloud during my career’ (* it does not have to be SAP, but you get the idea).

So, in my opinion, when talking about 100% cloud, you should have an empty datacenter as a vision in mind. That means, after moving all the Microsoft Infrastructure to the cloud, your IT infrastructure could look like this:



The main message of this picture is: move as much to the cloud as possible now and consider the rest (your on-prem DC) also as a cloud. But let’s proceed step by step.

First, to move the “basic” Microsoft environment means to move:

Mail & File



  • Local Mail to Exchange Online
    • Considered as a no-brainer
  • User file servers to ‘SharePoint’
    • With the term “user file servers”, I want to exclude data that is still processed by local apps and so on. Moving everything from local fileservers (and SharePoint servers) to OneDrive, Teams, SharePoint Online (and Groups) is technically not hard, but you must work hard on change management and user adoption.
  • Comment on Teams
    • As we all know, Teams is the successor of Skype for Business. It is quite easy to use Teams for chat, group chat, audio calls and conferences. It gets a bit harder if you also move the telephony services to Teams, at least in an enterprise environment. Which feature to use with which tool must be well thought through.

The Client

Then, following up with the 100% cloud approach, you should move your clients to the cloud:



So, what does this look like from a user perspective? The user receives a new laptop at his desk in the office, at home or wherever you want. He unpacks it, starts it and runs into the out-of-box experience (OOBE). He types in his username and password and automatically joins the AAD. The device then gets enrolled into Intune and policy settings are applied. Intune also installs all user-specific software on the box and, after a while, the user can log on to his new machine without IT ever having touched it. And best of all: no on-premises management service was involved. All client management (AAD & Intune etc.) itself is evergreen.

This client loves the freedom of the internet, calls the cloud his home and hates boundaries like Proxy Servers and Firewalls.

Users, on the other hand, love this new client, since it supports collaboration instead of preventing it.

For this new freedom, we need new security concepts: security concepts that have the global collaboration needs of the users in mind, that let the users use the tools they need, and that give them more self-service possibilities so they can act fast. With those new security approaches, we also get the chance to improve the overall security of our systems, because we can leverage intelligent cloud solutions that “know” not only our system, but many Microsoft environments from customers all over the world.

The following picture describes the difference between the old and the new security approach:



So, in the new world, we must move away from the perimeter approach towards an entity security approach. Considering certain networks as more trustworthy than others does not work in a mobile world where computers cross the company borders in the pockets of their employees.

When we start to protect all entities in question (Identity, Device, Services, Documents), then we gain both: more security and more mobility.

Microsoft offers a “defense-in-depth product catalogue” here, all hosted in or connected to the cloud:

  • Identity Security
    • MFA
    • Identity Protection
    • Privileged Identity Management
    • RBAC
    • Monitoring/Auditing/Reporting
  • Device Security
    • Secure Boot & Integrity
    • BitLocker hard disk encryption
    • Evergreen patching
    • Hello for Business & Passwordless Sign-Ins
    • Endpoint Protection with Windows Defender
    • Advanced Threat Protection
    • Credential & Exploit Guard
  • Service Security
    • Conditional Access & Compliance
    • Device Health Attestation
  • Document Security
    • Azure Information Protection
    • DLP

So far, we have been talking about the “company managed (Win 10) client”. In a 100% cloud approach, we also have to think about connecting other devices, mobile devices and private computers (Windows, Mac & maybe even Linux).

In upcoming posts, we will dig deeper into the security solutions mentioned here and the possibilities for mobile and private devices.

The last boxes in the basement

Now, let’s talk about the apps and services we have avoided talking about until now. There are hundreds of applications in your server rooms besides “Mail”, “File” and “Collaboration/Communication” services.

A 100% Cloud approach means to move them to the cloud. It’s as simple as that.

This is where the “never gonna happen” mantra starts. And therefore, you must keep your clear vision of a cloud-only IT AND be as pragmatic as necessary. Start a project that goes through all your applications and checks them against a priority list like this one:

  • Do we still need this? (I have seen companies that saved a lot of money by asking this simple question)
  • Is there a SaaS service available for this application?
  • Can we move it to Azure (IaaS)?
  • Can we easily ‘publish’ it by Web Application Proxy? (since it speaks http)
  • Do we have to use an app VPN to reach it?

Taking this list and going through all the apps in the basement is what we sometimes call “app feng-shui”.

This list is a priority list from top to bottom and it is not complete, but you can imagine what to do here. The benchmark here is “user experience”. In a 100% cloud approach, you should provide the best possible user experience, regardless of the location of the device connecting to your services and no matter where the servers they run on reside.

You may have recognized that the ‘last boxes in the basement’ struggle against the 100% cloud approach. But this is not so important. And it should not lead you to the conclusion not to start with it at all!

In fact, this is the point! You must do what you can here to get as close to the 100% as possible. In addition to “app feng-shui”, you should also plan how to proceed with those apps in one year and later. Maybe you will have new possibilities then, since a SaaS version is already under development.


So, that’s it. Your datacenter is (nearly) empty now. As mentioned before, we will dig deeper into many areas mentioned in this blog post in upcoming posts.

I would like to end this post with a list of things you can achieve for you and your company by going 100% cloud:

  • Mobility: from each device and location
  • Evergreen: always up-to-date, for security and for the latest tools and features
  • Collaboration: enable your users to collaborate easily with whom they want without having to use Shadow IT tools
  • Self-services: freedom and agility to the user
  • State of the art security: prepared for modern threats by leveraging cloud intelligence
  • Knowledge sharing: users will be able to share knowledge with community tools.

Is all this easy to achieve? No. Does your company need to change in every cell of its ‘body’? Yes, but I believe it is worth it.

I am really looking forward to providing articles here that help you empty your datacenters and take full advantage of the 100% cloud approach.