With the advent of scammers, spammers, phishers, and other types of baddies, and the complementary rise in anti-malware, anti-spam, domain and sender verification techniques, we're in a perpetual cat-and-mouse game. I've had several customers over the past few weeks ask me about best practices for configuring some of the Advanced Threat Protection (ATP) features.
I've pulled this information together as a compendium (oooh, big word) of some of the tips, tricks, and practices that have helped my customers be successful when configuring the service. Most of this is data you'll find on our support pages (and I've supplied lots of links where I pulled the data from), just to keep me honest.
While we do provide a pretty good amount of documentation, we tend to do it in little bites scattered all over, which can be frustrating if you're looking for an end-to-end configuration resource. Hopefully, this helps a few folks out.
In this post:
Advanced Threat Protection Safe Attachments
Safe Attachments Options
Configure a Safe Attachments Policy
Safe Attachments Policy For Email Attachments
Safe Attachments Policy for SharePoint, OneDrive, and Teams
Advanced Threat Protection Safe Links
Safe Links Options
Configure a Safe Links Policy
Safe Links policies that apply to the entire organization
Safe Links policies that apply to specific recipients
Advanced Threat Protection Anti-Phishing
Anti-Phishing Options
Configure an Anti-Phishing Policy
Transport Rules
Bypass Safe Attachments Processing
Bypass Safe Links Processing
Lower Phishing Threshold
Tools
O365 ATP Safe Links Decoder
Office 365 Message Header Analyzer
Message Header Analyzer Plug-in for Outlook
Advanced Threat Protection Safe Attachments
Antivirus and anti-malware scanning engines are based on file hashes or signatures, meaning that every file that gets scanned is compared against the fingerprints of known villains, er, viruses. If a new virus or piece of malware is created, it will most likely have a new file signature that's not included in a database and will therefore evade detection. (For you extra nerdy folk, you can take a stroll down memory lane and remember the first worm, created in 1971, and the first virus, introduced in 1982.) In 1986, two brothers released the Brain boot sector virus, affecting IBM-PCs. Since G-Data Antivirus and McAfee VirusScan were both released in 1987, signature-based antivirus has ruled the roost.
Advanced Threat Protection's Safe Attachments technology is designed to be heuristic--investigating the behaviors that attachments perform. While something may look like a Word document on the outside (because it has a .doc or .docx extension), ATP digs deeper into the attachments to see if they are what they say they are based on how they perform. Using virtual environments and sandboxing, the attachments are detonated--that is, run so that the behaviors they exhibit can be observed. Behaviors might include: nothing (which would indicate a benign attachment), embedded code attempting to open up workstation firewall ports, encoded scripting to launch a listener or attach to an external website, or calls to the registry to read or write data.
Safe Attachments Options
What's good for the goose may not be good for the gander, so you may want to review the responses that are available before creating a policy. Here are the options, what they mean, and some further information on deciding which is best. Note that these options only apply for policies configured to Protect email attachments.
Option | Effect | Use when you want to: |
Off | Does not scan attachments for malware. Does not delay message delivery. | Turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known, good attachments. Prevent unnecessary delays in routing internal mail. Note: This option is not recommended for most users. It enables you to turn ATP Safe Attachments scanning off for a small group of internal senders. |
Monitor | Delivers messages with attachments and then tracks what happens with detected malware. | See where detected malware goes in your organization. You can view the reports under the Threat management dashboard. |
Block | Prevents messages with detected malware attachments from proceeding. Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages. Blocks future messages and attachments automatically. | Safeguard your organization from repeated attacks using the same malware attachments. |
Replace | Removes detected malware attachments. Notifies recipients that attachments have been removed. Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages. | Raise visibility to recipients that attachments were removed because of detected malware. A text file attachment is included that notifies the user that the attachment was removed. |
Dynamic Delivery | Delivers messages immediately. Replaces attachments with a placeholder file until scanning is complete, and then reattaches the attachments if no malware is detected. Includes attachment previewing capabilities for most PDFs and Office files during scanning. Sends messages with detected malware to Quarantine where a security administrator or analyst can review and release (or delete) those messages. Learn about dynamic delivery and previewing with ATP Safe Attachments. | Avoid message delays while protecting recipients from malicious files. Enable recipients to preview attachments in safe mode while scanning is taking place. Note: Dynamic delivery is only available for cloud-hosted mailboxes. If you configure a dynamic delivery policy in a hybrid environment scoped to users that are both on-premises and in-cloud, messages scanned for users in the on-premises environment will be treated as though they are configured in "Replace" mode, and the message will not be delivered until scanning is complete. Additionally, if a user is covered by a dynamic delivery policy, and they forward a message with the placeholder attachment (before the scanning has been completed), what happens depends on whether or not the recipient is licensed for ATP: If the recipient of a forwarded message is not licensed, the message is forwarded without safe attachments scanning. If the recipient of a forwarded message is licensed, then they will see the attachment preview (per this support article). Finally, there are some scenarios in which dynamic delivery will not work: |
Enable redirect | Applies when the Monitor, Block, or Replace option is chosen. Sends attachments to a specified email address where security administrators or analysts can investigate. | Enable security administrators and analysts to research suspicious attachments. |
Table data compiled mostly from https://support.office.com/en-us/article/dynamic-delivery-and-previewing-with-office-365-atp-safe-attachments-f16c9928-8e3d-4219-b994-271dc9a16272 and https://support.office.com/en-us/article/Set-up-Office-365-ATP-safe-attachments-policies-078EB946-819A-4E13-8673-FE0C0AD3A775.
While it's possible to create a Safe Attachments policy inside of the Exchange Admin Center (EAC), it's best if you create and manage it in the Security & Compliance Center, since that's the direction we're moving for consolidated management of security policies.
Configure a Safe Attachments Policy
Safe attachments (as well as safe links policies) can be scoped to your entire organization, domains, or smaller subsets of your users. Depending on how your organization functions or how you want to handle mail flow and threats in your environment, you may need to configure one or more policies to meet your requirements.
Safe Attachments Policy For Email Attachments
To create a Safe Attachments Policy in the Security & Compliance Center:
- Navigate to https://protection.office.com.
- In the navigation menu, expand Threat management, and then select Policy.
- Select the ATP Safe Attachments tile.
- Under Protect email attachments, click the + button to create a new policy.
- Enter a name for the policy (required), a description (optional), and then select a response method.
- Scroll down to the bottom of the window.
- Specify settings for Redirect attachment on detection and Applied To. The address specified in the Enable redirect text box should be accessible to your email administrators or security team to review suspicious attachments. You can choose to apply a policy to an individual user, domain, or group. You can specify exceptions based on a user, domain, or group.
- Click Save when finished.
Safe Attachments Policy For SharePoint, OneDrive, and Teams
The same heuristics engine that drives Safe Attachments for message attachments can now be used against SharePoint, OneDrive, and Teams storage locations. While it doesn't scan all previously stored documents, it does pay attention to documents that you share. Per the product documentation:
Advanced Threat Protection for SharePoint Online, OneDrive for Business, and Microsoft Teams will not scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned asynchronously, through a process that uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.
Given that, configuring a Safe Attachments policy for SharePoint, OneDrive, and Teams sites is pretty easy.
- Navigate to https://protection.office.com.
- In the navigation menu, expand Threat management, and then select Policy.
- Select the ATP Safe Attachments tile.
- Under Protect files in SharePoint, OneDrive, and Microsoft Teams, select the checkbox next to Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
- Click the Save button at the bottom of the page.
- Connect to SharePoint Online with PowerShell. If you do not have the SharePoint Online Management Shell module installed, click here to download and install it. When connecting to SharePoint Online via the management shell, the URL for your tenant is https://<tenantname>-admin.sharepoint.com.
- Configure the DisallowInfectedFileDownload parameter. The default value is False.
Per the product documentation, the DisallowInfectedFileDownload parameter of the Set-SPOTenant cmdlet has the following effect:
If the parameter is set to | This happens |
true (recommended) | All actions, except Delete, are blocked for detected files. People cannot open, move, copy, or share detected files. A visual cue indicates that a file has been identified as malicious. No one can download the file. |
false | All actions, except Delete and Download, are blocked for detected files. People cannot open, move, copy, or share detected files. A visual cue indicates a file has been identified as malicious, but people can choose to accept the risk and download the file. |
- Use the Set-SPOTenant cmdlet with the -DisallowInfectedFileDownload parameter as appropriate.
Advanced Threat Protection Safe Links
ATP Safe Links is comprised of a few components:
- URL wrapping service for click-time evaluations
- reputation database
- scanning files embedded in hyperlinks using the sandboxing and detonation chamber
- Scanning links embedded in Office documents when opened using Office ProPlus signed in as a user licensed for a Safe Links policy
The URL wrapping service processes links on messages and encapsulates hyperlinks permanently in the delivered messages. The rewritten link persists for the life of the message and will be re-processed and evaluated each time it is clicked, whether it is a few hours, a few days, or years later, and whether or not it exists in the original mailbox or forwarded to new recipients. ATP-protected links are evaluated in real-time against the reputation database.
In addition to rewriting links that have been delivered in email messages, users who have been assigned an ATP license and are opening documents with Office ProPlus applications signed in as the user will also be protected from malicious links inside documents.
Safe Links Options
Before you configure a Safe Links policy (either for the organization or for individual or groups of recipients), you should familiarize yourself with the options available.
For this policy | This option | Does this |
Default (once defined, the default policy applies to everyone in the organization) | Block the following URLs | Enables your organization to have a custom list of URLs that are automatically blocked. When users click a URL in this list, they'll be taken to a warning page that explains why the URL is blocked. See Set up a custom blocked URLs list using ATP Safe Links for more details, such as newly added support for up to three wildcard asterisks (*). |
Default | Office 365 ProPlus, Office for iOS and Android | When this option is selected, ATP Safe Links protection is applied to URLs in documents that are open in Word 2016, Excel 2016, PowerPoint 2016 on Windows, iOS, or Android devices, or Visio 2016 on Windows, with the user signed into Office 365. Tip: If you see Office 2016 on Windows, then the feature update has not reached your Office 365 environment yet (and it's coming soon). Until then, ATP Safe Links protection applies to Word 2016, Excel 2016, PowerPoint 2016 or Visio 2016 running on Windows. |
Default | Don't track when users click ATP Safe Links | When this option is selected, click data for URLs in Word, Excel, PowerPoint, and Visio documents is not stored. |
Default | Don't let users click through ATP Safe Links to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
A policy created for specific email recipients | Off | Does not scan URLs in email messages. Enables you to define an exception rule, such as a rule that does not scan URLs in email messages for a specific group of recipients. |
A policy created for specific email recipients | On | Rewrites URLs to route users through ATP Safe Links protection when the users click URLs in email messages. Checks a URL when clicked against a list of blocked or malicious URLs. |
A policy created for specific email recipients | Use Safe Attachments to scan downloadable content | When this option is selected, URLs that point to downloadable content are scanned. |
A policy created for specific email recipients | Apply Safe Links to messages sent within the organization | This feature is rolling out beginning in March 2018. When this option is available and selected, ATP Safe Links protection is applied to email messages sent between people in your organization, provided the email accounts are hosted in Office 365. |
A policy created for specific email recipients | Do not track user clicks | When this option is selected, click data for URLs in email from external senders is not stored. URL click tracking for links within email messages sent within the organization is currently not supported. |
A policy created for specific email recipients | Do not allow users to click through to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
A policy created for specific email recipients | Do not rewrite the following URLs | Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization. See Set up a custom "Do not rewrite" URLs list using ATP Safe Links for more details, including recent changes to support for wildcard asterisks (*). |
The preceding table also appears at https://support.office.com/en-us/article/set-up-office-365-atp-safe-links-policies-bdd5372d-775e-4442-9c1b-609627b94b5d.
Configure a Safe Links Policy
You can configure both organization-wide Safe Links settings, as well as policies scoped to individual users or groups of users.
Safe Links policies that apply to the entire organization
- Navigate to https://protection.office.com.
- In the navigation menu, expand Threat management, and then select Policy.
- Select the ATP Safe Links tile.
- In the Policies that apply to the entire organization section, click the pencil icon to edit the Default policy.
- Under Settings that apply to content across Office 365, in the Block the following URLs section, add any domains you wish to always block by entering them in the text box and clicking the + button.
Note: the links added to the organizational policy will apply to all users, regardless of settings in other user-scoped policies. The URLs and domains entered in the Block the following URLs section will apply to Office ProPlus, Office Online / Web Apps, Office for iOS and Android, as well as links that are wrapped via Safe Links. If a domain is later added or removed, the behavior on links that are protected will be updated to reflect the new settings.
- Under Settings that apply to content except email, select whether or not you wish to enforce Safe Links policies for Office ProPlus as well as Office for iOS and Android. If you select Do not track when users click safe links, user telemetry data for URLs specified in the blocked domains list will not be collected when links are followed by clicking on a URL in an Office application (besides Outlook). If you select Do not let users click through safe links to the original URL, users will be directed to a warning page when clicking on a blocked link inside an Office document.
- Click Save.
Safe Links policies that apply to specific recipients
To create a Safe Links policy that applies to specific recipients, follow these steps. Keep in mind that each Safe Links policy can apply to an individual user, group of users, or one or more domains. You can specify one or more user selection conditions (such as "is a member of" and "recipient domain is").
- Navigate to https://protection.office.com.
- In the navigation menu, expand Threat management, and then select Policy.
- Select the ATP Safe Links tile.
- In the Policies that apply to specific recipients section, click the + to create a new policy.
- Choose whether or not to rewrite links for the group this policy will apply to. If the Select the action for unknown potentially malicious URLs in messages radio button is Off, no further Safe Links configuration options will be available except the recipient selection conditions.
- Select the appropriate check boxes, referring to this table detailing the operation of the parameters.
- For any URLs that you want to be ignored by Safe Links processing (such as known good URLs), enter them in the Do not rewrite the following URLs box and click the + button.
- Specify a user, domain, or group to which you want to apply the policy. This is a required field.
- Click Save to complete the policy.
Advanced Threat Protection Anti-Phishing
One of the newer additions to the Advanced Threat Protection family is the configurability of specific anti-phishing policies. Anti-phishing policies protect against emails intended to deceive the recipient in some way (usually by pretending to be a familiar or trusted sender) in order to gain important business or personal data, including service and logon credentials, bank account information, credit card or other information that can be used to further impersonate the user.
Anti-phishing Options
Before configuring an anti-phishing policy, familiarize yourself with the available settings and how they impact the policy and users.
This setting | Does this | Use when you want to |
Add users to protect | Defines which email addresses will be protected by the policy. You can add up to 20 internal and external addresses that you want to protect from impersonation. | When you want to ensure that mail from outside your organization isn’t an impersonation of one of the users on the list of users you are protecting. Examples of users you might want to protect are high-level executives, business owners, external board members, and so on. This list of protected users is different from the list of people to which the policy applies, or rather, for which the policy is enforced. You define the applies to list in the Applied to section of the policy options. For example, if you add Mary Smith <marys@contoso.com> as a user to protect, then apply the policy to the group "All Users". This would ensure that a mail that appeared to impersonate "Mary Smith" sent to a user in the "All Users" group would be acted on by the policy. |
Add domains to protect | Allows you to choose which domains you want to protect from impersonation. You can specify that the policy include all of your custom domains, a comma-separated list of domains, or a combination of the two. If you choose Automatically include domains that I own, and you later add a domain to your Office 365 organization, this anti-phishing policy will be in place for the new domain. | Whenever you want to ensure that mail from outside your organization isn’t an impersonation of one of the domains defined in your list of verified domains or that of a partner domain. |
Choose actions | Choose the action to take when Office 365 detects an impersonation attempt against the users and domains you added to the policy. You can choose different actions for users and domains in the same anti-phishing policy. These actions apply to any incoming email that has been identified by Office 365 as impersonating a user account or domain that is under the protection of this anti-phishing policy. Quarantine message: Email will be sent to Office 365 quarantine. When you choose this option, the email is not sent to the original recipient. Redirect message to another email address: Email will be sent to the email address you specify. You can specify multiple email addresses. When you choose this option, the email is not sent to the original recipient. Move message to the recipients' Junk email folder: Email will be sent to the recipients' Junk email folder. When you choose this option, the email is still sent to the original recipient but is not placed in the recipient's inbox. Deliver the message and add other addresses to the Bcc line: Email will be delivered to the original recipient. In addition, the users you identify will be added to the bcc line of the message before it's delivered. When you choose this option, the email is still sent to the original recipient's inbox. Don't apply any action: Email will be delivered to the original recipient's inbox. No other action will be taken on the email message. Turn on phishing protection tips: Enables anti-phishing safety tips in email. | When you want to take an action on messages that Office 365 has determined to be an impersonation of a user or domain as defined in the policy. |
Enable mailbox intelligence | Enables or disables mailbox intelligence for this policy. You can only enable mailbox intelligence for cloud-based accounts, that is, accounts whose mailbox is hosted entirely in Office 365. | When you want to enhance impersonation results for users based on each user's individual sender map. Mailbox intelligence is built around the people you send and receive mail from. This intelligence allows Office 365 to customize the impersonation policy at a user-level in order to better handle false positive results. |
Add trusted senders and domains | Defines email addresses and domains that will not be considered impersonations by this policy. Messages from the sender email addresses and domains you add as trusted senders and domains won't ever be classified as an impersonation-based attack. As a result, the actions and settings in this policy won't be applied to messages from these senders and domains. | When users interact with domains or users that trigger impersonation but are considered to be safe. For example, if a partner has the same/similar display name or domain name as a user defined on the list. |
Applied to | Defines the recipients whose incoming email messages will be subject to the rules of the policy. You can create conditions and exceptions for the recipients associated with the policy. For example, you can create a global policy for your organization by applying the rule to all recipients in your domain. You can also create exception rules, such as a rule that does not scan email messages for a specific group of recipients. | Each policy must be associated with a set of users, for example users in a particular group or domain. |
Note: The preceding table contains data from https://support.office.com/en-us/article/Set-up-Office-365-ATP-anti-phishing-policies-5a6f2d7f-d998-4f31-b4f5-f7cbf6f38578#phishpolicyoptions.
Configure an Anti-Phishing Policy
Like Safe Links policies, Anti-Phishing policies can be customized and applied to groups or subgroups of users. To configure a policy, follow these steps.
- Navigate to https://protection.office.com.
- In the navigation menu, expand Threat management, and then select Policy.
- Select the ATP anti-phishing tile.
- Click the + Create button to start the Create a new anti-phishing policy wizard.
- Enter a name (required) and description (optional) for the policy. As you can see, I was quite creative with mine. Click Next when done.
- Select conditions under which to apply the policy. In this example, I'm going to choose recipient domain is and select my accepted domain to protect all users with the same policy. Once the domain has been added, click Next.
- Click Create this policy to be taken to the policy configuration options.
- On the Edit your policy page, click Edit next to the configuration options you want to edit. In my case, I want to ensure that I protect all the domains in my tenant from impersonation as well as the domain of a trusted partner that I do a lot of business with, as well as apply additional protection or scrutiny to messages purporting to be from a few specific users (such as the Finance lead and payroll). I want to display warnings to the recipients when something seems suspicious. Given all the options I want to manage, I'm going to click the Edit button in the Impersonation section.
- I'm going to first add the users and addresses I want to protect from being impersonated. So, click Add users to protect. In this case, I'm adding the Finance director (internal) and a payroll email address (external).
- Click the Add domains to protect tab, and then slide the toggle to include all the domains in the tenant, as well as custom domains. Since I want to protect my organization from being spoofed by one of my partner's domains, I'm going to add their domain as well. Note: Press [Enter] when you're finished entering each domain--clicking Save will take you back to the Edit your policy page. If you do so, you'll just have to click the Edit button again to enter back into the editing screen.
- Click the Actions tab. In this case, I want messages that appear to be sent by my protected users to go to Quarantine (which will require them to be released). Other messages that appear to be impersonated will get delivered to the user's junk mail.
- Click the Turn on impersonation safety tips link to expose the Safety tips flyout panel. Toggle all three sliders to on.
- Click Save to save the flyout options.
- Click Save to save the policy.
- Click Close to complete configuration of the policy.
Transport Rules
In addition to the general policy configurations, ATP Safe Attachments, ATP Safe Links, and ATP Anti-phishing policies can be further refined with a few transport rule options.
Bypass Safe Attachments Processing
You can configure a transport rule to set an X-header to bypass safe attachments processing, in the event that you want to prevent attachment processing from certain sources that you are certain will only send safe attachments. To configure the transport rule:
- Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
- Select Mail Flow.
- Click the +, and then select Create a new rule.
- Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
- Enter a value for the name, select which messages the rule will apply to (such as applying to a certain sender, IP address range, or domain), and then under Do the following, select Modify the message properties | Set the message header to this value. Enter X-MS-Exchange-Organization-SkipSafeAttachmentProcessing as the header name, then set the value to 1.
- Click Save to finish the rule.
Alternately, you can use PowerShell to configure the rule:
New-TransportRule -From @('trusteduser@trusteddomain.com') -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' -SetHeaderValue '1' -Name 'Bypass Safe Attachments' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'
Bypass Safe Links Processing
Just as you may need to bypass Safe Attachments processing, you may need to bypass Safe Links processing (such as for mail from a trusted network or sender).
- Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
- Select Mail Flow.
- Click the +, and then select Create a new rule.
- Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
- Enter a value for the name, select which messages the rule will apply to (such as applying to a certain sender, IP address range, or domain), and then under Do the following, select Modify the message properties | Set the message header to this value. Enter X-MS-Exchange-Organization-SkipSafeLinksProcessing as the header name, then set the value to 1.
- Click Save to finish the rule.
Alternately, you can use PowerShell to configure the rule:
New-TransportRule -From @('trusteduser@trusteddomain.com') -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' -SetHeaderValue '1' -Name 'Bypass Safe Links' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'
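Because both bypass rules switch ATP scanning off for whatever mail they match, it is worth reviewing them periodically. The following PowerShell is an added example, not part of the original post: it filters transport rule objects for the two bypass headers above and reports how each rule selects senders. The function name Find-AtpBypassRule is hypothetical, the sample rules are constructed, and the property names assume the objects returned by Get-TransportRule.

```powershell
function Find-AtpBypassRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    begin {
        # Headers from this post that exempt matching mail from ATP scanning.
        $bypassHeaders = @(
            'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
            'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
        )
    }
    process {
        # Ignore rules that do not set one of the bypass headers to 1.
        if ($bypassHeaders -notcontains $Rule.SetHeaderName) { return }
        if ([string]$Rule.SetHeaderValue -ne '1') { return }

        # Collect the sender conditions that decide which mail is exempted.
        $scope = @()
        if ($Rule.From)           { $scope += "From=$($Rule.From -join ',')" }
        if ($Rule.SenderDomainIs) { $scope += "SenderDomainIs=$($Rule.SenderDomainIs -join ',')" }
        if ($Rule.SenderIpRanges) { $scope += "SenderIpRanges=$($Rule.SenderIpRanges -join ',')" }

        # Review notes: an exemption should be as narrow as the use case allows.
        $notes = @()
        if ($scope.Count -eq 0) {
            $notes += 'No sender condition found; check the full rule definition.'
        }
        elseif (-not $Rule.SenderIpRanges) {
            $notes += 'Scoped by address or domain only; consider adding the source IP range.'
        }
        if ($Rule.State -ne 'Enabled' -or $Rule.Mode -ne 'Enforce') {
            $notes += "Rule is not actively enforced (State=$($Rule.State), Mode=$($Rule.Mode))."
        }

        [pscustomobject]@{
            Name  = $Rule.Name
            Skips = $Rule.SetHeaderName -replace '^X-MS-Exchange-Organization-Skip(.+)Processing$', '$1'
            Scope = $scope -join '; '
            Notes = $notes -join ' '
        }
    }
}

# Constructed sample rules shaped like Get-TransportRule output (not from a real tenant).
$sampleRules = @(
    [pscustomobject]@{
        Name = 'Bypass Safe Attachments'; State = 'Enabled'; Mode = 'Enforce'
        SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'; SetHeaderValue = '1'
        From = @('trusteduser@trusteddomain.com'); SenderDomainIs = $null; SenderIpRanges = $null
    },
    [pscustomobject]@{
        Name = 'Bypass Safe Links for scanner'; State = 'Enabled'; Mode = 'Enforce'
        SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; SetHeaderValue = '1'
        From = $null; SenderDomainIs = $null; SenderIpRanges = @('192.0.2.10')
    },
    [pscustomobject]@{
        Name = 'Append disclaimer'; State = 'Enabled'; Mode = 'Enforce'
        SetHeaderName = $null; SetHeaderValue = $null
        From = $null; SenderDomainIs = $null; SenderIpRanges = $null
    }
)

# Offline run over the samples; in a connected Exchange Online session use:
#   Get-TransportRule | Find-AtpBypassRule
$sampleRules | Find-AtpBypassRule | Format-List
```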
Lower Phishing Threshold
Depending on the type of phishing messages that you get, it may be desirable to lower the threshold (thereby, increasing sensitivity) for phishing messages. You can do this by creating a transport rule to apply these settings.
- Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
- Select Mail Flow.
- Click the +, and then select Create a new rule.
- Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
- Enter a value for the name, select which messages the rule will apply to. Under Sender condition, select The sender is located..., and then select Outside the organization, and then click OK. Select any additional message selection criteria, such as scoping for internal recipients.
- Under Do the following, select Modify the message properties | Set the message header to this value. Enter MS-Exchange-Organization-PhishThresholdLevel as the header name, then set the value to 2. Valid values are 2, 3, and 4 (default).
- Click Save to complete the rule.
Alternately, you can use PowerShell to configure the rule:
New-TransportRule -FromScope 'NotInOrganization' -SetHeaderName 'MS-Exchange-Organization-PhishThresholdLevel' -SetHeaderValue '2' -Name 'Lower Phishing Threshold for Executives' -StopRuleProcessing:$false -Mode 'Enforce' -Comments ' ' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'
Tools
Should you find yourself needing to analyze messages that have been processed by ATP or EOP, you can use these tools:
O365 ATP Safe Links Decoder
For messages that have been processed (and subsequently, rewritten) by Safe Links, you can use this decoder to return the original URL. To use it, simply copy a rewritten URL from a processed message and then paste it in the link window. The decoded link will appear below.
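The same unwrapping can be done locally when triaging a batch of links. This PowerShell function is an added example, not the decoder tool itself or code from the original post: it assumes the rewritten link has the form https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&data=..., and the function name ConvertFrom-SafeLinksUrl and the sample link are constructed for illustration.

```powershell
function ConvertFrom-SafeLinksUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Url
    )
    process {
        $uri = $null
        if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
            throw "Not an absolute URL: $Url"
        }

        # Only unwrap links that point at the Safe Links service (assumed host suffix).
        $suffix = '.safelinks.protection.outlook.com'
        if (-not $uri.Host.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return [pscustomobject]@{
                Wrapped = $false; Region = $null; OriginalUrl = $Url; TargetHost = $uri.Host
            }
        }

        # Parse the query string by hand so there is no System.Web dependency.
        $query = @{}
        foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
            if (-not $pair) { continue }
            $name, $value = $pair -split '=', 2
            $query[$name] = [System.Uri]::UnescapeDataString([string]$value)
        }
        if (-not $query['url']) {
            throw "Safe Links URL has no 'url' parameter: $Url"
        }

        # The decoded value must itself be an absolute http(s) URL.
        $target = $null
        $parsed = [System.Uri]::TryCreate($query['url'], [System.UriKind]::Absolute, [ref]$target)
        if (-not $parsed -or $target.Scheme -notin 'http', 'https') {
            throw "Decoded 'url' parameter is not an http(s) URL: $($query['url'])"
        }

        [pscustomobject]@{
            Wrapped     = $true
            Region      = $uri.Host.Substring(0, $uri.Host.Length - $suffix.Length)
            OriginalUrl = $query['url']
            TargetHost  = $target.Host
        }
    }
}

# Constructed sample link (not taken from a real message).
$sample = 'https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.com%2Finvoice%3Fid%3D42%26view%3Dpdf&data=02%7C01%7Cuser%40example.com%7Cconstructed&sdata=constructed&reserved=0'

ConvertFrom-SafeLinksUrl -Url $sample | Format-List
```

The function only decodes the string and never requests the target, so it is safe to run against links from suspicious messages.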
Office 365 Message Header Analyzer
Use this tool to evaluate messages that have passed through Office 365. Simply open the message, select File | Properties, copy and paste the headers, and click the Analyze headers button.
Message Header Analyzer Plug-in for Outlook
This plug-in brings the functionality of the Message Header Analyzer into the Outlook client. After installing the plug-in via the Get App button on the home page, select a message in Outlook, and then click the MHA icon on the toolbar.
Whew! That's all the configuration news that's fit to print for now!