Office 365

Evolving Office 365 Advanced Threat Protection with URL Detonation and Dynamic Delivery

Share on Facebook Share on Twitter Share on Linkedin Share via OneNote Share via Email Print

We built Office 365 Advanced Threat Protection to provide nearly unparalleled email security with little impact on productivity. Advanced Threat Protection defends your organization from today’s growing and evolving advanced threats with powerful safeguards like Safe Links, which provides time-of-click protection to help prevent users from opening or accessing malicious links, and Safe Attachments, which protects users from opening malicious email attachments. Today, we’re pleased to announce availability of two new capabilities—URL Detonation and Dynamic Delivery—which improve the security Advanced Threat Protection provides while keeping people productive.

General availability of URL Detonation

URL Detonation helps prevent your users from being compromised by files linked to malicious URLs.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 1

Email with malicious link to PDF file. 

When a user receives an email, Advanced Threat Protection analyzes the URLs for malicious behavior. This new capability is in addition to the URL reputation checks that Advanced Threat Protection already does. If the user clicks a link during the scan, the message “This link is being scanned” is displayed. If the link is identified as malicious after the scan, a pop-window opens notifying the user that the file is malicious and warns the user against opening it.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 2

Link scan in progress notification (left). Malicious link notification (right).

IT admins can configure a SafeLink policy that turns on the URL trace to track user clicks, which is especially useful for instances when users can bypass the warning and click through to blocked pages. This enables them to appropriately focus on remediation efforts for impacted users while not disrupting the work of unaffected users.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 3

URL trace of user activity.

Public preview of Dynamic Delivery

Since introducing Safe Attachments, we have greatly reduced the time it takes to scan emails containing attachments. While any malware solution requires some small amount time to scan suspicious attachments, Advanced Threat Protection enables you to remain productive during this scan time. Now, with Dynamic Delivery, recipients can read and respond to the email while the attachment is being scanned. Dynamic Delivery delivers emails to the recipient’s inbox along with a “placeholder” attachment notifying the user that the real attachment is being scanned—all with minimal lag time.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 4

Users can read the email body while the attachment is scanned in a Safe Attachments sandbox.

If a user clicks the placeholder attachment, they see a message showing the progress of the scan. If the attachment is harmless, it seamlessly re-attaches to the email so the user can access it. If it is malicious, Office 365 Advanced Threat Protection will filter out the attachment.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 5

The scan progress page displayed when a user clicks an attachment undergoing a scan.

How to enable URL Detonation and Dynamic Delivery

URL Detonation can be enabled through the policy controls in the Safe Links admin window under settings. To enable URL Detonation, select the On radio button and then select the Use Safe Attachments to scan downloadable content checkbox.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 6

Admin control window for Safe Links policy. Both Linked Content Detection and Dynamic Email Delivery (through Safe Attachments) are enabled.

Dynamic Delivery can be activated through the policy controls from the Safe Attachments admin control window under Settings. Simply select the Dynamic Delivery radio button.

Advanced Threat Protection with URL Detonation and Dynamic Delivery 7

Admin control window for Safe Attachments policy with Dynamic Delivery activated.

How to get started with Advanced Threat Protection

To learn how to turn on the new Advanced Threat Protection capabilities in the Office 365 Security & Compliance Center, watch this Office Mechanics video. If you don’t yet have Advanced Threat Protection, sign up for a trial of Office 365 E5, which provides advanced security and compliance capabilities including Advanced Threat Protection.

We’re continuously trying to improve your experience on Office 365, so be sure to let us know what you think of these Advanced Threat Protection feature enhancements!

  1. are these features confined to web interface? Are they available to Outlook thick client?

  2. We have E3 plan. Can we buy ATP as an Add-On Product? or is it bundled only with E5?

    • Hello Vinod,

      Looks like ATP is available as an add-on product. Below is copied from this link:

      “How to buy Office 365 Advanced Threat Protection

      You can add Advanced Threat Protection to the following Exchange and Office 365 subscription plans: Exchange Online Plan 1, Exchange Online Plan 2, Exchange Online Kiosk, Exchange Online Protection, Office 365 Business Essentials, Office 365 Business Premium, Office 365 Enterprise E1, Office 365 Enterprise E2, Office 365 Enterprise E3, Office 365 Enterprise E4, Office 365 Enterprise K1, Office 365 Enterprise K2, Office 365 Education. To add Advanced Threat Protection to your subscription, contact your volume licensing reseller.”

  3. this article is very unclear about where you enable these settings? please clarify, is this in the 365 admin centre ( & where?) or OWA, or Outlook 2016, or group policy?

    • ATP policies are configured in the Exchange Admin Center under Advanced Threats.

    • You access Safe Links and Safe Attachments via the Security & Compliance Center. To get there, either log in to or go to your Office 365 Admin Console, and on the bottom left expand Admin Centers, and select “Security & Compliance”.

      Inside the S&C admin center, Safe Links and Safe Attachments are under “Threat Management”. Note that they will probably only appear if someone in your tenant either has an enterprise E5 license or if you’ve purchased the ATP add-on license.

  4. Wow, you would think this feature would be included in the Office 365 plans.

  5. Hi,

    Will the Link Detonation features interfere at all with one-time links like password resets and such? A lot of smaller websites burn the token they use in the link on the first get request, so I’m curious if this will do a get request to a link like that it sees in an email.


    • With Safe Links (link rewrite), we rewrite the links but do not click on it. So these one-time password links will not be clicked before the user sees it.
      With URL Detonation, we detonate links that point to files (For example: office files, PDFs, executables, etc). Since these one-time click password reset links do not fall into those categories, they will not be clicked on.


Comments are closed.