Information Technology A to Z Index IT Service Support Request

Advanced Threat Protection (ATP)

ATP header


EKU IT is pleased to announce that we will be enabling Office 365 Advanced Threat Protection (ATP) on our Microsoft systems soon.  In addition to other protections already in place, ATP helps protect the EKU community from malicious attacks by providing better spam and malware protection for email, SharePoint Online, OneDrive, and Microsoft Teams.

Even with this additional security, remember that you must take personal responsibility for your actions and be vigilant against attacks at all times.  Whether you know it or not, you are always a target for scammers and hackers. This includes your email and EKU Direct accounts as well as your PC, mobile devices, and other sources of personal information.  Protect these just as you guard your purse, wallet, or any other valuables!

One of the settings we are turning is the “Quarantine” feature that will catch some messages before they can arrive in a person’s junk email folder. As messages are caught and held, MS will send that user an email indicating there are messages in quarantine to review/delete/release. The benefit to the end user is that email messages containing malware might not even land on the user's device.

Every week you will receive an email from like the image below.  For each message you will se a Sender, Subject, Date, and three option boxes.  Some emails may have 1-2 messages and some will have more.  You should look through each of these in the event a legitimate email was flagged by Microsoft. 

Quarantine notification email

 The three options for each message are:

  • Block Sender.  If the sender is obvious spam, you can click this button to block them. If you click this, a browser window will pop up with this message:

    Spam blocked

  • Release.  If the message is not spam and you want it delivered to your email Inbox (Note: It may appear in the Inbox Junk Email folder), you can click this button. If you click this, a browser window will pop up with this message:

    release msg

  • Review. This will open the Details in a browser window.  You can click the Preview Message button to see the actual email to determine if it is spam.

    Msg Details

You can follow this link to see all messages in the quarantine folder:   (Login with EKU credentials)

Quarantine View


When you receive these, you can do the following actions on the alerts:

1. Do nothing. If you choose to do nothing (you KNOW it is a spam or phishing email), the message will be deleted by Office 365 automatically upon expiration (30 days).  Remember, when Office 365 deletes a message from quarantine, you can't get it back.

2. Preview.  This allows you to look at the message with no harm to your PC. (This does not include clicking links or opening attachments, however.

3. Release message.  Release a quarantined message (or set of messages) so that the message is sent to your mailbox.  When you release a message, you have the option to report the message to Microsoft for analysis.

When you choose to report a message, also called reporting a message as a false positive, the message is reported to the Microsoft Spam Analysis Team. The team evaluates and analyzes false positive messages, and, depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow these messages through.

4. Download message Lets you download the message as a .eml file. Once you download a message, you can review the .eml file using your email client before releasing the message.

5. Remove from quarantine.  EKU IT has disabled this since it is permanent plus they will be permanently deleted after 30 days of receipt.


After you select a message, you'll see a summary of the message properties in a pane on the right side of the page.

  • Message ID: The unique identifier for the message.
  • Sender Address: Who sent the message.
  • Received: The date the message was received.
  • Subject: The text of the Subject line in the message.
  • Quarantine reason: Shows if a message has been identified as Spam or Bulk.
  • Expires: The date when the message will be deleted from quarantine.
  • Released to: All email addresses (if any) to which the message has been released.
  • Not yet released to: All email addresses (if any) to which the message has not been released. You can choose Release if you want to release the message to your mailbox (more about releasing messages in the next section).

You can get even more details about the message by choosing one of the following options:

  • View message header Choose this to see the message header text. To analyze the header in depth, copy the message header text to your clipboard, and then choose Microsoft Message Header Analyzer to go to the Remote Connectivity Analyzer (right-click and choose Open in a new tab if you don't want to leave Office 365 to complete this task). Paste the message header onto the page in the Message Header Analyzer section, and choose Analyze headers.
  • Preview message Lets you see raw or HTML versions of the message body text. In the HTML view, links are disabled.


More about ATP  and creating email rules


Published on March 13, 2019