Skip to main content logo

CSU Logo - click to visit the CSU homepage

Advanced Threat Protection (ATP) for Email

Microsoft Advanced Threat Protection (ATP) is a new layer of email filtering and protection that works to protect your university Office365 email account. The key ATP protections include phishing mitigation, attachment scanning, and link/URL checking. These actions happen in real time with little/no delay to your messages.

Why we are using ATP?

Phishing, malware/virus delivery, and spoofed links continue to grow in sophistication and success worldwide. We are engaging Microsoft's tools to help protect our users and infrastructure.

What do I need to do?

You will notice an increase in the amount of email that is automatically placed into Junk Email and Quarantine, so we strongly suggest monitoring these areas. You can read more about this at

What ATP does to your email

Phishing Protection

  • Any message that is determined to be a phishing attempt will be moved to your Junk Email folder. No further action (such as "reporting to abuse") is required, unless a legitimate message ends up in the Junk Email folder. If that happens, contact

Attachment Scanning


  • The scanning process starts immediately after the message is received and usually takes less than a minute to complete
    Note: on occasion, some attachments will take longer to scan. Depending on the number, type and size of the attachment(s), and the method used by Microsoft to scan a particular attachment, the scan could take multiple minutes. Please be patient waiting for scans to complete.
  • While the scan is underway, a preliminary version of the email with the attachment removed is available in your inbox.
  • Once scanning is complete, the preliminary email message will be swapped out with the final one, including the safe attachment.


  • Examples of how the scan in progress version might look before scanning is complete:
    Another scan progress example
    Example of scan in progress
    Remember this may only appear for a few moments until the attachment has been scanned.
  • It is possible to click on this "scan in progress" version - you will be sent to a Microsoft page to view the attachment:
    example of clicking unfinished scan
  • When attachments are deemed unsafe you will still be able to see the email message, but the attachment will be rejected

Link/URL Checking

"Safe Links" provides time-of-click verification of web addresses (URLs) in email messages and Office documents. When clicking on the link in an email, the URL is scanned to determine if the link is safe: if so, the web page is presented.

  • URL/Link behaviors and appearance may be different from what you are used to: actions such as hovering over a link or copying a link may include special (safelinks) formatting or text in the URLs in some scenarios.
  • Links in email messages sent using "HTML" will keep their display (clickable) web links as written (e.g.
  • Links in email messages sent using plain text will have their display (clickable) links rewritten and will look similar to
  • Clicking on links deemed unsafe will cause a warning message to appear:
    warning about unsafe link



    Please email