Exclusive: Microsoft ‘Delay in fix to Advanced Threat Protection flaw’

Microsoft has admitted that there is a problem with its Advanced Threat Protection module, a paid-for add-on to Office 365, which allows malicious URLs to slip through its premium email protection product. 

Enterprise customers of Office 365 can pay an extra fee on top of the basic software-as-a-service price to add ATP. ATP features two components: Safe Attachments, which analyses attachments, and Safe Links, which provides real-time protection when a user clicks on a URL.

Safe Links rewrites URL links to route the HTTP request through Microsoft's servers. When the user clicks the link, Microsoft checks the target web page for malware before passing the URL to the user's browser. Users receive a warning message if the site is blocked or appears to contain malware.
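One way for an administrator to check delivered mail for links that skipped this rewriting step is sketched below. It is an added example, not code from Microsoft or from the article; the rewritten-link host suffix and the `url` query parameter are assumptions about the form of a rewritten link, and the sample message is constructed.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption: a rewritten link points at a host under this suffix and keeps
# the original destination in its "url" query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def classify(href):
    """Return (kind, value); kind is 'rewritten', 'unrewritten' or 'ignored'."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return "ignored", href                  # mailto:, tel:, cid: ...
    if (parts.hostname or "").endswith(SAFELINKS_SUFFIX):
        target = parse_qs(parts.query).get("url", [""])[0]
        if target:
            return "rewritten", target          # original destination
    return "unrewritten", href                  # not routed through the rewriter

def audit(raw_message):
    """Group every link in the message's HTML parts by classification."""
    report = {"rewritten": [], "unrewritten": [], "ignored": []}
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            for href in collector.hrefs:
                kind, value = classify(href)
                report[kind].append(value)
    return report

# Constructed sample message (not from the article).
SAMPLE = (
    "Subject: constructed sample\nContent-Type: text/html; charset=utf-8\n\n"
    '<a href="https://emea01.safelinks.protection.outlook.com/'
    '?url=https%3A%2F%2Fexample.com%2Fa&amp;data=x">rewritten</a>\n'
    '<a href="HTTP://Example.net/b">not rewritten</a>\n'
    '<a href="mailto:it@example.org">mail</a>\n'
)
```

Calling `audit(SAMPLE)` returns the links grouped by classification; any entry under `unrewritten` is a link that would open without passing through the rewriting service. Links in plain-text parts are not covered.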

Nick Ioannou, head of IT at the RG Partnership Ltd, told SC that he complained to Microsoft in September that Safe Links wasn't working in all instances. He says he submitted a ticket on 1 September and supplied additional information to Microsoft, which enabled its engineers to identify the problem and reply to him by 4 September.

In the reply, which SC has seen, Microsoft identified the cause of the problem and admitted that the flaw enables malicious links to pass through ATP unchecked.

It goes on to say: “You have received a few emails containing links which were not rewritten by ATP safe links… A request was opened to our product engineering team, and they confirmed that all urls... should be caught by ATP safe links. As such, they are currently working on finding a solution for this. However, there is no ETA for when a fix will be deployed, as this whole process requires extensive analysis and testing.”

Ioannou didn't want to go into the exact details of the flaw because it still hasn't been fixed, but it's safe to say that the danger arises from the interaction between ATP and Office 365, and that it could be solved by a rewrite of Safe Links.

But it has been more than two months now and Ioannou tells SC that the problem has not been fixed. In response to a chasing email, Microsoft wrote to Ioannou today saying: “The issue… is still under investigation by our Product Engineering team. Unfortunately, there is no ETA for a resolution as of yet.”

Ioannou told SC: “Microsoft has admitted they need to recode. When you pay extra for ATP and Safe Links, you don't expect this. Safe Links is designed to protect you against what I call the Jamie Oliver exploit: a link that looks clean when it goes through the email server today could direct you to a website with malware tomorrow.”

He felt that the product was not as mature as it could have been. “It should be in beta – it should never have been released and charged for,” he said.

SC asked Microsoft for a comment but no one from the company replied by the time of publication.
