For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Office 365 – Email Advanced Threat Protection (ATP)

Drexel IT has enabled Email Advanced Threat Protection (ATP) for all accounts that use the Office 365 cloud email service. ATP offers greatly improved spam and malicious software protection for your email account by scanning and testing all attachments for unsafe behavior and malicious code. In addition, ATP checks each message for links that might take you to a phishing or otherwise counterfeited web portal. All incoming messages will undergo both types of scan.

Note: For general information about Office 365 email at Drexel, see Office 365 Email Setup.

Safe Links

When a message contains a clickable image or text, the original address of the link will be replaced with a “safe link.” Safe links apply to ALL email sent to a Drexel mailbox, external or internal.

Safe links contain the string "" near the beginning of the URL, such as the example below:

Hovering over a link in email displays the safe link URL in Outlook's bottom bar. 

Safe links, whenever possible, will show you the original URL when you mouse over the link. If the original content cannot be displayed, it will show you the safe link that your browser will actually use if you click on the message. The original URL can also be viewed by copying the the safe link and then decoding it at

Safe Attachments

When a message contains one or more attachments, the message will be delivered and ATP will begin scanning the attachments. You can read the message body immediately, but the attachments won't be completely available until the safety scan is complete. You may, however, preview attachments deemed "safe" before scanning is complete.

If you open a message immediately after it appears in your Inbox, you might see the attachments listed as being scanned, as shown here. (Opening the "ATP Scan In Progress" attachment shows a message that explains the attachment sent to you is still being scanned.)

Placeholder attachment that shows threat scan is in progress. 

Safe Attachment scans typically complete in under 2 minutes, but they could take longer for large attachments. To see if the scan is complete, close and re-open the message.


If I mouse-over a link from a trusted source, why does it look like a weird address?

Hovering your mouse over hidden links is always a good practice, and can continue to serve you well even with Office 365 ATP enabled. When a link is found in an incoming email, ATP encodes the original destination in a placeholder to “” – the encoding makes the original link that looks weird. By pointing to the Safe Links service, no matter when you click a link, Office 365 can screen the original address and make sure it’s not a reported spam or phishing web site, protecting you even if the site is compromised after the message was delivered to your Inbox.

How do I forward a message or get the link with a Safe Link address?

Just as you normally would. The presence of the Safe Link address doesn't impede forwarding or the recipient's ability to open the link.

I received an email with an attachment but it just says, “ATP Scan In Progress – Outlook Item” instead of the file I was expecting. Why?

As each message comes in to Office 365, it is scanned for dangerous attachments. The message body can be read while that scan is in progress, but the attachments cannot because they aren't yet thought to be safe. While the attachment scan is ongoing–typically less than two minutes–you'll see a placeholder in the attachments area. Close the re-open the message to see if the scan is complete and the attachment is available. Note that even if you read the body of the email before the scan completed, following the scan, the message status will reset to unread.

Why is all incoming mail being scanned by ATP?

The ATP service provides advanced protection against malware and malicious Phishing attempts. It provides Drexel users with additional security and prevents many of the phishing attacks that compromise user credentials by blocking access to dangerous sites. Additionally, with threats like ransomware and cryptoviruses on the rise, tools like this allow the threat to be detected and removed before it reaches your computer, rather than relying on your personal antivirus program to stop the malicious code from executing when you try to read the message. The scanning process ATP uses tests links and opens files in a “detonation chamber”, which means it downloads files received into a protected environment on Microsoft’s servers, and then opens the documents in that environment to see if they trigger any malicious activity.

I clicked on a link in my email and it told me, “This website has been classified as malicious.” Why?

If a link in your message points to a location that has been verified to be malicious in some way, Safe Links will stop you from accessing that location when you click on the link. If you think a site has been blocked by mistake, please report it to by forwarding the message as an attachment (On PC: Click “More” in Outlook, then “Forward as Attachment” On Mac: Click “Message”, then “Forward as Attachment”). A blocked Safe Link will take you to a site like this:

Sample of message showing that an unsafe link was blocked.