4 min read

Office 365 Advanced Threat Protection: Plan 1 vs Plan 2

Featured Image

Office 365 Advanced Threat Protection (ATP) protects you by preventing dangerous links and malicious attachments from entering your organization via email and other tools (like SharePoint, OneDrive, and Teams). On the rare occasion that Office 365 ATP somehow fails to intercept these dangers, the automated investigation and response feature will kick in and remediate the breach. 

Security is essential but it isn't one size fits all. Feel like you're too small or maybe just immune to a cyberattack? Check out our cybersecurity page for some stop you in your track stats. In this blog post, we'll go over the differences between the features and pricing for Office 365 ATP Plan 1 and Plan 2 (aka P1 and P2) so you can decide which option best fits your security needs.

Note: This blog was last reviewed 2/2022. We do our best to keep all of our blogs up to date to offer you the best, most accurate guidance possible. If you notice otherwise, please drop a comment so we can update the blog. Thank you!

What is Advanced Threat Protection?


Features: Office 365 ATP Plan 1 vs Plan 2

With Office 365 ATP Plan 2 you get all of the features in Office 365 ATP Plan 1 plus the following 4 features:

  1. Threat Trackers: Threat Trackers are widgets and views that alert and educate you regarding different cybersecurity issues that could adversely affect your company. With Threat Tracker, you can see an overview of trending malware campaigns your company might be at risk for. You are also able to click into the overview for a more detailed report.

    Threat Trackers
  2. Explorer (Advanced Threat Investigation): Threat Explorer, also known as Explorer, is your security investigation hub. Use Explorer to synthesize and analyze threats and threat data, view attack volume over time, and even analyze data by threat families, attacker infrastructure, and more.

    Threat Explorer Screenshot
  3. Automated Investigation and Response: Automated investigation and response (AIR) helps to automate the revision, prioritization and response to alerts as they come in. This automation frees your team to focus on your most pressing threats first without losing sight of your entire threat landscape.
  4. Attack Simulator: It's always nice to have an idea of the game before you start playing, right? With Attack Simulator your team can run drills on realistic attack scenarios your organization might face. These drills help you find weak spots in your users or infrastructure before an attacker identifies them for you. The following example shows one such drill: a phishing attack. 
InkedAttack Simulator Phishing Email Example Minus Emails

In this scenario, the email identified Bruno and Joel (the co-owners of BEMO) as our decision-makers (they are), it used convincing industry-specific jargon like SSO (Single Sign-On), the email subject line was innocuous and the sender's address was a company address. Overall, it could have been a very convincing email (minus the extra lengthy link and having being sent to only one person) and if real and clicked, it could have done some serious damage. With Attack Simulator, you learn the game and level up the playing field.

Curious what your risk is? Click below to take our free 3-minute assessment (no email required) 👇

Office 365 ATP Pricing

  • Office 365 ATP Plan 1 and Office 365 ATP Plan 2 are each available as standalone plans.

  • Office 365 ATP Plan 1 is included in Microsoft 365 Business Premium (formerly known as Microsoft 365 Business). What’s the difference between Microsoft 365 and Office 365? Read our blog Microsoft 365 vs. Office 365 to find out.

  • Office 365 ATP Plan 2 is included in Office 365 E5 and Microsoft 365 E5.

  • Not included in your plan? View the table below for pricing:

Office 365 ATP - "A La Carte"

ATP Plan 1 vs. Plan 2

All Office 365 ATP Features 

Now that we know their differences, we'll discuss the following standard features available with both Plan 1 and Plan 2:

Anti-Phishing: Remember that confusing email you got from your CEO, Dave, asking you to complete a wire he “forgot to initiate”? You don’t if you have ATP. With ATP (P1 or P2) tricky Phishing and Spear Phishing attacks never even make it to your inbox so you never have to worry about navigating strange requests (or accidentally help to hack the company) again.

ATP Anti-Phishing

Safe Attachments: Safe Attachments opens any document attached to an email in a separate, protected virtual environment (a “sandbox”) to check that the attachment is safe. If the attachment is deemed unsafe, it is sent into a detonation chamber (pretty cool, huh?). 1 billion items are detonated monthly, and information about the unsafe content feeds back into Microsoft’s Intelligent Security Graph to continuously improve their machine learning.

Safe Links: Concerned about click happy employees? You probably should be. 91% of cyberattacks start with phishing emails, emails which often contain unassuming (yet damaging) links you or your employees could click on. “But...it’s in my inbox, it should be safe, right?” With ATP, the answer is emphatically “Yes”. Safe Links examines the URL of every link you click in real time in a sandbox (separate, sequestered, safe) environment. If the link is deemed unsafe, a warning immediately alerts you to the danger of the link. Safe URLs are recorded, creating a feedback loop to further inform your security agenda. 

ATP Safe Links

Anti-Spam: Love arriving to work with a tidy inbox? ATP makes that a reality by filtering out the spam emails attempting to clog your inbox.

Spoof Intelligence: This feature ensures that senders are who they claim to be and sources are where they claim to be from. For example: when you get an email from Bank of America, Advanced Threat Protection verifies that the email actually came from Bank of America’s domain. The same verification occurs with senders.

ATP for SharePoint, OneDrive, and Teams: Make sure your organization is protected when users share files and collaborate by identifying and blocking malicious files in team sites and document libraries. ATP helps detect and block files that are identified as malicious in team sites and document libraries and lock them. The file "Billing_Contoso_May_20" below is identified as malicious and is locked.

Malicious file ATP

Anti-Malware: Microsoft uses anti-virus/anti-malware engines to detect malicious content meaning your company won’t be crawled or controlled by hackers stealing your data and money (and reputation).

Want a more in-depth overview of all the Office 365 ATP features? Watch this video from Microsoft Mechanics to learn more.



Next Steps

Looking to implement Office 365 ATP? Read our blog post: How to Set Up Office 365 Advanced Threat Protection. Don't want to do it yourself? We can implement it for you as part of our email security plan.

Want to talk to someone about Office 365 ATP? Schedule a call with us below:


Leave us a comment!