If you are an Office 365 Enterprise global administrator, security administrator, or security reader, you can view reports for Office 365 Advanced Threat Protection (ATP) in the Security & Compliance Center. (Go to Reports > Dashboard.)

ATP reports include new real-time reports, the Threat protection status report, the ATP Message Disposition report, and the ATP File Types report.
Note: Advanced Threat Protection is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.
In addition to the ATP reports described in this article, email security reports are available. Email security reports include a top senders and receivers report, a spoof mail report, a spam detections report, and more. See View email security reports in the Security & Compliance Center.
(New!) Real-time reports
Real-time reports are available in the Security & Compliance Center. The real-time reports include a malware report for email, a user-reported messages report, a phish report for email, and a malware report for files.
Important: The new ATP real-time reports are pivoted by recipient counts with message times displayed in local time zones. This differs from the Threat protection status report, which aggregates the number of email messages displayed in UTC.
Malware report for email
The malware report for email shows you incoming and outgoing email that has been classified as malware.
To view and use the malware report for email
-
Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.
-
Go to Threat management > Explorer.
-
In the View menu to choose Email > Malware.
-
By default, the report shows data for the past seven days.
This enables you to take action quickly. However, you can use the date filters to change the date range.
-
Below the chart, in the Email list, choose an item to view more information. For example, you can see the details, attachments, similar email messages, and advanced analysis information for each message listed in the report.
User-reported messages report
The user-reported messages report is one of the email security reports in the Security & Compliance Center. This report shows information about email messages that people reported as junk or malware, and junk mail that people reported as good mail (not junk).
To learn more, see user-reported messages report.
Phish report for email
The phish report for email shows information about email messages that were identified as phishing attempts sent to people in your organization.
View and use the phish report for email
-
Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.
-
Go to Threat management > Explorer.
-
In the View menu to choose Email > Phish.
-
By default, the report shows data for the past seven days.
This enables you to take action quickly. However, you can use the date filters to change the date range.
-
Below the chart, in the Email list, choose an item to view more information.
Malware report for files
The malware report for files shows you files that were identified as malware in SharePoint Online, OneDrive for Business, or Microsoft Teams.
View and use the malware report for files
-
Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.
-
Go to Threat management > Explorer.
-
In the View menu to choose Content > Malware.
-
By default, the report shows data for the past seven days.
This enables you to take action quickly. However, you can use the date filters to change the date range.
-
Below the chart, in the Document list, choose an item to view more information. For example, you can see the date, file name, library (SharePoint Online, OneDrive for Business, or Microsoft Teams) where the malicious file was found, how the file was detected, and its file size.
Threat protection status report
The Threat protection status report is a single view that brings together information about malicious content found and blocked by Exchange Online and Advanced Threat Protection.
To view the Threat protection status report, the Security & Compliance Center, go to Reports > Dashboard > Threat protection status.
To get detailed status for a day, hover over the graph. The report provides an aggregated count of unique email messages with malicious content (files or URLs) blocked by the anti-malware engine, zero-hour auto purge (ZAP), and Advanced Threat Protection features, such as ATP Safe Links and ATP Safe Attachments.
Underneath the chart, you'll see a detailed list of the detections, including subject lines and how each item was detected. Select an item to view additional details, including the item's file name, whether the item was inbound or outbound, and how it was detected.
For malware caught ATP Safe Attachments, on the Details page, choose Advanced Analysis to view more information, including the observed behavior and analysis details for a selected item.
ATP File Types report
The ATP File Types report shows you the type of files detected as malicious by ATP Safe Attachments.
To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.
When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP Safe Attachments. Click (or tap) the ATP File Types report to open it in a new browser window, where you can get a more detailed view of the report.

Below the chart, you'll see details about the malicious email messages that were detected, including the recipient's email address, the sender's email address, and the file name. Select an item in the list to view additional details about that item, including what actions were taken for the malicious URL or file.
ATP Message Disposition report
The ATP Message Disposition report shows you the actions that were taken for email messages that were found to have malicious files.
To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.
Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.
Below the chart, you'll see a list of detected email messages and what actions were taken, according to the policies that are defined for your organization.
What if the reports aren't showing data?
If you are not seeing data in your reports, double-check that your policies are set up correctly. Your organization must have ATP Safe Links policies and ATP Safe Attachments policies defined in order for ATP protection to be in place. Also see Anti-spam and anti-malware protection in Office 365.
Related topics
View email security reports in Office 365 Enterprise
Overview of the Office 365 Security & Compliance Center
Office 365 Threat Intelligence overview