View reports for Office 365 Advanced Threat Protection

If you are an Office 365 Enterprise global administrator, security administrator, or security reader, you can view reports for Office 365 Advanced Threat Protection (ATP) in the Security & Compliance Center. (Go to Reports > Dashboard.)

The Security & Compliance Center dashboard can help you see where Advanced Threat Protection is working

ATP reports include new real-time reports, the Threat protection status report, the ATP Message Disposition report, and the ATP File Types report.

Note: Advanced Threat Protection is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.

In addition to the ATP reports described in this article, email security reports are available. Email security reports include a top senders and receivers report, a spoof mail report, a spam detections report, and more. See View email security reports in the Security & Compliance Center.

(New!) Real-time reports

Real-time reports are available in the Security & Compliance Center. The real-time reports include a malware report for email, a user-reported messages report, a phish report for email, and a malware report for files.

Important: The new ATP real-time reports are pivoted by recipient counts with message times displayed in local time zones. This differs from the Threat protection status report, which aggregates the number of email messages displayed in UTC.

Malware report for email

The malware report for email shows you incoming and outgoing email that has been classified as malware.

The Malware for email report shows incoming and outgoing email identified as malware

  1. Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.

  2. Go to Threat management > Explorer.

  3. In the View menu to choose Email > Malware.

    Use the View menu to choose between Email and Content reports

  4. By default, the report shows data for the past seven days.

    The Malware for email report shows data for the past seven days by default

    This enables you to take action quickly. However, you can use the date filters to change the date range.

  5. Below the chart, in the Email list, choose an item to view more information. For example, you can see the details, attachments, similar email messages, and advanced analysis information for each message listed in the report.

    You can view more information, such as summary, details, and advanced analysis for each message

User-reported messages report

The user-reported messages report is one of the email security reports in the Security & Compliance Center. This report shows information about email messages that people reported as junk or malware, and junk mail that people reported as good mail (not junk).

The User-Reported Messages report shows messages users labeled as junk, not junk, or phishing attempts.

To learn more, see user-reported messages report.

Phish report for email

The phish report for email shows information about email messages that were identified as phishing attempts sent to people in your organization.

The phish report for email shows information about detected phishing messages

  1. Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.

  2. Go to Threat management > Explorer.

  3. In the View menu to choose Email > Phish.

    Use the View menu to choose between Email and Content reports

  4. By default, the report shows data for the past seven days.

    This enables you to take action quickly. However, you can use the date filters to change the date range.

  5. Below the chart, in the Email list, choose an item to view more information.

Malware report for files

The malware report for files shows you files that were identified as malware in SharePoint Online, OneDrive for Business, or Microsoft Teams.

With the Malware for files report, you can see a list of files identified as malware in SharePoint Online, OneDrive, or Microsoft Teams

  1. Go to https://protection.office.com and sign in with your work or school account. This takes you to the Security & Compliance Center.

  2. Go to Threat management > Explorer.

  3. In the View menu to choose Content > Malware.

    Use the View menu to choose between Email and Content reports

  4. By default, the report shows data for the past seven days.

    By default, the Malware for files report shows data for the past seven days.

    This enables you to take action quickly. However, you can use the date filters to change the date range.

  5. Below the chart, in the Document list, choose an item to view more information. For example, you can see the date, file name, library (SharePoint Online, OneDrive for Business, or Microsoft Teams) where the malicious file was found, how the file was detected, and its file size.

Threat protection status report

The Threat protection status report is a single view that brings together information about malicious content found and blocked by Exchange Online and Advanced Threat Protection.

To view the Threat protection status report, the Security & Compliance Center, go to Reports > Dashboard > Threat protection status.

Use this report to see what malware, malicious links, and malicious attachments were detected by ATP

To get detailed status for a day, hover over the graph. The report provides an aggregated count of unique email messages with malicious content (files or URLs) blocked by the anti-malware engine, zero-hour auto purge (ZAP), and Advanced Threat Protection features, such as ATP Safe Links and ATP Safe Attachments.

Underneath the chart, you'll see a detailed list of the detections, including subject lines and how each item was detected. Select an item to view additional details, including the item's file name, whether the item was inbound or outbound, and how it was detected.

Select an item in the Protection Status report to view additional details

For malware caught ATP Safe Attachments, on the Details page, choose Advanced Analysis to view more information, including the observed behavior and analysis details for a selected item.

On the Details page, choose Advanced Analysis to view more information about a selected item.

ATP File Types report

The ATP File Types report shows you the type of files detected as malicious by ATP Safe Attachments.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP File Types.

Use the ATP File Types report to see how many malicious URLs and files were detected

When you hover over a particular day, you can see the breakdown of types of malicious files that were detected by ATP Safe Attachments. Click (or tap) the ATP File Types report to open it in a new browser window, where you can get a more detailed view of the report.

In the ATP File Types report, hover over a day to see how many malicious URLs and files detected

Below the chart, you'll see details about the malicious email messages that were detected, including the recipient's email address, the sender's email address, and the file name. Select an item in the list to view additional details about that item, including what actions were taken for the malicious URL or file.

ATP Message Disposition report

The ATP Message Disposition report shows you the actions that were taken for email messages that were found to have malicious files.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > ATP Message Disposition.

Use the ATP Message Disposition Report to see how email messages were handled after malware detection

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

In the Security & Compliance Center Dashboard, choose ATP Message Disposition to view this report in more detail.

Below the chart, you'll see a list of detected email messages and what actions were taken, according to the policies that are defined for your organization.

What if the reports aren't showing data?

If you are not seeing data in your reports, double-check that your policies are set up correctly. Your organization must have ATP Safe Links policies and ATP Safe Attachments policies defined in order for ATP protection to be in place. Also see Anti-spam and anti-malware protection in Office 365.

Related topics

View email security reports in Office 365 Enterprise
Overview of the Office 365 Security & Compliance Center
Office 365 Threat Intelligence overview

Facebook LinkedIn Email
Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×