Advanced Threat Protection Whitelist
Currently, Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive a PDF file or scan from the person in the office next to you. We need a way to create whitelists and/or transport rules for ATP in the same way there is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that the ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with a value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
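The transport rule described in the reply above, followed by an audit of every rule that stamps either skip header, as an added PowerShell example (not part of the original reply or of Microsoft's documentation). It assumes a connected Exchange Online PowerShell session; the rule name and the 192.0.2.0/28 range are placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Rule name and IP range (192.0.2.0/28, a documentation range) are placeholders.
$skipHeaders = @(
    'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
    'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
)

# 1. Create a narrowly scoped exception: only mail arriving from the
#    scanner's IP range gets the skip header stamped.
$ruleParams = @{
    Name           = 'Skip Safe Attachments - office scanner (placeholder)'
    SenderIpRanges = '192.0.2.0/28'
    SetHeaderName  = $skipHeaders[0]
    SetHeaderValue = '1'
    Comments       = 'Scanner-to-mailbox PDFs only. Owner and review date go here.'
}
New-TransportRule @ruleParams

# 2. Audit: list every rule that stamps either skip header, and flag rules
#    that carry no sender-side condition, since those exempt far more mail
#    than a single device.
Get-TransportRule |
    Where-Object { $skipHeaders -contains $_.SetHeaderName } |
    Select-Object Name, State, Priority, SetHeaderName, SetHeaderValue,
        @{ Name = 'SenderIpRanges'; Expression = { $_.SenderIpRanges -join ', ' } },
        @{ Name = 'From';           Expression = { $_.From -join ', ' } },
        @{ Name = 'NoSenderCondition'; Expression = {
            -not ($_.SenderIpRanges -or $_.From -or $_.FromScope -or $_.SenderDomainIs)
        } } |
    Sort-Object Priority |
    Format-Table -AutoSize
```

Running the audit half on a schedule keeps a record of which exceptions exist and who they cover.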
Frank Martinez commented
Microsoft needs to provide a mechanism for customers to refute their adjudications of URLs. I am using a 3rd party service that provides web-based security awareness training, and Microsoft is flagging the URL to their site as unsafe. I tried adding the URL to the Safelinks whitelist (following Microsoft's documentation), but it's not working. Even so, this is something that shouldn't just be whitelisted for me, it should be whitelisted for everyone. Whatever automated mechanism decided that this site was unsafe is incorrect, and there doesn't seem to be any way for a customer to submit a correction.
Just got hit by a false positive on my safe links and now I have hundreds of people that can't access a link from our vendor because ATP thinks it's a phishing campaign. It would be fantastic if ATP could add an action to let me allow this URL. Using mail flow rules or bypasses is kind of archaic compared to the intelligence behind this system.
Looks like I'm up the creek!!!
This no longer works. We need an updated solution.
This solution no longer works on Office 365. I worked with Microsoft support for weeks and found out that the emails are scanned and quarantined prior to Exchange Mailflow rules (I believe the scanning engine is officially called Advanced Threat Protection). This means that adding headers will have no effect. Currently there is no way to whitelist for ATP malware filtering. None of the connection rules in Exchange have any effect. The settings allow for rules based on recipient, but nothing for sender. I have started a new uservoice to get this issue addressed again: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/36565708-advanced-threat-protection-whitelist-2019
David Grand commented
So far in my testing your "solution" with the mail flow rule is not working. I set the rule up about 20 minutes ago and mail from our scanner's IP RANGE is still getting scanned. This is not a problem if ATP gave our users the attachment eventually but we have seen scans run for many hours. One page documents that get scanned for many hours. Not good.
Why can't we add an exception if the sender is...
Internally, users who send .docm files to each other get blocked for malware when it's not and there seems to be no way around this at the moment.
Callens Christophe commented
Please offer this: our scanners will never send a virus
->> I would really like to see a filtering option that lets you define senders, not just recipients, in ATP.
It seems adding a rule to stamp the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing value 1 works but does not actually show in the header after the client receives it. Can anyone confirm this?
I would really like to see a filtering option that lets you define senders, not just recipients, in ATP.
Other online filtering services such as FireEye are nearly instant scans. I don't understand the difference between this service and Microsoft ATP. The delay is not business friendly which works at a high rate of speed or sales may be lost.
This is **** ! I can't open any important links in my mail. I did not ask for this.
Please remove this from my mail.
I really appreciate Microsoft for coming out with the extra measures to protect the user from hackers and possible virus attack. However if the scan took 30 minutes, it is certainly worth the wait. BUT I have a concern here, I've some email which was sent to me, in January 2018 AND when I look back into the email, it is still under ATP scan. This is certainly not just 30 minutes, it is more than 30 days.
Internal attachments that are known to be safe are being blocked by the ATP safe attachment policy. Microsoft must improve the product by at least allowing to whitelist the senders.
Tom Scalish commented
Unable to use ATP until Microsoft adds an exception from a sender to the rule.
Our mainframe pumps out hundreds of Excel reports that are known to be safe,
During a test of the product the user frustration waiting for known safe attachments to be scanned was very frustrating.
1/18/2018 still no solution from Microsoft on this one... and the explanation is that you can go outside the product to try and address it thru a transport rule... That's user friendly ( not )
Trent_ B commented
There seems to have been a service disruption yesterday where even small files were taking up to 30 mins to scan and be delivered. This happened to 3 different users. 2 were internal senders and one was an external sender. Not sure that this is the right place for this comment, but thinking it would be nice if ATP had its own Service Status category.
Gaurav Anand commented
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are getting generated from the actual account hosted in Office 365 the emails are considered to be safe and land in users' Inbox. We have ATP safe links policy in place however it's not performing the job as expected. ATP is a great feature but we request you all to look in this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
I would like to add also my feedback, it's weird for a company like Microsoft to not have planned to let people using ATP permit an exception based on the sender instead of only the receiver.
I also needed to create a more complex exception just because of an avatar image inside a notification email from Confluence....
Chris Littlefield commented
We have tested adding an IP address mail flow rule with the following action:
Set the message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' to the value '1'
This does not have an effect on ATP blocking attachments. Is there something I'm missing to get this rule to work?