Advanced Threat Protection Whitelist
Currently, Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30 min to receive a PDF file or scan from the person in the office next to you. We need a way to create white-lists and/or transport rules for ATP in the same way there is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that the ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with a value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
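Because the header rule described in the response above lets matching mail skip scanning, it helps to audit which rules stamp it and how tightly each is scoped. The PowerShell below is an added example, not from the original thread or from Microsoft; the sample rule objects are constructed, and their property names are assumed to match what Get-TransportRule returns.

```powershell
# Added example. In a live Exchange Online session use: $rules = Get-TransportRule
# The objects below are constructed samples (names, IPs and domains are made up).
$bypassHeaders = @(
    'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
    'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
)
$rules = @(
    [pscustomobject]@{ Name = 'Skip ATP - mainframe reports'; State = 'Enabled'
        SetHeaderName = $bypassHeaders[0]; SetHeaderValue = '1'
        SenderIpRanges = @('192.0.2.25'); FromScope = $null; From = $null; SenderDomainIs = $null }
    [pscustomobject]@{ Name = 'Skip ATP - all internal'; State = 'Enabled'
        SetHeaderName = $bypassHeaders[0]; SetHeaderValue = '1'
        SenderIpRanges = $null; FromScope = 'InOrganization'; From = $null; SenderDomainIs = $null }
    [pscustomobject]@{ Name = 'Skip links - partner'; State = 'Enabled'
        SetHeaderName = $bypassHeaders[1]; SetHeaderValue = '1'
        SenderIpRanges = $null; FromScope = $null; From = $null; SenderDomainIs = @('example.com') }
    [pscustomobject]@{ Name = 'Disclaimer'; State = 'Enabled'
        SetHeaderName = $null; SetHeaderValue = $null
        SenderIpRanges = $null; FromScope = $null; From = $null; SenderDomainIs = $null }
)

function Get-AtpBypassRule {
    param([Parameter(Mandatory)] [object[]] $Rule)
    foreach ($r in $Rule) {
        # Only rules that stamp one of the two skip headers with the value 1
        if ($r.SetHeaderName -notin $bypassHeaders -or "$($r.SetHeaderValue)" -ne '1') { continue }
        $scope = if ($r.SenderIpRanges)     { 'Sender IP range' }
                 elseif ($r.From)           { 'Named senders' }
                 elseif ($r.SenderDomainIs) { 'Sender domain' }
                 elseif ($r.FromScope)      { "FromScope=$($r.FromScope)" }
                 else                       { 'No sender condition' }
        $finding = switch ($scope) {
            'Sender IP range'     { 'Narrow: tied to the sending IP address' }
            'No sender condition' { 'Broad: no sender restriction on the bypass' }
            default               { 'Review: a compromised or impersonated sender in scope also skips scanning' }
        }
        [pscustomobject]@{ Rule = $r.Name; State = $r.State; Header = $r.SetHeaderName
                           Scope = $scope; Finding = $finding }
    }
}

Get-AtpBypassRule -Rule $rules | Format-Table -AutoSize -Wrap
```

With the constructed input, three rules are reported and the disclaimer rule is ignored; only the IP-scoped rule is rated narrow.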
It seems adding a rule to stamp the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing value 1 works but does not actually show in the header after the client receives it. Can anyone confirm this?
I would really like to see a filtering option that lets you define senders, not just recipients, in ATP.
Other online filtering services such as FireEye are nearly instant scans. I don't understand the difference between this service and Microsoft ATP. The delay is not business friendly which works at a high rate of speed or sales may be lost.
This is **** ! I can't open any important links in my mail. I did not ask for this.
Please remove this from my mail.
I really appreciate Microsoft for coming out with the extra measures to protect the user from hackers and possible virus attack. However if the scan took 30 minutes, it is certainly worth the wait. BUT I have a concern here, I've some email which was sent to me, in January 2018 AND when I look back into the email, it is still under ATP scan. This is certainly not just 30 minutes, it is more than 30 days.
Internal attachments that are known to be safe are being blocked by the ATP safe attachment policy. Microsoft must improve the product by at least allowing to whitelist the senders.
Tom Scalish commented
Unable to use ATP until Microsoft adds an exception from a sender to the rule.
Our mainframe pumps out hundreds of Excel reports that are known to be safe.
During a test of the product the user frustration waiting for known safe attachments to be scanned was very frustrating.
1/18/2018 still no solution from Microsoft on this one... and the explanation is that you can go outside the product to try and address it thru a transport rule... That's user friendly ( not )
Trent_ B commented
There seems to have been a service disruption yesterday where even small files were taking up to 30 mins to scan and be delivered. This happened to 3 different users. 2 were internal senders and one was an external sender. Not sure that this is the right place for this comment, but thinking it would be nice if ATP had its own Service Status category.
Gaurav Anand commented
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts gets compromised. We had a lot of incidences happening in our environment. As these emails are getting generated from the actual account hosted in Office 365 the emails are considered to be safe and land in users' Inbox. We have ATP safe links policy in place however it's not performing the job as expected. ATP is a great feature but we request you all to look in this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
I would like to add also my feedback, it's weird for a company like Microsoft to not have planned to give people using ATP to permit an exception based on the sender instead of only the receiver.
I also needed to create a more complex exception just because of an avatar image inside a notification email from Confluence....
Chris Littlefield commented
We have tested adding an IP address mail flow rule with the following action:
Set the message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' to the value '1'
This does not have an effect on ATP blocking attachments. Is there something I'm missing to get this rule to work?
Come on Microsoft. It is now August 2017. The company I work for is paying for this Exchange Advanced Protection and we are only using half of its capabilities. We want the ability to white-list internal emails before we turn "safe attachments" feature on again. What is also nice to have is the ability to add external senders to a white-list.
Matthew Peronto commented
This issue should not be closed. Our users would like an internal whitelist, if nothing else: "Except if the sender domain is..." seems like a no brainer. (Along with SPF, maybe)
Another vote for white list.. All the other competitors have this feature.. step up and make it
This isn't a user friendly solution, but it's not a workaround. It does resolve the issue. I agree that a user friendly white-list should be implemented in addition to this solution.
Honestly I consider the "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" a work around which did not address the issue. A "white-list" would, but it appears you are not planning on doing this?
Michael Uribe commented
So it marks this issue as addressed but there is still no Whitelist available. Also I see no documentation that was mentioned in the addressing post. This is still a glaring issue for our organization when it comes to ATP.
Really, it should allow domains too, like http://www.staples.com/* since many people send links that are not only the exact url but pages in that same domain which are expected to be safe.
Thanks for the comment. I read the other posts just after I posted. I didn't realize we could delete comments now. I would have done so if I knew that was an option. Thanks again, I'm glad to see the positive answer to this question.