Advanced Threat Protection Whitelist
Current Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive the a PDF file or scan the from the person in the office next to you. We need a way to create a white-lists and or transport rules for ATP in the same way their is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.
Please understand that ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.
For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.
For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.
Gaurav Anand commented
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts gets compromised. We had a lot of incidences happening in our environment, As these emails are getting generated from the actual account hosted in Office 365 the email are considered to be safe and lands in users Inbox. We have ATP safe links policy in place however its not performing the job as expected. ATP is a great feature but we request you all to look in this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
i would like to add also my feedback, its weird for a company like Microsoft to do not have planned to give people using ATP to permit an exception based on the sender instead of only the receiver.
I also needed to create a more comple exception just because of an avatar image inside a notification email from confluence....
Chris Littlefield commented
We have tested adding an IP address mail flow rule with the following action:
Set the message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' to the value '1'
This does not have an effect on ATP blocking attachments. Is there something I'm missing to get this rule to work?
Come on Microsoft. It is now August 2017. The company I work for is paying for this Exchange Advanced Protection and we are only using half of its capabilities. We want the ability to white-list internal emails before we turn "safe attachments" feature on again. What is also nice to have is the ability to add external senders to a white-list.
Matthew Peronto commented
This issue should not be closed. Our users would like an internal whitelist, if nothing else: "Except if the sender domain is..." seems like a no brainer. (Along with SPF, maybe)
Another vote for white list.. All the other competitors have this feature.. step up and make it
This isn't a user friendly solution, but it's not a workaround. It does resolve the issue. I agree that a user friendly white-list should be implemented in addition to this solution.
Honestly I consider the "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" a work around which did not address the issue. A "white-list would but it appears you are not planning on doing thsi?
Michael Uribe commented
So it marks this issue as addressed but there is still no Whitelist availalbe. Also I see no documentation that was mentioned in the addressing post. This is still a glaring issue for our organization when it comes to ATP.
Really, it should allow domains too, like http://www.staples.com/* since many people send links that are not only the exact url but pages in that same domain which are expected to be safe.
Thanks for the comment. I read the other posts just after I posted. I didn't realize we could delete comments now. I would have done so if I knew that was an option. thanks again, I'm glad to see the positive answer to this question.
@Caleb, No, see the prior response. "Header firewall" feature in Exchange prevents this.
Can malicious senders outside our organization add the header "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" with a value of 1 to their emails and effectively bypass the safe attachment processing?
@Mauro - Yes, as with all MSExchange headers, these are protected from anonymous injection by the header firewall, for example see: https://technet.microsoft.com/library/bb232136.aspx
Ulrich Bernskov commented
Why is something as trivial as whitelisting not an option.
Just like SPAM handling?
I have tried the X-MS headerinjection and that made no difference. It still takes 5-15 minutes.
Paul B. commented
With regards to X-MS-Exchange-Organization-SkipSafeAttachmentProcessing, two questions:
- is there a mechanism to prevent malicious senders to inject the header from outside the organizazion in certain emails?
- is there a similar header to disable safe links processing (which, in turn, is very limited in therms of configuration)?
I agree with the rest of the comments here, this needs improved granularity on the filtering, whether whitelist by email address or IP address for likes of multi function printer/scanners.
This needs to be sorted and quickly to make ATP a sensible user application especially in that its is an additional bolt on subscription.
I am SO GLAD that we are not alone in having this issue. We too resist a workaround that may compromise the security service that we are paying to have. An ATP sender white list would address this completely. Unfortunately, I get the impression from support that there is not an ATP team who we can take this to.
Very interesting comment Brad Busch. Microsoft, can you please address Brad's comment? The only thing I can think of that an admin can do at this point is to create a rule that has a higher priority then the rule suggested that says, reject any email that has this header.