Implement A Proper Quarantine Mailbox for Advanced Threat Protection's Safe Attachments
We're seeing tons of mail get caught by the Safe Attachments feature in ATP and the experience is horrible. The only way to monitor blocked attachments right now is to hope that the user notifies you that their email is missing an attachment or utilize the "feature" that allows you to copy all blocked attachments to another mailbox. Usually I check that and it turns out to be a false positive, but guess what, I can't forward it on to my user because it'll block it again. Recipient-based filtering is a terrible option and the whitelisting capabilities are another sore spot as addressed by another bit of feedback here -- https://office365.uservoice.com/forums/289138-compliance-protection/suggestions/9292590-advanced-threat-protection-whitelist
Please vote for both of these to be resolved.
You could exclude mail sent from the quarantine mailbox from Safe Attachment filtering using an ETR.
The ETR would be:
1. Condition = From quarantine mailbox
2. Action = Set the message header to this value. Enter in this header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and set the value to 1
That will cause Safe Attachments to skip.
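The rule described in the reply above, written as Exchange Online PowerShell. This is an added example, not part of the original thread: the mailbox address and rule name are placeholders, and the `-FromScope InOrganization` condition is an extra restriction not in the reply, included so the skip only applies when that sender address is used on mail originating inside the organization.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the account running it can manage transport rules.
Connect-ExchangeOnline

# Placeholders, not values from the thread.
$QuarantineMailbox = 'atp-quarantine@contoso.example'
$RuleName          = 'Skip Safe Attachments for quarantine releases'

# Stop here if the shared mailbox does not exist, so the rule is never
# created against a mistyped address.
$null = Get-Mailbox -Identity $QuarantineMailbox -ErrorAction Stop

# Create the rule only once; re-running the script leaves an existing rule alone.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    $ruleParams = @{
        Name           = $RuleName
        # Condition from the reply: the sender is the quarantine mailbox.
        From           = $QuarantineMailbox
        # Extra restriction (assumption, not in the reply): internal senders only,
        # so an external message using this From address does not match.
        FromScope      = 'InOrganization'
        # Action from the reply: stamp the header that makes Safe Attachments skip.
        SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
        SetHeaderValue = '1'
        Comments       = 'Lets admins release reviewed false positives from the quarantine mailbox.'
    }
    New-TransportRule @ruleParams
}

# Confirm what was actually stored before relying on it.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, From, FromScope, SetHeaderName, SetHeaderValue
```

Anyone with Send As rights on the quarantine mailbox can deliver attachments unscanned through this rule, so those permissions are worth reviewing along with the rule itself.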
John Fedor commented
ATP should have the option to redirect to the centralized quarantine. We've put in the Band-Aid similar to Taylor.
Taylor Higley commented
In our case, we have blocked the messages and redirect all messages to a Shared Mailbox. We periodically check this "quarantine" mailbox.