Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Advanced Threat Protection Whitelist 2019

ATP needs a way to whitelist inbound email (IP or domain) from being quarantined as malware. Back in 2016 this issue was resolved by adding exchange mail flow rules to add headers. However, this method no longer works, and Microsoft support (ticket 12611412) confirms that ATP filters before mail rules are applied, and there is no way to whitelist inbound IP's to bypass ATP malware filtering. The only options in the settings is based on recipient. In my case, I want to whitelist to allow a Security Awareness Training provider to send test emails to our users. ATP is incorrectly identifying attachments as malware. Here is the original Uservoice that no longer works:
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/9292590-advanced-threat-protection-whitelist

151 votes
Vote
Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

14 comments

Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
Submitting...
  • Al Douglas commented  ·   ·  Flag as inappropriate

    The ETR method still appears to have the desired outcome from my testing, but it should be noted that the header added by the transport rule is not preserved for security reasons, but adding the header via ETR still appears to have the desired effect of skipping attachment detonation / safe links rewrite. If this is found not to be the case, please log a call with support.

  • Royce Lithgo commented  ·   ·  Flag as inappropriate

    This is really needed.There should additional configurations for the malware filter to control when it is triggered or bypassed.

  • Mike commented  ·   ·  Flag as inappropriate

    We have elected to remove the scanning of attachments because of long delays in excess of 1-2 hours, not acceptable for anyone. Crazy that they would let this issue continue. In my mind, this is a beta product. If you want to bypass scanned documents, you might use the email address using the "onmicrosoft" email domain and exclude that domain from the scanning of attachments policy until they get the thing fixed.

  • Anonymous commented  ·   ·  Flag as inappropriate

    An absolute need - we have had at least two time periods where scans were taking over an hour!

  • Colt Albrecht commented  ·   ·  Flag as inappropriate

    Yes, I am having customers complain about their scan to emails taking 5min or more depending on pages they scan in due to this. Please add white-list option or method.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a urgently needed feature. Users would rather disable the attachment scan, just because we cannot whitelist the internal scanner email address.

  • J commented  ·   ·  Flag as inappropriate

    Yes, users are confused when scanned files take long to arrive. Should be possible to whitelist user or user & ip combination.

  • Jonathan commented  ·   ·  Flag as inappropriate

    Agreed. This is urgently needed. Expecting all emails from an internal scanners email address to be scanned using safe attachments is disappointing. There needs to be an option to add an exception or whitelist for specific addresses/domains.

Feedback and Knowledge Base