Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Advanced Threat Protection Whitelist

Current Advanced Threat Protection (ATP) scans all non-standard attachments sent, even internally sent emails. This means it could take 30min to receive the a PDF file or scan the from the person in the office next to you. We need a way to create a white-lists and or transport rules for ATP in the same way their is for the spam filter. Either that or speed up the ATP process so it doesn't take so long.

213 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
You have left! (?) (thinking…)
Caleb shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

Please understand that ATP feature is actually detonating the attachment in a sandbox. As such, we believe that the protections offered by ATP are worth a few extra minutes. We believe that the worst performance issues with ATP are understood and are being addressed. That said, we also now have more features that will allow you the flexibility to decide what to do when it takes longer than you’d like. The documentation is still being updated, but you can check out the session from Ignite here:
https://myignite.microsoft.com/videos/1339. There are several other sessions on this topic as well.

For the ultimate in flexibility, you may also consider creating an Exchange Transport Rule that adds the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1 under certain criteria. This will essentially disable ATP safe attachment scanning for rules which meet the criteria.

For safe links, the header is X-MS-Exchange-Organization-SkipSafeLinksProcessing.

59 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
  • me commented  ·   ·  Flag as inappropriate

    Another vote for white list.. All the other competitors have this feature.. step up and make it

  • Caleb commented  ·   ·  Flag as inappropriate

    This isn't a user friendly solution, but it's not a workaround. It does resolve the issue. I agree that a user friendly white-list should be implemented in addition to this solution.

  • Craig commented  ·   ·  Flag as inappropriate

    Honestly I consider the "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" a work around which did not address the issue. A "white-list would but it appears you are not planning on doing thsi?

  • Michael Uribe commented  ·   ·  Flag as inappropriate

    So it marks this issue as addressed but there is still no Whitelist availalbe. Also I see no documentation that was mentioned in the addressing post. This is still a glaring issue for our organization when it comes to ATP.

  • Caleb commented  ·   ·  Flag as inappropriate

    Thanks for the comment. I read the other posts just after I posted. I didn't realize we could delete comments now. I would have done so if I knew that was an option. thanks again, I'm glad to see the positive answer to this question.

  • Caleb commented  ·   ·  Flag as inappropriate

    Can malicious senders outside our organization add the header "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" with a value of 1 to their emails and effectively bypass the safe attachment processing?

  • Ulrich Bernskov commented  ·   ·  Flag as inappropriate

    Dear Sirs.
    Why is something as trivial as whitelisting not an option.
    Just like SPAM handling?

    I have tried the X-MS headerinjection and that made no difference. It still takes 5-15 minutes.

  • Mauro commented  ·   ·  Flag as inappropriate

    With regards to X-MS-Exchange-Organization-SkipSafeAttachmentProcessing, two questions:
    - is there a mechanism to prevent malicious senders to inject the header from outside the organizazion in certain emails?
    - is there a similar header to disable safe links processing (which, in turn, is very limited in therms of configuration)?

  • Anonymous commented  ·   ·  Flag as inappropriate

    I agree with the rest of the comments here, this needs improved granularity on the filtering, whether whitelist by email address or IP address for likes of multi function printer/scanners.

    This needs to be sorted and quickly to make ATP a sensible user application especially in that its is an additional bolt on subscription.

  • Austin commented  ·   ·  Flag as inappropriate

    I am SO GLAD that we are not alone in having this issue. We too resist a workaround that may compromise the security service that we are paying to have. An ATP sender white list would address this completely. Unfortunately, I get the impression from support that there is not an ATP team who we can take this to.

  • Caleb commented  ·   ·  Flag as inappropriate

    Very interesting comment Brad Busch. Microsoft, can you please address Brad's comment? The only thing I can think of that an admin can do at this point is to create a rule that has a higher priority then the rule suggested that says, reject any email that has this header.

  • Brad Busch commented  ·   ·  Flag as inappropriate

    So, essentially, now anybody (hacker, scammer, etc...) can inject this header and bypass the protection?

  • cdodgela commented  ·   ·  Flag as inappropriate

    The work around takes care of the "problem" for me. All internal emails are covered in my transport rule.

  • Ivan H commented  ·   ·  Flag as inappropriate

    Good work-a-round, however this scenario is not officially supported by Office 365.
    So, still waiting for a supported solution form Microsoft! (September 2016)

  • Saikanth commented  ·   ·  Flag as inappropriate

    To bypass ATP based on senders kindly create below transport rule. You can scope the transport rule as per your requirement either based on sender/recipient/domain/type of attachment etc and it works as expected.

    BYPASS ATP Rule
    ================
    If the message...
    Is received from 'xxxxx@gmail.com'
    Do the following...
    Set audit severity level to 'High'
    and set message header 'X-MS-Exchange-Organization-SkipSafeattachmentProcessing' with the value '1 '
    and Stop processing more rules

  • Caleb commented  ·   ·  Flag as inappropriate

    thank you for creating a way to bypass this filter with mail rules. This is extremely helpful. After I implemented this our users would stop by my office and say, I get scans way faster now! Thank you sooo much! They rejoiced!

    That said, when dealing with external clients and on tight deadlines or on a conference call, the 5/10min delay is still very noticeable. Please continue to speed this process up.

Feedback and Knowledge Base