This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

O365 ATP is still marking attachments as opened, even after adding the exceptions suggested in the KB

Hi,

Even after following the KBs:

 https://support.sophos.com/support/s/article/KB-000039921?language=en_US

 and

https://support.sophos.com/support/s/article/KB-000037983?language=en_US

We are having false positives; the ATP is detonating the attachments. Is anyone having the same issue?

Thank you



  • I had a case open with Microsoft and they worked with me for weeks attempting to solve a couple of issues. Phish Threat has 30 domains that need to be bypassed; Microsoft limits the Advanced Delivery bypass feature to 20 domains. When I inquired about increasing that, they recommended using the DKIM domain. I tested this and had mixed results. I'd recommend the community continue to open support cases with Microsoft asking for an increase in the 20-domain limit.

    Hello Tommy,

    I'll follow up to see if there's any additional assistance we can provide with the Microsoft 365 issue. As a recap, we performed the following in troubleshooting the problem:

     

    Troubleshooting/actions Completed:  

    • Recommended using the DKIM domain in Phishing Simulations to work around the 20 domain limit:

     Mastering Configuration in Defender for Office 365 - Part Two

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-two/ba-p/2307134

    • "We're adding support for DomainKeys Identified Mail (DKIM) domains to our advanced delivery feature, enabling administrators to use DKIM domains in addition to sending domains to configure their third-party phishing simulations."
      Microsoft 365 Roadmap | Microsoft 365
    • As noted in a couple of the above comments, we are adding one additional secure option for phishing simulation vendors - the ability to specify a DKIM domain. This is targeted to roll out in September (Please see M365 Roadmap item: Feature ID 82083).
    • In order for this option to work, the phishing simulation vendor will need to implement DKIM domain in their phishing simulation offerings to customers.
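
One way to check whether the DKIM-domain workaround discussed above can fit under the 20-domain limit is to count the distinct `d=` domains that sample simulation messages are signed with. This is an added example, not code from the thread, Sophos or Microsoft; the domains and messages are constructed, and treating `Return-Path` as the sending domain is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

DOMAIN_LIMIT = 20  # Advanced Delivery limit quoted in the thread


def dkim_domains(msg):
    """Return the d= tag of each DKIM-Signature header in a parsed message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = " ".join(str(value).split())  # undo header folding
        for part in unfolded.split(";"):
            name, sep, val = part.partition("=")
            if sep and name.strip() == "d" and val.strip():
                found.append(val.strip().lower())
    return found


def plan_entries(raw_messages, limit=DOMAIN_LIMIT):
    """Count the entries needed when DKIM domains replace sending domains."""
    sending, signing, unsigned = set(), set(), set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Assumption: Return-Path stands in for the sending (MAIL FROM) domain.
        sender = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
        sending.add(sender)
        signed_by = dkim_domains(msg)
        signing.update(signed_by)
        if not signed_by:
            unsigned.add(sender)  # no DKIM domain exists to list for this sender
    needed = len(signing) + len(unsigned)
    return {"sending": len(sending), "dkim": sorted(signing),
            "unsigned": sorted(unsigned), "entries_needed": needed,
            "fits": needed <= limit}


def sample_messages():
    """Constructed sample: 30 hypothetical sending domains, 2 DKIM domains."""
    out = []
    for i in range(1, 31):
        sig = ""
        if i != 30:  # the last sender is deliberately left unsigned
            d = "sim-a.example" if i % 2 else "sim-b.example"
            sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
                   f"\td={d}; s=sel1; h=from:subject;\r\n\tbh=AAAA; b=BBBB\r\n")
        out.append(f"Return-Path: <bounce@send{i:02d}.example>\r\n{sig}"
                   f"From: it@send{i:02d}.example\r\nSubject: test\r\n\r\nbody\r\n")
    return out
```

Senders reported under `unsigned` have no DKIM domain to list, so they would still each need a sending-domain entry.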