
Sandboxing (Office 365 ATP) makes attachment phish marked as opened and enabled

Hi,

We are running O365 ATP and we are trialing Phish Threat. Due to the Sandboxing nature of ATP (and any sandbox service really) it marks the campaign emails as 'opened' and 'macro enabled' before it even gets to the user after it is tested in the detonation\sandbox environment.

Any way to avoid these being marked as opened\enabled? Can you ignore the sandbox tests somehow?



  • Hi Jim,

    Thanks for the question. The best way to do this is with ATP safe links and ATP safe attachments policies in Office 365. Read about them here: support.office.com/.../ATP-safe-links-in-Office-365-dd6a1fef-ec4a-4cf4-a25a-bb591c5811e3

    For example, you'll want to set up a rule that sets the message header 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' to '1' for the Phish Threat IPs. It's a similar process for attachments using the message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'.

    Hope this helps. Let me know if you have other questions about Phish Threat.

    Best,

    Scott
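
The rules described in the reply above, written out as Exchange Online PowerShell. This is an added example, not part of the original reply and not Sophos or Microsoft code; it assumes an existing `Connect-ExchangeOnline` session, and the rule names and IP addresses are placeholders.

```powershell
# Added example. Assumes an Exchange Online session is already connected.
# Placeholder addresses (documentation ranges): replace with the sending IPs
# published by the phishing-simulation vendor.
$SimulatorIps = @('192.0.2.10', '198.51.100.0/24')

# Header names are the ones quoted in the reply above; rule names are hypothetical.
$Rules = @(
    @{ Name   = 'PhishSim - skip Safe Links'
       Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' },
    @{ Name   = 'PhishSim - skip Safe Attachments'
       Header = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' }
)

foreach ($r in $Rules) {
    # Condition: sender IP only. Action: stamp the skip header with value 1.
    $params = @{
        SenderIpRanges = $SimulatorIps
        SetHeaderName  = $r.Header
        SetHeaderValue = '1'
        Comments       = 'Scoped to phishing-simulation sender IPs only'
    }

    # Update the rule if it already exists so reruns do not create duplicates.
    if (Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $r.Name @params
    }
    else {
        New-TransportRule -Name $r.Name @params
    }
}

# Review what is actually in place: scope, header and state of each rule.
Get-TransportRule |
    Where-Object { $_.Name -like 'PhishSim - *' } |
    Format-List Name, State, SenderIpRanges, SetHeaderName, SetHeaderValue
```

Because the only condition is the sender IP, every message arriving from those addresses skips Safe Links and Safe Attachments processing, so keep the list limited to the simulator's own IPs and remove the rules when the campaign ends.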

  • Hi Scott,

    I am experiencing this issue in v2 and have logged a support call with Sophos, as I have already applied your advice and this has not made a difference. I never experienced this issue using v1.

    Are there any other updates on this?

    Kind regards

    Kaylie

  • We are also experiencing the same issues. What we see as the problem is that ZAP is actually catching the emails at some point in time once it determines these to be Phish attempts and begins removing them from mailboxes. As MS continues to improve their toolsets to find and remove phishing emails, this will continue to become a problem for all these types of campaigns. As far as options from MS - you can try and turn off ZAP, but the logical question would be why would you want to do that? Only to allow a phish campaign to happen? Are you all working on a solution to keep your tool with the ability to work w/ this new option from MS?