Sandboxing (Office 365 ATP) makes attachment phish marked as opened and enabled

Hi Jim,

Thanks for the question. The best way to do this is with ATP safe links and ATP safe attachments policies in Office 365. Read about them here: support.office.com/.../ATP-safe-links-in-Office-365-dd6a1fef-ec4a-4cf4-a25a-bb591c5811e3

For example, you'll want to set up a rule that sets the message header 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' to '1' for the Phish Threat IPs. It's a similar process for attachments using the message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'.

Hope this helps. Let me know if you have other questions about Phish Threat.

Best,

Scott

Hi Scott,

I am experiencing this issue in v2 and have logged a support call with Sophos as I have already applied your advice and this has not made a difference, I never experienced this issue using v1.

Is there any other updates on this?

Kind regards

Kaylie

Hi Scott,

I am experiencing this issue in v2 and have logged a support call with Sophos as I have already applied your advice and this has not made a difference, I never experienced this issue using v1.

Is there any other updates on this?

Kind regards

Kaylie

We are also experiencing the same issues. What we see as the problem is that ZAP is actually catching the emails at some point in time once it determines these to be Phish attempts and begins removing from mailboxes.  As MS continues to improve their toolsets to find and remove phishing emails, this will continue to become a problem for all these types of campaigns. As far as options from MS - you can try and turn of ZAP, but the logical question would be why would you want to do that???? Only to allow a phish campaign to happen? Are you all working on a solution to keep your tool with the ability to work w/ this new option from MS?