
Sandboxing (Office 365 ATP) makes attachment phish marked as opened and enabled

Hi,

 

We are running O365 ATP and we are trialing Phish Threat. Due to the Sandboxing nature of ATP (and any sandbox service really) it marks the campaign emails as 'opened' and 'macro enabled' before it even gets to the user after it is tested in the detonation\sandbox environment.

 

Any way to avoid these being marked as opened\enabled? Can you ignore the sandbox tests somehow?



This thread was automatically locked due to age.
  • Hi Scott,

     

    I am experiencing this issue in v2 and have logged a support call with Sophos, as I have already applied your advice and this has not made a difference. I never experienced this issue using v1.

     

    Are there any other updates on this?

     

    Kind regards

     

    Kaylie

  • We are also experiencing the same issues. What we see as the problem is that ZAP is actually catching the emails at some point in time once it determines these to be phish attempts and begins removing them from mailboxes. As MS continues to improve their toolsets to find and remove phishing emails, this will continue to become a problem for all these types of campaigns. As far as options from MS, you can try and turn off ZAP, but the logical question would be why would you want to do that? Only to allow a phish campaign to happen? Are you all working on a solution to keep your tool with the ability to work w/ this new option from MS?