Bypass ATP Attachment Processing

Created by Abderrahim Ibnou el kadi, Modified on Mon, 15 Aug, 2022 at 3:58 PM by Yves Lacombe

PROBLEM

All the phishing messages sent to the users are containing file attachments show as being opened.



CAUSE


Office 365's Advanced Threat Protection for file attachments is actually opening the files for deep inspection.  When the files are opened, a linked image is accessed within the file to an external website run by proofpoint which triggers the "opened" flag on the proofpoint side.



FIX

You need to create a mail flow rule to bypass ATP attachment checking.

  1. Create a new mail flow rule in your Exchange admin center
  2. Give the rule a name (i.e. Bypass Link Checking)
  3. Click more options
  4. Apply this rule if 
    1. A message header includes "Received" header includes values ...
    2. Put in the IP addresses belonging to proofpoint for security awereness delivery servers.
  5. Set the message header: X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to the value: 1
    AND  set the spam confidence (SCL) to Bypass spam filtering
  6. Save your new rule