Prevent link or attachment detonation in Office365

Created by Yves Lacombe, Modified on Wed, 22 May 2024 at 10:03 AM by Yves Lacombe

Problem: You receive quarantine digests or attachments through Proofpoint, but they are still being detonated (i.e., clicked/opened) by Office365.

Side effect: With some phishing simulation tools, this can cause the simulations to register as "clicked", which creates a "failed phishing sim" false positive in the simulation tool. This can happen even if you pushed out ATP Link and Attachment bypass rules or identified the URLs in the phishing simulation section of Advanced Delivery.

Issue: For some unknown reason, Microsoft ignores all forms of whitelisting, and the behavior seems to be random or unexplainable.

Solution: Consider this the last-ditch solution if all else fails (i.e., ATP allow rules + Advanced Delivery phishing sim allow).

Go to Office365 -> admin -> Select Security

This will bring you to the Defender page.

Select Submission

Then, click on submission

Enter the URL to prevent the link detonation on:

Complete the submission. The link should then be left alone for 30 days.

You may need to repeat this one or two times, but at some point the trust will "stick".