How dynamic delivery works and why you sometimes have to wait for attachments

MVP

Microsoft introduced the Safe Attachments feature as part of its Advanced Threat Protection (ATP) offering in 2015. ATP is an option for Exchange Online Protection (EOP). It is included in the Office 365 E5 plan and can be licensed as an add-on for $2/user per month for other Office 365 plans. Now Safe Attachments can handle dynamic delivery and the improvement is noticeable.

https://www.petri.com/atp-dynamic-delivery-works

15 Replies
I have been using this for some weeks and yeap, since this kind of delay between when you receive the e-mail and when you are finally able to open the attachments that are included...is there any Official information about analysis time required for e-mail attachments?

The answer is "it depends". Clearly, the volume of inbound traffic containing attachments that might need to be checked and the number of user accounts configured for this level of protection are contributory factors that might slow delivery. My practical assessment is that the delay ranges from a minute to three or four, depending on the time of day. Most of the time, it is around two minutes.

This has been our experience as well.

We've first tied "dynamic delivery", but I've reverted to "replace" because of user feedback. Current irritations with dynamic delivery are:

  • multiple push notifications on mobile devices
    • first time the new message (without the real attachment)
    • second time the same message, possibily already read by the user (but with the real attachments)
  • Users forwarding emails with the "ATP scan in progress" attachment placeholder (before the real attachment is delivered) and the receiving users complaining that the ATP Scan is taking "forever" (as in days), when in fact there is not ATP Scan at all
    • this is interesting and might warrant some further investigation, because forwarded messages with the "ATP Scan in Progress" attachments DO NOT get scanned with ATP, which can be observed with Message Trace, while the same message with the real attachment does get scanned (as is should be). It would be interesting to know how the differentiation is being made by ATP. Hopefully not by message subject :)
  • PDF scans by MFP devices being scanned by ATP. 
    • circumvented this by modifying the header. 
    • I know this kind of defeats the purpose but, how likely is it that a scanned PDF is malicious?
Very funny the "taking forever" comment :-). My experience so far with the dynamic delivery is aligned with Tony's comments and so far is working great...my corporate users have not complained about the feature
of course it is not "forever" and just typical user complaints with their generalization of issues :D

how likely is it that a scanned PDF is malicious?

 

Malicious URL within the PDF.  ATP does not detect this all the time even with "Use safe attachements to scan downloadable content" is enabled.  We had a few make it past with a link directly to malicious files in them.

I see internal documents even with the transport rule in place taking 40 mins for a 10 page document.  Little hard to tell a users to wait 40 min to open the document.  Sending the users to web interface to have to relogin every time is cumbersome and then there is no review just blank screen.  Microsoft has put little if any development into this product, to make it more administratively friendly, their answer is go outside the application to control product thru transport rules.

I don't see - and have never experienced - a 40 minute wait for attachments. Two minutes is about all I ever see, and it is pretty consistent. The wait is most obvious with mobile clients as you get notification for the original message and then another when the attachment is ready. But I do not see those extended delays that you report.

The dual notification is the main reason I've reverted to "Replace" instead of "Dynamic". It's actually quite annoying.

Delays more in the area of minutes, but never excessive. Dual notification is indeed annoying - most users I talk to also prefer waiting bit (Replace) more rather than having 2 notifications (Dynamic) and having to wait for the 2nd one as they usually need the attachment.

@Tony Redmond Thanks for the info share.

 

I was a bit curious about something.

 

Why would I need to enable ATP safe attachment if I already have a malware filter in place?

Because Malware filters don't always catch new malware.

@Ivan Unger - Hi Ivan. Are you able to share how you were able to bypass ATP Safe Attachments for documents being scanned by the MFPs. I have a requirement this. Much appreciated.

See these instructions

https://blogs.technet.microsoft.com/office365labs/2017/03/20/eo-atp-considerations-reports-demonstra...

basically utilize X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to value of 1