Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

ATP Attachments and Mail Rules

Iron Contributor

Tried to do a search to see if this has been discussed before, but did not find any.  

When you receive an email with an attachment and have ATP Attachment Scanning with Dynamic Delivery turned on, is there a way in Outlook client mail rules to determine if the mail is currently being scanned so you can add exceptions to the rules?  I am hoping that the stub that it puts in "ATP Scanning In Process" (or something like that) can be found in the header of the message so I can have a rule that says:

If recipient is xyz@domain.com

then forward to: abc@domain.com

except if message header "X-Attachment" is "ATP Scanning In Progress"

6 Replies

I guess you can create a rule that checks for the default "Your attachments are being scanned..." text

 

Pay attention to the list of unsupported scenarios though: https://docs.microsoft.com/en-us/office365/securitycompliance/dynamic-delivery-and-previewing#are-th...

I only see that text in the stub of the attachment and not the subject or body.  Is the attachment considered body?  Or is there header information that has that information?  If header, which one?

No, that's my bad. I was referring to the "run a script" action that allowed us to perform additional inspection/actions, but the fact that this option hasn't been available for few years now skipped my mind. So the only possible way would be to check for the presence of the "placeholder" filename ("atp scan in progress.msg").

There is no mail rule that allows you to specify an attachment name.  You can look for the presence of an attachment and the size and things like that, but I do not see any rule that states the name of the attachment.  

I sent myself an attachment and saved off the before scan and after scan.  The message headers of both are identical without any mention of an attachment.

You're absolutely right, guess I should stop living in the past (or at least check the actual functionality before replying). And I'm out of ideas on the subject, let us know if you figure something out.

No worries.  Sometimes it is fun to live in the past!  Remembering when things worked correctly.. <smile>

Has anyone been able to create a rule or have a way that the email would not be acted upon until after the scanning has completed?