Forum Discussion
ATP - Safe Attachment Modes fully explained
- Mar 20, 2017
Blocked means the entire message is scrapped, not just the attachment. "Future emails" is a bit dodgy; I guess they mean that once the attachment is stamped as malware, the action applies across the service. Pretty much what's described in this FAQ item:
- How does Advanced Threat Protection treat multiple versions of the same file? Does ATP scan duplicates? For example, if 1,000 users received the same file would ATP detonate all 1,000 messages?
After the first file is scanned, the outcome is applied to other recipients who have received the same file. For example, if File #1 was sent to Employee A and blocked, File #1 will be blocked for all other employees. File #1 will also be blocked by reputation immediately for all other ATP tenants.
Taken from: https://technet.microsoft.com/en-us/library/mt789012(v=exchg.150).aspx
And documentation seems to be non-existent indeed. Flagging some folks on MS side that might be able to help: Jon Orton, Ankur Kothari
- Dobongsoon, Jan 18, 2023, Brass Contributor
Could someone explain why Block is better, or the recommended default, than Dynamic Delivery? The end result sounds the same to me, except that Dynamic Delivery seems like it would work better in an enterprise setting. For example, with Dynamic Delivery, we'll know that Microsoft blocked certain attachments because the user still gets the email, but with Block, we'll never know if an important email in the queue was blocked.
- Antons Bukels, Jan 31, 2023, Brass Contributor
If there is malware attached to an email, it is most likely the email itself is malicious. It is safer not to deliver emails that have malware as an attachment. If you are getting too many false positive detections, it would be worth checking all policies, as there are various changes to the recommended values. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide