Feb 15 2018 06:48 AM
ATP AntiPhish looks very interesting and is something that customers are looking for. I have used my O365 lab tenant and have set up ATP antiphishing in it, but I am still able to use an open relay in Sweden to fake an internal sender although both the sender and recipient are listed as protected users in the policy. For sure the email is marked as spam with the fraud-hint and goes to the junk folder, but this has been the case for a long time.
I simply cannot seem to “trigger” the ATP antiphishing response (which in my case is to send the mail to a dedicated shared phishing mailbox). What could be a more obvious impersonation attempt than using an open relay which is not in the SPF record to send a mail from AdamTheCEO@test.se to JulieTheCFO@test.se with a mail saying to pay XXX amount of money? I use PowerShell Send-MailMessage for this from my home PC, using a public open relay server to mimic an imposter attack, and however I try, I cannot seem to trigger the ATP phish response.
The Technet articles say that 30 minutes should be allowed for the settings to propagate. I left it overnight but still no cigar.
Also, I don’t feel that the settings I make actually “stick”. When I reconfigure a policy, it simply ignores the changes? Either I do something wrong or the feature is not yet ready for prime time? I even had a support case open with Microsoft yesterday, and he said it all looked like it was set up right, so I am at a loss here.
We really want to use this, but we need to be able to show the customers how it works and THAT it works. What am I doing wrong, or do I misunderstand the feature?
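A scripted version of the test the post describes, together with the two checks worth running before blaming propagation delay: is the policy configured the way you think, and is its rule actually scoped to the recipient? This is an added example, not the poster's script and not anything published by Microsoft. The relay hostname, the policy name "CEO-Protection" and the assumption that an Exchange Online PowerShell session is already open are mine; the cmdlets, their parameters and the X-Forefront-Antispam-Report category values are Exchange Online Protection's own.

```powershell
# Added example (hypothetical relay and policy name). Requires an open
# Exchange Online PowerShell session for steps 2 and 3.

# 1. Send the impersonation test through a relay that is not in test.se's
#    SPF record. $Relay is a placeholder: use only a host you are authorised
#    to relay through. A GUID in the subject makes the message easy to find.
$Relay  = 'relay.example.net'            # assumption, replace
$testId = [guid]::NewGuid().ToString()

Send-MailMessage -SmtpServer $Relay -Port 25 `
    -From    'AdamTheCEO@test.se' `
    -To      'JulieTheCFO@test.se' `
    -Subject "Urgent wire transfer $testId" `
    -Body    "Julie, please pay the attached invoice today. /Adam"

# 2. Read the policy back from the service instead of trusting the portal.
#    Protected users must be listed as "Display Name;address" pairs, and the
#    action has to be something other than NoAction for anything to happen.
$policy = Get-AntiPhishPolicy -Identity 'CEO-Protection'   # hypothetical name
$policy | Select-Object Enabled, EnableTargetedUserProtection,
                        TargetedUsersToProtect, TargetedUserProtectionAction,
                        TargetedUserActionRecipients, EnableMailboxIntelligence

#    A policy does nothing unless an enabled rule binds it to recipients.
#    If SentTo / RecipientDomainIs do not cover JulieTheCFO@test.se, the
#    default policy handles the message, not this one.
Get-AntiPhishRule | Where-Object AntiPhishPolicy -eq $policy.Name |
    Select-Object Name, State, Priority, SentTo, RecipientDomainIs

# 3. Locate the test message and see where EOP delivered it. Status tells you
#    delivered vs. quarantined; the X-Forefront-Antispam-Report header on the
#    delivered copy carries the verdict (CAT:PHSH = phish, CAT:SPM = spam).
Get-MessageTrace -SenderAddress    'AdamTheCEO@test.se' `
                 -RecipientAddress 'JulieTheCFO@test.se' `
                 -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Where-Object Subject -like "*$testId*" |
    Select-Object Received, Subject, Status
```

If step 2 shows the change you made in the portal has not come back from Get-AntiPhishPolicy, that is a propagation or save problem; if it has, and the rule scope is right, the next thing to compare is the CAT: value on the junked copy against the action the policy should have taken.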
Feb 19 2018 02:36 AM
Well, the feature is still rolling out, and I've also spotted some irregularities with it. But they were gone the next morning, so I'd advise you to just wait a bit.
As for testing and in general troubleshooting the new feature, it's best to contact support. No one on these forums knows what exactly the feature does behind the scenes, and I doubt Microsoft will want to publish too much information on it, as it can potentially allow the bad folks to bypass it.