ATP AntiPhish looks very interesting and is something that customers are looking for. I have used my O365 lab tenant and have set up ATP antiphishing in it, but I am still able to use an open relay in Sweden to fake an internal sender although both the sender and recipient are listed as protected users in the policy. For sure the email is marked as spam with the fraud-hint and goes to the junk folder, but this has been the case for a long time.

I simply can not seem to “trigger” the ATP antiphishing response (which in my case is to send the mail to a dedicated shared phishing mailbox). What could be a more obvious impersonation attempt than using an open relay which is not in the SPF record to send a mail from AdamTheCEO@test.se to JulieTheCFO@test.se with a mail saying to pay XXX amount of money? I use Powershell Send-Mailmessage for this from my home PC using a public open relay server to mimic an imposter attack and however I try, I can not seem to trigger the ATP phish response?

The Technet articles say that 30 minutes should be allowed to the settings to propagate. I left it overnight but still no cigar..

Also, I don’t feel that the settings I make actually “stick”. When I reconfigure a policy, it simply ignores the changes?? Either I do something wrong or the feature is not yet ready for primetime? I even had a support case open with Microsoft yesterday, and he said it all looked like it was set up right so I am at a loss here..

We really want to use this, but we need to be able to show the customers how it works and THAT it works.. What do I do wrong, or do I misunderstand the feature?