365 ATP scanning time

Brass Contributor

I know the time it takes to scan will vary but does it matter if the user keeps the email open that contains the attachment that's being scanned vs closing the email and checking back in 5 minutes or that makes no difference?


Also, can I whitelist or create a rule to have specific domains bypass ATP?

9 Replies

@Paul Storic 


I find most of the time 2-5 minutes and the attachment is available. 


I ended up turning off the setting that delivered the email without the attachment due to complaints from users they couldn't open it.  It seemed like a good idea when I set it up but the users got frustrated. 


Now the email gets delivered once the attachment has been scanned and the only time they notice the delay is with emails from the copier which no longer arrive instantly.


For your second question, try a mail flow rule which sets the message header to X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and the value to 1 and set it to apply under specific conditions such as sender domain.

No, it doesn't matter if you open the email, view it, etc. It's all done on the backend.


And just to add an article detailing the solution @PaulaSillars provided: https://www.undocumented-features.com/2018/05/10/atp-safe-attachments-safe-links-and-anti-phishing-p...

@Vasil Michev Thanks!

I came across the "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" workaround while I was searching but someone said it doesn't work anymore. I guess I'll need to test it out.

Appreciate the tip
Yea that sounds like a good idea. I had someone complain that an attachment took 43 minutes to open yesterday which is a valid complaint. If that continues I'll turn off dynamic delivery as well.

@Paul Storic I have seen that happen once and it seemed to come right on its own after around an hour.   It was shortly after we deployed ATP and I was still working through the configuration process.  I turned off Dynamic Delivery and no more user complaints.



@Vasil Michev Thanks for posting the link with the instructions :) 

@PaulaSillars Which setting do you have it set to so that internal users get the email only after it's been scanned? Replace?



@Paul Storic 


Yes, I am using Replace.  This is my configuration for our tenant.