Safe Attachments is like Safe Links in that it is implemented at the end of the EOP mail processing flow, after the other protection mechanisms have already been applied. Now there’s a good reason for having it here. Lots of threats will be blocked by connection filtering and malware filtering, which uses signature-based detection, and those are relatively low-resource protection mechanisms. There’s still obviously some processing involved, but not to the same degree as what ATP Safe Attachments does. So in comes an email with a file attachment. Let’s assume that the file is a new zero-day attack, something nasty, but never seen before. It manages to get past all of the other EOP protection measures, because it’s coming from a clean IP address, it uses brand new malware code that the antivirus engines don’t recognize yet, and it hasn’t got any spammy-looking content in the email itself. When you have Safe Attachment policies in place, the email attachment is placed into a sandbox environment, basically a virtual machine that has been spun up to analyze the behavior of the file attachment. The attachment is then run, or detonated as they like to say, and its behavior is observed. Of course, a harmless Word document is not going to do anything suspicious, right? Whereas malware is going to do some very suspicious things, like try to read or write the registry of the computer, or try to reach out to the internet and download a further malicious payload from a command and control server, or start scanning the system for files to encrypt and hold hostage from the user, or try to add a startup process that will run a keylogger to steal passwords. Those are all examples of suspicious behavior. So ATP is going to see that type of behavior and consider the file malicious, even if it’s never seen that file or that malicious code before.
This is the value of ATP: it’s behavior based, not signature based, so it has a good chance of detecting previously unseen malware. Now that processing is going to take some time. That means the email is going to be delayed, and in the real world Microsoft says that the delay could be anywhere from 2 to 15 minutes, but it’s more likely to be on the lower side of that range. Any delay is undesirable, so ATP gives us a few options for how to deal with the scanning of attachments.
- OFF –> This option will not scan attachments for malware and there will be no delay in message delivery. You will usually turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known-good attachments. This will prevent unnecessary delays in routing internal mail. Use this option only for a small group of internal senders.
- MONITOR –> We can simply monitor malware and let it through even if malware is detected by Safe Attachments. Even if it sounds crazy, we can use this option to track where detected malware goes in the organization.
- BLOCK –> We can block the entire message. The recipient will never see it, so they’re unaware that a message was inbound, that it was held for scanning by Safe Attachments, and that it was then found to contain malware. This option will block future messages and attachments automatically, and it will send messages with detected malware to quarantine in Office 365, where you can review and release (or delete) those messages.
- REPLACE –> We can replace the malware with a TXT file that explains to the user what happened, so they still get the message, just not the attachment.
- DYNAMIC DELIVERY –> You can enable Dynamic Delivery, which is what Microsoft has developed to try and resolve the perception, or the real problems, of a delay while Safe Attachments scanning is happening. When Dynamic Delivery is chosen, the message is delivered without its attachment, and a placeholder file is attached instead, which explains to the user what is happening. If the file is a PDF or an Office document, the user can preview the file by clicking on the placeholder in their email. The preview file is sandboxed, so it’s not going to run any malicious code such as macros. This is so the user can see that important Excel spreadsheet, or whatever, immediately, perhaps while they’re on the phone discussing it, and while they wait for the full ATP processing to finish. If the file is safe, the message gets replaced in the inbox with the fully intact file attachment. If it’s not safe, then it’s quarantined instead, and only an administrator can get to that suspected file.
- ENABLE REDIRECT –> This option applies when you select one of the Monitor, Block, or Replace options. If you enable it, detected attachments are sent to a specified email address where you can investigate them.
ATP NOT ONLY FOR EMAIL MESSAGES
ATP Safe Attachments is not just for protecting against email attacks. ATP also applies Safe Attachments sandboxing and analysis to files in SharePoint, OneDrive, and Microsoft Teams, so that users are protected from malicious files in those applications as well.
Why are those applications included?
Well, it would be nice to think that attackers can only send us malicious files via email, and that our SharePoint libraries are safe, but that’s simply not the reality that we’re dealing with today. An attacker who manages to compromise a user account or a computer in your organization could very well upload malicious files to SharePoint, or replace existing files, and then send a sharing link to others in your organization to try and trick them into opening it. So we need that protection as well.
Let’s go ahead and configure a Safe Attachments policy.
ATP Safe Attachments is configured from the Security and Compliance Center –> Threat Management –> Policy –> ATP Safe Attachments.
We’re looking at two parts to this Safe Attachments configuration. The first is organization wide. This is where we can turn on ATP Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. This is a single checkbox and applies to everyone in the organization. So to start with, I’ll turn that on.
Next are the Safe Attachment policies for email. If you’ve already read my previous post about Safe Links, you’ll remember that policies can be scoped, or applied, to specific recipients. The same is true for Safe Attachment policies. We can have multiple policies if we so choose, and we can have them scoped to different recipients. To create a new policy, click on the + sign.
The policy names themselves aren’t really all that important; just give it a meaningful name that makes sense to you. If you have multiple policies, you might want to work out some sort of naming convention so that you understand what each policy does.
Now we need to decide what to do with what ATP calls unknown malware. Remember, this is malicious code that has made it past all of the other EOP protection layers, but when ATP detonates it in the sandbox and looks at the attachment’s behavior, it sees something suspicious, so it considers it malware. It’s likely to be previously unknown malware that hasn’t got a specific virus or attack name yet.
I will select Dynamic Delivery. Dynamic Delivery is the option that allows the message to be delivered immediately and just holds back the attachment for scanning. The catch is that this only works for Exchange Online mailboxes. If you’re using EOP to protect on-premises Exchange, or you’ve got a hybrid deployment with some on-premises mailboxes, Dynamic Delivery can’t work the same way, because it can’t re-inject the message into the mailbox after ATP scanning has completed. So we’ll just use the Replace option for on-premises mailboxes instead.
If you’d like, you can redirect attachments that ATP thinks are malicious and send them to another email address. The other reason to turn it on is if you’re enabling the next option (Apply the above selection if malware scanning for attachments times out or error occurs), which controls what happens if the analysis times out before a decision has been made about the safety of the attachment. I recommend leaving this option enabled. You don’t want malware getting let through to mailboxes just because ATP is chewing on it for too long and hasn’t worked out what it is yet. But there’s a risk of email being lost if it’s rejected because of a timeout, whether or not it’s actually malicious. So that’s where the redirect option will save you from potential data loss.
Final section, who will the policy apply to?
You’ll notice when you click Save that a warning appears about the use of Dynamic Delivery when there are on-premises mailboxes in the organization.
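The same configuration as the portal steps above (the organization-wide SharePoint/OneDrive/Teams switch, a Dynamic Delivery policy for cloud mailboxes, a Replace policy for on-premises mailboxes, redirect and the timeout action, and the recipient scoping), as an added example using Exchange Online PowerShell; it is not from the original post. It assumes the ExchangeOnlineManagement module is installed, and the policy names, group addresses and redirect mailbox are placeholders to replace with your own. Note that the portal’s Monitor option corresponds to `-Action Allow` in PowerShell.

```powershell
# Added example: Exchange Online PowerShell equivalent of the portal steps.
# Placeholder values: policy/rule names, the secops-review mailbox and the
# two distribution groups are assumptions, not values from the post.
Connect-ExchangeOnline

# Organization-wide part: Safe Attachments for SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Cloud mailboxes: Dynamic Delivery, redirect detected attachments to a review
# mailbox, and apply the same action if scanning times out or errors, so an
# attachment never slips through unscanned.
New-SafeAttachmentPolicy -Name "SafeAttach-Cloud" `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress "secops-review@example.com" `
    -ActionOnError $true

# On-premises / hybrid mailboxes: Dynamic Delivery cannot re-inject the
# scanned message, so fall back to Replace (message delivered, attachment
# swapped for the explanatory TXT file).
New-SafeAttachmentPolicy -Name "SafeAttach-OnPrem" `
    -Enable $true `
    -Action Replace `
    -Redirect $true `
    -RedirectAddress "secops-review@example.com" `
    -ActionOnError $true

# Scope each policy to its recipients ("who will the policy apply to").
New-SafeAttachmentRule -Name "SafeAttach-Cloud-Rule" `
    -SafeAttachmentPolicy "SafeAttach-Cloud" `
    -SentToMemberOf "CloudMailboxUsers@example.com"

New-SafeAttachmentRule -Name "SafeAttach-OnPrem-Rule" `
    -SafeAttachmentPolicy "SafeAttach-OnPrem" `
    -SentToMemberOf "OnPremMailboxUsers@example.com"

# Check the result: no policy should be left with Action Allow by accident,
# and ActionOnError should be True on both.
Get-SafeAttachmentPolicy |
    Format-Table Name, Enable, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeAttachmentRule |
    Format-Table Name, SafeAttachmentPolicy, SentToMemberOf, State
```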
Let’s see it in action. When an email with an attachment arrives, we can see the ATP scan placeholder instead of the real attachment. This is Dynamic Delivery in action. If we want to preview the attachment, it’s as simple as clicking through.
After a few seconds, the actual attachment has been redelivered, because ATP has finished scanning the file, determined that it’s safe, and replaced the temporary attachment with the real one. You can see how that user experience is a little bit different. The message, if it had already been read, is now marked as unread again, and any mobile devices might show another new mail notification, but again that’s just a tradeoff between security and user convenience. The alternative would be for the user to have to wait until that ATP scanning is completely finished before they see that email message at all, and that just might not be suitable if they’re trying to discuss that document right then and there.
I hope this has been informative for you.
Great info Nedim. Many thanks for Office 365 security posts and the knowledge sharing.
If anyone else has been struggling with compiling a report to calm down end-users who keep saying that it takes HOURS (!) to receive emails because of ATP scanning, this might be a good link for you!
I took the CSV file and created a Power BI report so it’s a bit easier to understand. Let me know what you think!