Skip to main content

Advance Threat protection - Safe Attachment

While Showcasing the ATP features to a client in a POC i noticed the following.

 ATP - Safe Attachment rule is set as Replace - Block bad attachment and continue to deliver the mail. However the Mail is not delivered it is deleted completely.
Solution 

 Go to Exchange Admin Center > Protection > Malware Filter


By default the Malware Policy is set to delete the entire mail if something is found as malware in the mail or attachment.

 Edit your Default policy.

1. Change the Default Setting to - Delete attachment and use default alert text or Custom Alert "depending on your requirement. In my case i had kept as default alert text.



2. You can also customize the Notification too. 
3. You can also set the settings so that it will notifies the sender and sender for the undelivered of the Mail.



4. A notification about the same can be sent to the Admins too, you can use default or costume alert type too. (This will send a intimation to the admin that a user"XXX" had been sent a Bad mail. 

Sample - notification mail to Admin.




After Making the changes i had sent a test mail and it was delivered with a notification. The Attachment was removed but the mail contents were as it is.

1. First did a message trace.



 2. Checked the recipient inbox. The mail was delivered without the attachment, instead there was a text file attached with the information that the attachment was removed as it was marked as Malware.


  




Comments

Post a Comment

Popular posts from this blog

Error - QuarantinedAttributeValueMustBeUnique

Case History. 1. Client already had users created in office 365 2. Client wanted to setup SSO for office 365 users Approach for requirement fullfilment   1. Deployed and configured Azure AD connect      95% users were synced and soft match was successfully done  5% users were getting error - QuarantinedAttributeValueMustBeUnique  (to view the sync issues -  https://aad.portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/SyncErros )  When we checked 2 users were found under Active users  1. one in Cloud (this was created earlier/ already existed ) with active licenses and Mailbox 2. one unlicensed synced with AD Solution - 1. Delete the unwanted user in Azure or AD as per this document.  https://blogs.msdn.microsoft.com/hkong/2017/03/23/how-to-fix-attributevaluemustbeunique-error-message-when-trying-to-sync-an-object-from-on-premises-active-directory-to-office-365/ ...
Post a Comment
Read more

Error - AttributeValueMustBeUnique in Azure AD connect sync

My customer had already created accounts in office 365 and managing them in Azure, however due to some changes in business they wanted to sync AD with Azure to sync Password and Manage Identity form AD. Solution - Deploy Azure AD connect on ADDC, and post that it will do a Soft Match. However there were error with some users, their identities did not sync and their status still reflected as Azure AD. Error -  Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:user@domain.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values. Tracking Id: b8367c95-ae67-46e1-xxxx-xxxxxxxxxx ExtraErrorDetails: [{"Key":"ObjectId","Value":["cd088468-bb6a-4...
4 comments
Read more

Microsoft office 365 product shows as not activated after few days.

Solution Opened CMD Navigated to Path - cd C:\Program Files (x86)\Microsoft Office\Office16\14\15 To view the installed product key, execute cscript ospp.vbs /dstatus To uninstall an installed product key, execute cscript ospp.vbs /unpkey:XXXXX Replace the XXXXX with the last five character of the currently installed product key (found in step 3). Last 5 digits only To activate Office with the new product key, execute cscript ospp.vbs /act
2 comments
Read more