Coping with warning messages from Office 365 Advanced Threat Protection (ATP)

5. February 2020

Some email recipients who subscribe to Microsoft Office 365’s Advanced Threat Protection service, also known as ATP, report encountering a warning message upon clicking Trackable links in email sent from Voodoo accounts.

The email received from Voodoo is delivered and fully viewable by the recipient. However, the recipient encounters a warning when they click a link within the email. (If they choose to bypass the warning message, they can access the linked content without further problems.)

Warnings may be generated by any live link whose source is not recognized by ATP's limited whitelist, or that ATP's algorithm has difficulty deeming “safe” because it includes a relay from one URL to another.

Voodoo’s own online research reveals many complaints regarding ATP malware warnings for links and content that are known and proven to be safe. The warnings seem to be especially common with email and newsletters from any bulk sender, including MailChimp, Constant Contact, Voodoo, etc. Currently Microsoft offers no way to whitelist for ATP malware filtering. (Also, connection rules normally used to whitelist in Exchange have no effect.)

Fortunately, the vast majority of email recipients do NOT have ATP service in place and therefore do not encounter these warnings. Many Office 365 customers complain that being unable to whitelist a domain is a showstopper for “safe attachments” and has led them to drop or disable the ATP service. Because the ATP feature actually “detonates” attachments in a sandbox environment, many customers also complain of lengthy scan times, which delay the receipt and availability of email containing links and attachments that are, in fact, safe.

For the reasons above, many Microsoft customers describe ATP as a beta product and have demanded a fix for the lack of whitelisting options. Nonetheless, we’ve found no evidence that Microsoft is responding to its customers' demands or working on the issue.

If your company uses Office 365 with ATP, you can elect to remove the scanning of links and/or attachments via bypassing ATP rules:

If a client or prospect reports a warning message when clicking links in an email they’ve received from you, we suggest replying with an email stating the following (replacing the word in brackets with your own company name, of course):


Thanks for telling us about the warning message you received when accessing the information we recently shared via email.
 
This type of warning sometimes appears to those who use Microsoft Office 365’s Advanced Threat Protection (ATP) service.

Unfortunately, ATP currently offers no method of whitelisting email links and attachments. Many ATP users report being frustrated about malware warnings for links and attachments that are known and proven to be safe. (The warnings are especially common with email and newsletters from any bulk sender, including MailChimp, Constant Contact, etc.)

Rest assured that any email you receive from [Your Company Name] has been tested and proven to be safe. If you encounter a warning from ATP, you can confidently click through to access the desired content without any further issues or risks.

We appreciate your understanding and thank you for reading and enjoying the content we share with you! 
