PROBLEM
All phishing messages containing file attachments that are sent to users show as being opened.
CAUSE
Office 365's Advanced Threat Protection (ATP) for file attachments is actually opening the files for deep inspection. When a file is opened, a linked image inside it is fetched from an external website run by Proofpoint, which triggers the "opened" flag on the Proofpoint side.
FIX
You need to create a mail flow rule to bypass ATP attachment checking.
- Create a new mail flow rule in your Exchange admin center
- Give the rule a name (e.g. Bypass Link Checking)
- Click more options
- Apply this rule if
- A message header includes: the "Received" header includes values ...
- Put in the IP addresses belonging to Proofpoint's security awareness delivery servers.
- Set the message header: X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to the value: 1
- AND set the spam confidence level (SCL) to Bypass spam filtering
- Save your new rule
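
The same rule created from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an active Connect-ExchangeOnline session with rights to manage transport rules; the IP addresses are placeholders and must be replaced with the addresses Proofpoint publishes for its security awareness delivery servers.

```powershell
# Added example: run inside an Exchange Online PowerShell session
# (ExchangeOnlineManagement module, Connect-ExchangeOnline already done).

$ruleName = 'Bypass Link Checking'   # rule name used in the steps above

# PLACEHOLDERS (documentation-range addresses), not real Proofpoint IPs.
# Replace with the security awareness delivery server IPs for your tenant.
$proofpointIps = @('192.0.2.10', '192.0.2.11')

$ruleParams = @{
    Name                        = $ruleName
    # Condition: the "Received" header includes any of the listed values
    HeaderContainsMessageHeader = 'Received'
    HeaderContainsWords         = $proofpointIps
    # Action 1: tell ATP to skip Safe Attachments processing
    SetHeaderName               = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
    SetHeaderValue              = '1'
    # Action 2: SCL -1 is "Bypass spam filtering"
    SetSCL                      = -1
}

# Do not create a second rule with the same name if one already exists.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Transport rule '$ruleName' already exists; review it instead of creating a duplicate."
}
else {
    New-TransportRule @ruleParams | Out-Null
}

# Show the condition and actions actually stored on the rule for review.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, HeaderContainsMessageHeader, HeaderContainsWords,
                SetHeaderName, SetHeaderValue, SetSCL
```

Keep the IP list limited to the delivery servers, since every message matching the rule skips both attachment inspection and spam filtering.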