Bypass ATP Link Processing

Created by Abderrahim Ibnou el kadi, Modified on Mon, 15 Aug, 2022 at 3:57 PM by Yves Lacombe

PROBLEM

All the phishing messages sent to the users are showing as being clicked and/or opened in Security Awareness.


Example:





CAUSE


Office 365's Advanced Threat Protection for links clicks the links inside the messages to check whether they are dangerous. The problem is that this makes Proofpoint think that the links were clicked and the messages were opened, so everybody is marked as having failed the test. You can tell this is happening by looking at the originating IPs the clicks are coming from. In the highlighted column on the right side of the screenshot, doing an IP whois on them shows they are all Microsoft IP addresses.



FIX

You need to create a mail flow rule to bypass ATP link checking.

Below are the steps to set up a mail flow rule to bypass ATP link checking:

  1. Create a new mail flow rule in your Exchange admin center
  2. Give the rule a name (e.g. Bypass Link Checking)
  3. Click more options
  4. Apply this rule if 
    1. A message header includes: the "Received" header includes values ...
    2. Put in the IP addresses belonging to the Proofpoint Security Awareness delivery servers.
  5. Set the message header: X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
    AND  set the spam confidence (SCL) to Bypass spam filtering
  6. Save your new rule
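
The same rule can also be created from Exchange Online PowerShell. This is an added example, not part of the original article or a Proofpoint or Microsoft script; the IP addresses are placeholders from the 192.0.2.0/24 documentation range and must be replaced with the Proofpoint Security Awareness delivery server addresses for your deployment.

```powershell
# Added example: create (or update) the mail flow rule described in the steps above.
# Assumes the ExchangeOnlineManagement module is installed and the account
# running it can manage mail flow (transport) rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'Bypass Link Checking'

# PLACEHOLDERS (192.0.2.0/24 is a documentation range, not real servers).
# Replace with the Proofpoint Security Awareness delivery server IPs.
$deliveryIps = @('192.0.2.10', '192.0.2.11')

# Condition: the "Received" header includes one of the delivery server IPs.
# Actions: set the skip-Safe-Links header to 1 and set SCL to -1 (bypass spam filtering).
$ruleSettings = @{
    HeaderContainsMessageHeader = 'Received'
    HeaderContainsWords         = $deliveryIps
    SetHeaderName               = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    SetHeaderValue              = '1'
    SetSCL                      = -1
}

# Look the rule up by name so that re-running the script updates it
# instead of failing on a duplicate name.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }

if ($existing) {
    Set-TransportRule -Identity $ruleName @ruleSettings
} else {
    New-TransportRule -Name $ruleName @ruleSettings
}

# Show what was saved so the condition and actions can be reviewed.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, HeaderContainsMessageHeader,
                HeaderContainsWords, SetHeaderName, SetHeaderValue, SetSCL
```

Any message whose "Received" header matches one of the listed values skips both Safe Links processing and spam filtering, so keep the list limited to the simulation delivery servers and review it when those addresses change.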