Synopsis:
Attachment-type phishing campaigns are opened by Advanced Threat Protection in Office 365 when they are sent to users, and the result is reflected in the campaign stats before the user even gets the message. This causes the portal to display wrong information.
Cause:
When Safe Attachments, which is part of Office 365 Advanced Threat Protection, is enabled, all incoming phishing campaigns with attachments will show as opened in the SA portal just 15 seconds after the campaign is sent out.
Solution:
Before going to the solution, here is the exact behavior that we are seeing.
When you send the phishing campaign, wait about 15 seconds. In the security awareness dashboard, under the campaign name > Users, the campaign message is then displayed as opened, and the IP address shown is an Office 365 IP address. This confirms that the message was opened in Office 365 and not by the user; otherwise it would show the user's IP address.
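The two signals described above (an open about 15 seconds after sending, from an Office 365 IP address instead of the user's) can be checked against exported campaign data. The following Python script is an added example, not part of the portal or of the original article; the CSV column names, the 60-second threshold and the placeholder IP range are assumptions.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Placeholder range (RFC 5737 documentation space), NOT a real Microsoft range.
# Assumption: replace with the Office 365 ranges that Microsoft publishes.
SCANNER_NETWORKS = [ip_network("192.0.2.0/24")]
# Assumption: opens this soon after sending count as automated; the article
# observes them about 15 seconds after the campaign goes out.
MAX_SCANNER_DELAY_SECONDS = 60

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """user,sent_at,opened_at,source_ip
alice@example.com,2024-01-10T09:00:00,2024-01-10T09:00:15,192.0.2.44
bob@example.com,2024-01-10T09:00:00,2024-01-10T09:00:14,192.0.2.17
bob@example.com,2024-01-10T09:00:00,2024-01-10T11:32:05,198.51.100.23
carol@example.com,2024-01-10T09:00:00,2024-01-10T09:00:40,198.51.100.80
dave@example.com,2024-01-10T09:00:00,,
"""

def classify_open(row):
    """Return 'not_opened', 'scanner', 'user' or 'review' for one export row."""
    if not row["opened_at"]:
        return "not_opened"
    delay = (datetime.fromisoformat(row["opened_at"])
             - datetime.fromisoformat(row["sent_at"])).total_seconds()
    from_scanner = any(ip_address(row["source_ip"]) in net
                       for net in SCANNER_NETWORKS)
    fast = 0 <= delay <= MAX_SCANNER_DELAY_SECONDS
    if from_scanner and fast:
        return "scanner"   # both signals match the behavior described above
    if not from_scanner and not fast:
        return "user"      # later open from an address outside the scanner ranges
    return "review"        # signals disagree; needs a manual look

def summarize(export_text):
    """Map each user to the set of verdicts seen across their open events."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        result.setdefault(row["user"], set()).add(classify_open(row))
    return result

if __name__ == "__main__":
    for user, verdicts in summarize(SAMPLE_EXPORT).items():
        print(user, sorted(verdicts))
```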
To fix the issue, disable the Safe Attachments defense by following the instructions below:
- Log in to Office 365 with your admin credentials
- Navigate to Policies & rules
- Click on Threat policies
- Then, under Policies, click on Safe Attachments
- Disable Safe Attachments so that incoming messages aren't scanned for malware by Safe Attachments.
1. First, navigate to https://security.microsoft.com/threatpolicy
2. Click on Safe Attachments (figure 1)
3. In the Safe Attachments window, click the name “Standard Preset Security Policy”
4. A Standard Preset Security Policy panel will show on the right; there, click on “View Preset Security policies” (figure 2)
5. Under Standard Protection, switch the toggle to Disable (figure 3)
Figure 1:
Figure 2:
Figure 3:
6. Resend your phishing campaign by clicking on the Duplicate button