Safe Links and Safe URLs Delay Email Delivery For the Right Reasons

EOP, ATP, and Mail Hygiene Services

Exchange Online Protection (EOP) comes in for criticism because of the amount of spam that gets past its barriers. Companies selling email hygiene services are keen to point out just how horrible EOP is at stopping spam and often issue reports to highlight the issue (or terrify Office 365 administrators). The simple fact is that EOP does a reasonable job of blocking spam, but because of the changing nature of the threat and the way that attackers continually evolve their techniques, EOP will always be vulnerable against a new attack, even with intelligence flowing into Microsoft through user reports about new examples of spam.

Having multiple defenses in place helps because if spam sneaks by the first line, it might be stopped by the second. Because it builds on the foundation of EOP, Microsoft says that Advanced Threat Protection (ATP), which is part of Office 365 E5, is what you should use. ATP is also available as an add-on for other Office 365 plans.

Update: Advanced Threat Protection is now called Microsoft Defender for Office 365

Third-party mail hygiene services beg to differ and say that their solutions offer better protection. Either way, you’re better protected when EOP is not the only line of defense.

ATP Safety Features for Exchange

All of which brings me to ATP Safe Attachments and ATP Safe Links, both features designed to stop malicious content arriving in user mailboxes.

I like the concept behind ATP Safe Attachments very much. It seems reasonable to me that an inbound attachment that might contain a problem should be intercepted, put somewhere safe, and tested before it reaches me. ATP Safe Attachments also stops infections caused by malware being uploaded to SharePoint Online and OneDrive for Business sites, including the SharePoint Online sites used by Teams (which is enough for Microsoft to claim ATP support for Teams).

My tenant is configured to use Dynamic Delivery, which means that I receive messages without attachments while those attachments are being scanned. The only issue I have is the unfortunate side-effect where Outlook Mobile insists on notifying me twice for these messages: once for the message and the second time after Dynamic Delivery has processed the attachment and declared it safe.

Safe Attachments doesn’t generally take long to process attachments. The usual delay is in the order of one or two minutes, which I think is acceptable. Yet I have heard anecdotal evidence of much longer delays of up to an hour before an attachment is delivered. Michael Osterman of Osterman Research said that he’d been told of this experience by Office 365 customers when he spoke at the recent TEC conference. I’ve never experienced long delays and am interested in hearing if others have.

Another complaint I’ve heard is that Safe Attachments stops people being able to email documents to each other when needed quickly in meetings. There’s an easy answer to this: share the document from OneDrive instead of sending it as an email attachment.

Safe Links

ATP Safe Links protects users from links in messages pointing to malicious sites. While links are checked, users are prevented going to the sites. Again, this can delay mail recipients from being able to get to information but given the amount of bad sites that exist on the internet, this is reasonable, even if users are sometimes frustrated when they can’t reach a site because of a blocked link.

A new feature in the ATP Safe Links policy allows tenant administrators to delay message delivery until all links in a message are scanned (Figure 1). If you haven’t yet chosen this option, it’s a good one to consider. Email delivery is delayed slightly but recipients can click all good links in messages when they do arrive. I think this is less frustrating all round for recipients.

Configuring Wait for URL Scanning in an ATP Safe Links policy
Figure 1: Configuring Wait for URL Scanning in an ATP Safe Links policy

Need more information about how EOP and ATP work? Look no further than Chapter 17 of the Office 365 for IT Pros eBook, which goes into these topics in enormous detail.

2 Replies to “Safe Links and Safe URLs Delay Email Delivery For the Right Reasons”

  1. If anyone else has been struggling with compiling a report to calm down end-users who keep saying that it takes HOURS (!) to receive emails because of ATP scanning, this might be a good link for you!

    I took the CSV file and created a Power BI report so its a bit easier to understand. Let me know what you think!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.