How Exchange Online Protection Dynamic Delivery Works Inside Office 365

Posted on February 23, 2017 by Tony Redmond in Exchange Online, Office, Office 365 with 0 Comments

ATP Plays Safe with Attachments

Microsoft introduced the Safe Attachments feature as part of its Advanced Threat Protection (ATP) offering in 2015. ATP is an option for Exchange Online Protection (EOP). It is included in the Office 365 E5 plan and can be licensed as an add-on for $2/user per month for other Office 365 plans. Now Safe Attachments provides the option to scan inbound attachments dynamically and allow users access to message bodies while the scan proceeds. This feature is called Dynamic Delivery.



The Problem Lurking in Email

The idea behind Safe Attachments is simple. We know that attachments are a prime transmission vector for malware. This has been true since the first email-transmitted attacks like the famous “I Love You” virus appeared in 2002.

The majority of email messages are safe in that anti-malware engines are able to detect that their content does not include anything that could damage the recipient. But because malware authors constantly alter their attack techniques in an attempt to bypass anti-malware blocks, the danger exists that items might contain something that is dangerous but cannot be detected because the attack vector has never been seen before. This content might belong to a so-called Day Zero attack.

Messages and attachments that do not have a known malware signature are deemed unsafe. ATP routes these messages to a special hypervisor environment where a variety of techniques are used to test the content. If everything checks out, ATP releases the item back to the Exchange transport system for delivery to the end user.

The basic Safe Attachments feature works, but the need to spin up special test servers in the hypervisor environment to probe suspicious content can result in email delays. Some tenants reported that they experienced delays of between 10 and 15 minutes, depending on the load on Office 365 and EOP. A good case can be made that it is better to be safe than sorry when Day Zero attacks erupt in the wild, but users want their email now. And they want their email to be secure. It’s a hard balancing act.

Dynamic Delivery Steps In

Dynamic Delivery builds on the concept of Safe Attachments while recognizing that, in most cases, unrecognized content lurks in attachments rather than the messages to which they are attached. If a message is OK, it is possible to deliver it immediately. Meantime, the attachment is shuttled off to the side to be checked and when everything checks out, the attachment is released to reconstitute the full message.

The advantage of the approach is obvious. Recipients get to see the safe part of a message immediately instead of having to wait for EOP to validate the entire content. And often it is enough for a recipient to see the text of a message to understand its importance and know if they must take action.

Setting Up Dynamic Delivery

To implement Dynamic Delivery, you first need the necessary Office 365 licenses. Moving past that obvious requirement (Office 365 does nothing unless licenses are in place). The next step is to enable Safe Attachments scanning by policy. Go to the Threat Management section of the Security and Compliance Center and access Safe Attachments., You might not have a policy in place already. If not, create a new policy. You can then enable Dynamic Delivery in the policy (Figure 1) and decide the mailboxes to which you want the policy to apply. You can apply a policy to all recipients in one or more domains or members of a distribution group, or even individual people. You can also decide to exclude certain recipients from the policy (they are the people who only receive “nice” attachments). And multiple Safe Attachments policies can be active within a tenant.

Enabling Dynamic Delivery

Figure 1: Enabling Dynamic Delivery in a Safe Attachments Policy (image credit: Tony Redmond)

The User View

The Safe Attachments policy becomes active immediately it is saved. Users will be unaware that anything has changed until the first time that ATP intercepts a suspicious message en route to their mailbox. When this happens, ATP swaps the suspicious attachment for a special .eml attachment to inform the user what is happening (Figure 2).

Dynamic scanning of attachment

Figure 2: What a user sees when an attachment is being scanned (image credit: Tony Redmond)

In the background, ATP is scanning the suspicious content as before. The difference is that the user knows what is happening and can access and deal with any “good content” immediately. And when the scan is complete, ATP swaps its message out for the original now-verified and passed attachment. In my experience, the delay between the arrival of a new message and ATP updating the message with a passed attachment is usually two-three minutes, depending on the number of attachments. In short, it is enough for the recipient to read the cover note and begin to consider opening the attachment.

One thing that might disturb users is that messages are apparently delivered twice to their Inbox. The first contains the ATP notice; the second contains the real content. You get two notifications on mobile devices… But after a while, you get used to what’s happening.


A Step Forward

The war against malware will not stop anytime soon. Too many victims remain for malware authors to exploit, usually at great profit for the miscreants and loss for the unsuspecting. It is good to see Microsoft evolving ATP to speed up delivery to users while retaining the goodness of attachment checking. I rather like dynamic delivery. It is a good addition to the anti-malware mix.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.


Tagged with , , , , , ,