Behavior of ATP and Journal Rules

  • Question

  • I've noticed an odd behavior with messages analyzed by ATP and a journal rule to my archive solution. In most cases, a message that is blocked by ATP or flagged as spam by EOP does not trigger the journal rule. This is the behavior I would expect, as I would not want malicious mails to be sent to the archive.

    I am now seeing instances where ATP shows "Blocked. Advanced Threat Protection Malware" in the message events, but the journal rule still fires and sends a copy of the message to the archive. Is there a setting that must be enabled to prevent these bad mails from triggering the journal rule?

    Thursday, November 15, 2018 3:35 PM

All replies

  • Hi Jason,

    Per my knowledge, there is no such setting to prevent the emails which are blocked by ATP from triggering the journal rule.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, November 16, 2018 7:22 AM
    Moderator
  • Hi,

    I'm just writing to check how everything is going. If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Thanks for your understanding.


    Best Regards,
    Niko Cheng





    Friday, November 23, 2018 2:19 AM
    Moderator
  • Hi Niko,

    Thank you for your response. I understand that there is not a setting to change this behavior. My follow-up question is why do messages blocked by ATP trigger the journal rule in the first place?

    From a security and compliance perspective, I do not want malicious content placed into my archive. When the legal team submits an eDiscovery search, there is the potential for malicious content that was journaled to be included with the search results. The organization could be at risk if that malicious content is accessed by a user or even sent to third-party counsel as part of eDiscovery.

    This was not an issue previously, when using Microsoft Exchange. The email gateway in front of the transport servers would block malicious content and only "clean" messages would be journaled by Exchange. I would expect the same behavior with Office 365, even if the tenant is a combination of email filtering and hosted Exchange.

    Best,

    Jason

    Wednesday, December 12, 2018 4:24 PM
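Since the thread establishes that there is no tenant-side setting to keep blocked mail out of the journal, the remaining control is on the archive side: audit the journal reports already received and flag the ones whose enclosed message EOP had already marked. The script below is an added example, not code from the thread, from Microsoft or from any archive vendor. It assumes the standard Exchange journal-report layout (a text/plain envelope summary plus the original message attached as message/rfc822) and reads two real EOP headers on the enclosed message, X-Forefront-Antispam-Report (the SFV spam verdict) and X-MS-Exchange-Organization-SCL. It does not know which header ATP stamps on a malware-blocked message, so that marker is an assumption the operator supplies (malware_header / malware_pattern) from a known-blocked sample in their own tenant; the X-Example-ATP-Verdict header used in the sample is hypothetical, and all sample reports are constructed in build_sample_report.

```python
"""Audit Exchange journal reports for messages EOP/ATP had already acted on.

Added example (not from the thread or from Microsoft). Assumptions:
  - journal reports are multipart/mixed with the original as message/rfc822
  - EOP stamps X-Forefront-Antispam-Report (SFV verdict) and
    X-MS-Exchange-Organization-SCL on the enclosed message
  - the ATP malware marker is unknown here and is supplied by the operator
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# SFV values meaning EOP treated the message as spam: SPM (filtered as spam),
# SKS/SKB (marked as spam before filtering / blocked sender), BLK (blocked).
SPAM_VERDICTS = {"SPM", "SKS", "SKB", "BLK"}
SPAM_SCL = 5  # SCL 5 and above is the spam range


def extract_original(report: EmailMessage) -> Optional[EmailMessage]:
    """Return the original message enclosed in a journal report, or None."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the embedded message object
    return None


def eop_verdict(msg: EmailMessage) -> dict:
    """Pull the EOP spam verdict (SFV) and SCL from the original's headers."""
    antispam = str(msg.get("X-Forefront-Antispam-Report", "") or "")
    sfv = re.search(r"(?:^|;)SFV:([A-Z]+)", antispam)
    scl = None
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    if scl_header is not None:
        m = re.fullmatch(r"\s*(-?\d+)\s*", str(scl_header))
        scl = int(m.group(1)) if m else None
    return {"sfv": sfv.group(1) if sfv else None, "scl": scl}


def audit_journal_report(raw: bytes, malware_header: Optional[str] = None,
                         malware_pattern: Optional[str] = None) -> dict:
    """Classify one journal report given as raw RFC 5322 bytes.

    malware_header / malware_pattern are an ASSUMPTION left to the operator:
    copy the header name and value that a known ATP-blocked sample carries
    in your tenant; this script does not know ATP's own marker.
    """
    report = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": str(report.get("Subject", "")), "message_id": None,
              "sfv": None, "scl": None, "reasons": [], "flagged": False}
    original = extract_original(report)
    if original is None:
        result["reasons"].append("no message/rfc822 part: not a journal report")
        return result  # unflagged, but reported so odd archive items stand out
    result["message_id"] = str(original.get("Message-ID", "")) or None
    verdict = eop_verdict(original)
    result.update(verdict)
    if verdict["sfv"] in SPAM_VERDICTS:
        result["reasons"].append(f"EOP spam verdict SFV:{verdict['sfv']}")
    if verdict["scl"] is not None and verdict["scl"] >= SPAM_SCL:
        result["reasons"].append(f"SCL {verdict['scl']} >= {SPAM_SCL}")
    if malware_header and malware_pattern:
        value = str(original.get(malware_header, "") or "")
        if re.search(malware_pattern, value):
            result["reasons"].append(f"{malware_header} matches {malware_pattern!r}")
    result["flagged"] = bool(result["reasons"])
    return result


def build_sample_report(sfv: str, scl: int,
                        extra_headers: Optional[dict] = None) -> bytes:
    """Construct a journal report in the Exchange layout (sample data only)."""
    original = EmailMessage()
    original["From"] = "sender@example.net"
    original["To"] = "user@contoso.example"
    original["Subject"] = "Invoice attached"
    original["Message-ID"] = "<20181115.1@example.net>"
    original["X-Forefront-Antispam-Report"] = f"CIP:203.0.113.5;CTRY:XX;SFV:{sfv};SCL:{scl};"
    original["X-MS-Exchange-Organization-SCL"] = str(scl)
    for name, value in (extra_headers or {}).items():
        original[name] = value
    original.set_content("Please see the attached invoice.")

    report = EmailMessage()
    report["From"] = "journal@contoso.example"
    report["To"] = "archive@archive.example"
    report["Subject"] = "Invoice attached"
    report.set_content("Sender: sender@example.net\nSubject: Invoice attached\n"
                       "Message-Id: <20181115.1@example.net>\n"
                       "Recipient: user@contoso.example\n")
    report.add_attachment(original)  # becomes the message/rfc822 part
    return report.as_bytes()


if __name__ == "__main__":
    for sfv, scl in (("NSPM", 1), ("SPM", 6)):
        print(audit_journal_report(build_sample_report(sfv, scl)))
```

Run it over the .eml files your archive exports and treat every flagged report as a candidate for quarantine or exclusion from eDiscovery result sets. Keep the SCL check even when an SFV verdict is present: a transport rule can set SCL without changing SFV, and the two together cover the "flagged as spam by EOP" case the question describes, while the malware marker only catches what your own blocked samples have shown you.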