Yesterday I was prepping a little for an upcoming conference that a colleague (Ben Miller, Cloud Security Dude) and I will be speaking at, and I thought I’d share a very short article on how Office 365 Advanced Threat Protection works. For now I’ll just cover pretty basic stuff like attachments. I’ll go into more detail later and cover address rewriting and other topics.
So here is an email trace I just performed.
So a message comes in, and I have ‘dynamic delivery’ set (I’ll cover this in more detail in another article). Basically this means that Exchange Online delivers the message immediately, BUT the attachment only becomes available AFTER it has been tested in a ‘sandbox’. How does Microsoft do that? They spin up a virtual machine, run the attachment there and then detonate it (Microsoft’s term), or send it on to meet up with the message after a series of other steps (e.g. address rewriting).
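For readers who want to see the setting behind this behaviour, here is an added example (mine, not from the original post or from Microsoft’s documentation) that turns on the dynamic delivery mode with the Exchange Online PowerShell module and then runs the same kind of message trace the post refers to. The domain `contoso.example`, the mailbox `user@contoso.example` and the policy and rule names are placeholders I chose, not values from the post; the cmdlets and parameters are the standard Exchange Online ones.

```powershell
# Added example (not from the original post): configure the Safe Attachments
# policy mode the post describes, confirm it, and pull the message trace for
# one recipient. Requires the ExchangeOnlineManagement module.
# "contoso.example", "user@contoso.example" and the policy/rule names are
# placeholders, not values taken from the post.

Connect-ExchangeOnline

# Policy: deliver the message body right away and hold the attachment back
# until the sandbox verdict is in (the 'dynamic delivery' behaviour above).
New-SafeAttachmentPolicy -Name "DynamicDelivery-Default" `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $false

# Rule: scope the policy to every recipient in the tenant's domain.
New-SafeAttachmentRule -Name "DynamicDelivery-AllUsers" `
    -SafeAttachmentPolicy "DynamicDelivery-Default" `
    -RecipientDomainIs "contoso.example" `
    -Enabled $true

# Check: confirm the action that is actually in force before relying on it.
Get-SafeAttachmentPolicy -Identity "DynamicDelivery-Default" |
    Select-Object Name, Enable, Action

# Trace: messages to one mailbox over the last day. The detail view lists the
# events between receipt and final delivery, which is where the attachment
# scanning shows up as extra steps.
$trace = Get-MessageTrace -RecipientAddress "user@contoso.example" `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)

$trace | Select-Object Received, SenderAddress, Subject, Status

$trace | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
        -RecipientAddress $_.RecipientAddress |
        Select-Object Date, Event, Detail
}
```

The `Get-SafeAttachmentPolicy` check is worth keeping in any runbook: a policy can exist with `Action` still set to `Block` or `Replace`, in which case users never see the placeholder attachment the post goes on to describe.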
So this is what the user receiving the email will get when they first open the email and click on the attachment before testing is done.
The process only takes a few minutes.