This article explains how to configure Advanced Threat Protection (ATP) mail flow rules in Microsoft 365 (Exchange Online) so that simulations delivered via Direct Message Injection (DMI) do not produce false positives. This step is necessary when DMI is already configured but clicks or file openings are recorded that users did not actually perform: ATP scans the links and attachments in the simulation messages, and those scans are registered as user actions.
Prerequisites
- The DMI sending method must be configured and working. If you have not configured it yet, first follow the Microsoft - How to configure simulation delivery via DMI (Direct Message Injection).
- Administrator access to the Exchange Admin Center: https://admin.exchange.microsoft.com
- Administrator access to your SMARTFENSE platform.
Step 1 — Shorten the SMARTFENSE header
Microsoft has a limit of approximately 100 characters for the header value in mail flow rules. The default SMARTFENSE header usually exceeds this limit, so it must be shortened before creating the rules.
- Log in to your SMARTFENSE platform.
- Go to Settings > Security > Whitelist.
- In the Phishing and Ransomware Email Header section, click Customize Header.
- Copy the header value into a text editor (for example, Notepad).
- Delete characters from the end of the value until it is no longer than 100 characters.
- Paste the modified header into the corresponding field in the platform.
- Click Save.
Keep the manually shortened header: you will need it to configure both rules in the following steps.
Step 2 — Create the rule to skip ATP Link
This rule prevents ATP Safe Links from scanning the links included in simulations, eliminating the false clicks that the scan would otherwise register.
- Log in to the Exchange Admin Center: https://admin.exchange.microsoft.com
- Go to Mail Flow > Rules.
- Click (+) Add a rule > Create a new rule.
- Name it Skip ATP Links.
- Under Apply this rule if..., select Message header > includes any of these words.
- In Enter text (the header name), enter X-PHISHINGSIMULATION and click Save.
- In Enter words, paste the header value you shortened in Step 1. Click Add and then Save.
- Under Do the following, select Modify the message properties > set a message header.
- In Enter text (the header name), enter X-MS-Exchange-Organization-SkipSafeLinksProcessing and click Save.
- In value, enter 1 and click Save.
- Click Next.
- In Set rule settings, leave the default values and click Next.
- In Review and finish, click Finish.
Step 3 — Create the rule to skip ATP Attachment
This rule prevents ATP Safe Attachments from scanning the attachments in ransomware simulations, eliminating the false file openings that the scan would otherwise register.
- On the Rules screen, click (+) Add a rule > Create a new rule.
- Name it Skip ATP Attachments.
- Repeat the configuration from Step 2 (the same condition on the X-PHISHINGSIMULATION header with the shortened value, and the same action Modify the message properties > set a message header), with one difference in the header name:
- In Enter text (the header name), enter X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and click Save.
- In value, enter 1 (the same value as in Step 2) and click Save.
- Click Next.
- In Set rule settings, leave the default values and click Next.
- In Review and finish, click Finish.
Step 4 — Enable the rules and set priority
Once the two rules are created, you need to enable them and set their priority correctly. Without this step, the rules will have no effect.
- Edit the rule Skip ATP Links.
- Go to Edit rule settings.
- Enable the Enabled field.
- Set the priority to 0.
- Save the changes.
- Edit the rule Skip ATP Attachments.
- Go to Edit rule settings.
- Enable the Enabled field.
- Set the priority to 1.
- Enable the option Stop processing more rules.
- Save the changes.
The option "Stop processing more rules" should only be enabled on the Skip ATP Attachments rule (priority 1). If it were enabled on the Skip ATP Links rule (priority 0), rule processing would stop there and the Skip ATP Attachments rule would never be applied.
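The same two rules from Steps 2 to 4, created from Exchange Online PowerShell instead of the Exchange Admin Center, as an added example that is not SMARTFENSE's or Microsoft's own script. It assumes the ExchangeOnlineManagement module is installed and that the account used can manage mail flow rules; the value assigned to $ShortHeader is a constructed placeholder and must be replaced with the header you shortened in Step 1.

```powershell
# Added example: create the Skip ATP Links / Skip ATP Attachments rules with
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is
# installed and the account has a role that can manage transport rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Header name and the shortened header value from Step 1. The value below is a
# constructed placeholder, not a real SMARTFENSE header: replace it.
$HeaderName  = 'X-PHISHINGSIMULATION'
$ShortHeader = 'example-shortened-header-value-replace-me'

# Step 1 check: the value must not exceed 100 characters, otherwise the rule
# is not accepted.
if ($ShortHeader.Length -gt 100) {
    throw "Header value is $($ShortHeader.Length) characters; shorten it to 100 or fewer."
}

# Step 2 rule: priority 0, enabled, WITHOUT stop-processing so the attachments
# rule below still runs. Priority 0 places it ahead of any existing rules.
New-TransportRule -Name 'Skip ATP Links' `
    -HeaderContainsMessageHeader $HeaderName `
    -HeaderContainsWords $ShortHeader `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SetHeaderValue '1' `
    -Priority 0 `
    -Enabled $true

# Step 3 rule: priority 1, enabled, and stop processing more rules afterwards.
New-TransportRule -Name 'Skip ATP Attachments' `
    -HeaderContainsMessageHeader $HeaderName `
    -HeaderContainsWords $ShortHeader `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' `
    -SetHeaderValue '1' `
    -Priority 1 `
    -Enabled $true `
    -StopRuleProcessing $true

# Step 4 check: both rules should show State Enabled, priorities 0 and 1, and
# StopRuleProcessing True only on the attachments rule.
Get-TransportRule |
    Where-Object { $_.Name -like 'Skip ATP*' } |
    Format-Table Name, State, Priority, StopRuleProcessing, SetHeaderName -AutoSize
```

If you later need to repair the rules rather than recreate them (for example after a Microsoft update disables them, as noted under Best Practices), Set-TransportRule accepts the same -Enabled, -Priority and -StopRuleProcessing parameters against an existing rule name.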
Step 5 — Verify the configuration
Before launching a campaign to all users, validate that the rules work correctly.
- Wait at least 2 hours for the rules to propagate to all users.
- Set up a test simulation campaign aimed at a small group of users (it can be your own user).
- Verify that no clicks or file openings are recorded that were not performed by the users in the test group.
💡 Best Practices
- Configure ATP rules whenever DMI is used as the sending method in Microsoft environments, even if no false positives have been detected yet.
- Use the customized (shortened) header consistently: the same value must be in the SMARTFENSE platform and in both Exchange rules.
- Test the configuration with a small group before launching large campaigns.
- Do not exceed 100 characters in the header value to avoid Microsoft silently rejecting the rule.
- Review the rules in Exchange if false positives reappear at any point, as Microsoft environment updates may disable them.