In January of this year Microsoft added two new features to Advanced Threat Protection for Exchange Online. One of the new features, called Dynamic Delivery, provides an additional option that administrators can configure for the delivery of emails while ATP scanning of attachments is occurring.
To set the scene for those who might be unfamiliar with ATP, when ATP’s Safe Attachments feature scans email attachments for signs of malicious behavior, it causes a short delay before the email is delivered to the destination mailbox. This is not simple signature-based scanning, this is a behavioral analysis that opens the email attachment in a sandbox environment, so naturally it will take some time. I’ve seen delays of 1-2 minutes, all the way up to 10-12 minutes. But that’s only noticeable when I’m actually expecting an email with an attachment, such as when I’m in a discussion with someone and they send me a document to look at while we are talking.
Of course, that delay is not always acceptable for some customers. Perhaps the file attachment is less important than the contents of the email itself, and they’d prefer to receive the email promptly and wait for the attachment. That’s where Dynamic Delivery comes in. With Dynamic Delivery enabled, the recipient of the email receives the message in their inbox, but with the original attachments replaced by a message explaining that ATP is still scanning the files.
When the ATP scan has completed, assuming the file is safe, the message is replaced in the mailbox with the real attachments.
You can see a more detailed look at the Dynamic Delivery behavior in Tony Redmond’s article on Petri. What I want to cover here is something that a customer raised to me as a concern when they were considering turning on Dynamic Delivery.
This customer uses journaling as part of their overall compliance and archiving strategy. As you’re probably already aware, Exchange Online mailboxes can’t be used as journaling targets. The reasons are fairly obvious to anyone who has ever managed a journal mailbox. They grow very big, very fast. The economics and support implications just make it unreasonable to expect Microsoft to deal with thousands of exploding journal mailboxes for customers. At least not for the price we’re currently paying for Exchange Online.
So this means that the customer needs to use an externally hosted email address as the journaling target, provided by a third party cloud-based journaling service, or hosted on their own on-premises server. Since the journal mailbox is not hosted in Exchange Online, Dynamic Delivery can’t make changes to a delivered message (i.e. to redeliver or re-inject the attachment) the same way it can for an EXO mailbox. Meanwhile, the expectation of the customer is that their journaled copy of emails will match what was delivered to the recipient. The concern from the customer is that the journaled item will be a copy of the message at one point in time, but the message is then modified by Dynamic Delivery.
I did a little testing to see what would happen with Dynamic Delivery and external journal targets, and here’s what I found.
First, when ATP is not enabled for Dynamic Delivery, the external journal target sees the same delay for delivery of a message as the recipient themselves. In other words, ATP delivers to the recipient and to the journal address after completing its behavioral analysis (that 2-12 minute delay I mentioned earlier).
When Dynamic Delivery is enabled, the behavior changes. Both the recipient and the journal target receive the email almost immediately. The recipient’s copy is missing the attachments while ATP continues its analysis, but the journal target receives the attachments intact. Several minutes later, when the ATP scan is complete and Dynamic Delivery updates the message in the Exchange Online mailbox, no changes are sent to the journal target. In other words, the journal target receives only one copy of the email message, with attachments included, regardless of the ATP scan results or subsequent Dynamic Delivery behavior (which could include removing the email messages from the recipient’s mailbox).
A look at a message trace in Exchange Online shows the sequence of events.
As you can see above, the journal events occur before the dynamic email delivery event. So the email I sent during my test was journaled, and then delivered to the recipient without the attachments, and then only after ATP completed its scans did Dynamic Delivery update the delivered message several minutes later.
For your own assessment of the suitability of Dynamic Delivery, you should consider the behavior above and whether it impacts your compliance and archiving strategy. I would assume that for most organizations it will not be an issue, since Exchange Online still journals the complete message to the external journaling service. Any subsequent actions taken by ATP can be found in the message trace results for up to 90 days. If there’s concerns about cases older than 90 days not being available in message tracing, you may need to review your use of preservation policies, litigation hold or in-place hold and how you utilize Office 365’s eDiscovery tools for such matters.
Can atp dynamic delivery be removed? I find it very annoying and a waste of time.
Can’t believe that I just got around to reading this – I’ve been addressing customer requests for demos and walkthroughs of ATP functionality and this really helps – I will definitely be pointing to your article for some of these customers Paul. Awesome! Thanks once again for making your knowledge so generally available!