Issue
You may encounter an issue that phishing messages sent to a user that contain attachments are being shown as opened, even if the user in question has not clicked on the attachment.


Cause

Office 365's Advanced Threat Protection for file attachments is actually opening the files for deep inspection.  When the files are opened, a linked image is accessed within the file to an external website run by proofpoint which triggers the "opened" flag on the proofpoint side.


Fix

You need to create a mail flow rule to bypass ATP attachment checking.

  1. Create a new mail flow rule in your Exchange admin center
  2. Give the rule a name (i.e. Bypass ATP attachment Checking)
  3. Click more options
  4. Apply this rule if 
    1. A the sender IP address is in any of these ranges or ...
    2. Put in the IPs belonging to Proofpoints Security Awareness Delivery servers.
      52.1.14.157

      54.173.83.138 

      54.229.2.165 

      52.17.45.98 

      52.16.190.81

      52.30.130.201 

      107.23.16.222 

      107.20.210.250

  5. Set the message header: X-MS-Exchange-Organization-SkipSafeAttachmentProcessing to the value: 1
    AND  set the spam confidence (SCL) to Bypass spam filtering
  6. Save your new rule