When the Advanced Threat Protection (ATP) Service detects a threat in an email attachment or publicly accessible direct download link, the recipient may receive an email notification based on the conditions described below. Email notifications are dependent on the selections made on the ATP Settings page:
- Enable Advanced Threat Protection – When set to Deliver First, then Scan, the message, including attachments, is first delivered to the recipient and then scanned by the ATP service. Once scanning begins, if a threat is detected the message is deferred for additional scanning, and an email notification is automatically sent to the email recipient warning them of the threat.
- Enable Advanced Threat Protection – When set to Scan First, Then Deliver, the message is scanned before delivery. Once the scan is complete, if ATP does not detects a virus or suspicious attachment, the message is sent to the recipient. If ATP detects a virus or suspicious attachment, the message is blocked and no email notification is sent to the recipient.
- Notify Admin – When set to Yes, an email notification is automatically sent to the email entered in the ATP Notification Email field when ATP detects a virus or suspicious attachment.
Example 1. Recipient Email Notification.
In this example, ATP detected a virus, and notifies recipient@organization2.com that a virus was detected in an attachment from sender@organization1.com:
Example 2. Admin Email Notification.
In this example, Advanced Threat Protection is set to Deliver First, then Scan, and Notify Admin is set to Yes. ATP detected a virus after delivering the email. The admin at NotifyAdmin@organization2.com is sent an email notification that a virus was detected in an attachment from sender@organization1.com sent to recipient@organization2.com:
