Safe Attachments is a peculiar one, and I’m curious how its implementation works in large organizations and whether the mail delay is acceptable. If you have Safe Attachments on, when an email is sent to a customer of ATP with Safe Attachments, it will on average take anywhere from 5 minutes or, in my experience, 15 minutes to actually receive the email. This is well documented by Microsoft. What this means is that in a corporate environment, if an email is sent, it can take upwards of 15 minutes or more to receive it. My guess is that this is Microsoft’s first iteration to compete with sandbox/virtualization SMTP gateways on the market today and in the cloud. I won’t spend much time on this area; generally when I’m going after a company, it’s through malicious websites versus actual attachments. I will say that during my analysis of this area, large file attachments, double-zipped files, obfuscated macro injection, direct data types, large time delays, and more were successful in going through the Safe Attachments protection. During my testing, I didn’t notice a difference in being flagged by traditional A/V versus ATP’s attachment detection.
https://www.trustedsec.com/2017/02/office-365-advanced-threat-protection-features-shortfalls/