Why is Office365 detecting PDF attachments as malware?

  • cbna
    Asked on October 05, 2017 at 02:11 PM

    As of today, Office 365 started detecting the JotForm PDF attachments sent by email as malware and automatically stripping the attachments. Microsoft does not seem to allow a way to release the email with the attachment from malware quarantine or make a policy exception even though it is clearly a false positive.

    I am guessing this is because of the file naming ###################.pdf

    The alert message is

    Zero-Hour Auto Purge

    Malware was detected in one or more attachments included with this email message.
    Action: All attachments have been deleted.

    Any suggestions to make this work again?

  • Kiran
    Answered on October 05, 2017 at 03:25 PM

    This must be a false positive issue from Office365. Please try adding the jotform.com domain to the whitelist or adding the JotForm email address to the safe sender list.

    https://support.office.com/en-us/article/Prevent-email-from-being-marked-as-spam-in-EOP-and-Office-365-74aaade0-efc0-46ac-b949-f2d1d59256fa

    Also, please review the spam filter settings in the Admin center. Please refer to the guide below for more information on ZAP of Office365.

    https://support.office.com/en-us/article/Zero-hour-auto-purge-protection-against-spam-and-malware-96deb75f-64e8-4c10-b570-84c99c674e15

    Please let us know how it goes after changing the settings in Office365. We will be happy to take a look again. 

  • cbna
    Answered on October 05, 2017 at 04:36 PM

    No way to make an exception if in Malware quarantine instead of Spam or change transport rules. If you "Release" from quarantine it strips the attachment, but I noticed that if you "Release and Report" as a false positive it does keep the attachment. That is a sufficient solution for now, and it does not appear it was filtering all submissions, only a subset.



  • Jeffrey Hunt
    Answered on October 10, 2017 at 12:47 PM

    I'm currently experiencing the same issue in that a subset of reports that get submitted daily are being flagged by Exchange Online (Office 365) as containing malware with a malicious payload.  This has only been occurring for the last 4-5 days.  What would cause Exchange Online to suddenly start flagging JotForm .pdf attachments as malware?



  • Nik_C
    Answered on October 10, 2017 at 01:12 PM

    It could happen that Microsoft made some changes in how they are filtering messages, so it could happen that the name of the PDF is triggering Office365 to mark them as malware.

    Did you try the above solution from the cbna user, with "Release and report"?