ES 10.0.6 / false/negative, no upload to Capture ATP
Today I received a strange mail from "Heidelberg University" totally out of context. Sent through some service provider in Singapore. SPF could have this covered, but that's another story.
The strange thing is that from all the attachments only the .png files got sent into the Capture ATP service; the bad files just went through. A manual upload to VirusTotal was detecting them both.
How come that Capture ATP isn't getting these files? File size is < 100 KB.
Events like this reduce the confidence once more.