Safe Attachments
The purpose of this policy is to add a layer of protection to attachments, both in received email and within other Microsoft applications such as SharePoint, OneDrive, and Teams. This is in addition to the protection provided by the anti-malware policy: anti-malware relies on threat definitions, whereas Safe Attachments relies on detonating the attachment in a virtual environment and observing its behavior.
Considerations before deployment
Note that, unlike anti-phishing, anti-spam, and anti-malware, the "default" policy here, known as "built-in protection", cannot be modified, and it is difficult to see how it is configured. For this reason it is advisable to create a custom policy targeting all of your domains to act as your new "default" policy; you will be able to modify it and see exactly what protection it applies.
Global settings
This page also has global settings, located near the Create policy button, that let you extend Safe Attachments protection to files in SharePoint, OneDrive, and Teams. The three settings are:
- Turn on Defender for Office 365 for SharePoint, OneDrive, and Teams
- Turn on Safe Documents for Office clients
- Allow people to click through Protected View even if Safe Documents identified the file as malicious
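The same three global settings can be set from Exchange Online PowerShell with Set-AtpPolicyForO365. The block below is an added example, not configuration from the original page or from Microsoft; the values it sets are a common hardened configuration assumed for illustration (enable the first two, leave click-through disabled), and the admin UPN is a placeholder.

```powershell
# Added example: the three global Safe Attachments settings via Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and a Security Administrator (or equivalent).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Splatting keeps each setting next to its explanation; these values are an
# assumed hardened configuration, not figures stated by the page.
$globalSettings = @{
    EnableATPForSPOTeamsODB = $true    # Defender for Office 365 for SharePoint, OneDrive, and Teams
    EnableSafeDocs          = $true    # Safe Documents for Office clients
    AllowSafeDocsOpen       = $false   # do not let users click through Protected View on a malicious verdict
}
Set-AtpPolicyForO365 @globalSettings

# Read the effective values back so the change is verified, not assumed.
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen
```

The final Get-AtpPolicyForO365 call is the check worth keeping in a change record: it shows what the tenant actually enforces rather than what the script intended to set.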
Policy Configuration
This policy is basic and straightforward. A pilot policy is perfectly fine, but the changes you make here are usually straightforward opportunities to protect your users and are not up for much debate.
Scoping users, groups, and domains
Pay attention to the conditions on custom policies: they are evaluated together with AND logic. If you specify both a user and a group, the user must be a member of the group, and other members of that group will not be covered by this policy unless they are also listed on the user list.
Safe Attachments detection response
There are four options for this setting; Block is the normal recommendation for most environments.
- Off
  - Anti-malware still applies, but no further protection is provided.
- Monitor
  - MDO delivers malicious attachments and tracks what happens to them.
- Block
  - Blocks the attachments.
- Dynamic Delivery
  - Messages that go through Safe Attachments are delayed by the scan. Dynamic Delivery delivers the email immediately with a placeholder attachment noting that a scan is in progress; once the scan completes, the message is redelivered with the real attachment, assuming it contained no malware.
  - Typically the email delay is less than a minute, so it is advisable to choose the Block setting. If the attachment contained malware, the contents or links in the message itself may be questionable as well.
  - Dynamic Delivery also opens you up to questions such as "where is my attachment?" while the scan is in progress, or "where is my email?" once it has been quarantined because it contained malware.
Redirect attachments
You can configure this setting, but it only applies when the Monitor setting is used for the detection response.
Quarantine policy
Here you can specify the quarantine policy to apply to messages detected as malware. Regardless of the quarantine policy selected, a user cannot release the message on their own; an admin must approve the release. By default, AdminOnlyAccessPolicy is specified. Depending on the policy you choose, users may be able to see these quarantined messages, but the "Allow recipients to release a message from quarantine" option is never honored for malware. An admin must release the message.
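The policy settings described above (scoping, detection response, redirect, and quarantine policy) map onto two Exchange Online PowerShell objects: New-SafeAttachmentPolicy holds the detection response, redirect, and quarantine tag, and New-SafeAttachmentRule holds the recipient conditions. The block below is an added example, not the page's or Microsoft's own configuration; the policy and rule names, mailbox addresses, and admin UPN are placeholders. Portal names map to cmdlet values as follows: Off is a disabled policy (-Enable $false), Monitor is -Action Allow, Block is -Action Block, and Dynamic Delivery is -Action DynamicDelivery.

```powershell
# Added example: a custom "default" Safe Attachments policy that covers every
# accepted domain, with Block as the detection response. Requires the
# ExchangeOnlineManagement module and a Security Administrator (or equivalent).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$policyName = 'SafeAttachments-Default'   # placeholder name

# 1. The policy: Block is the detection response; the quarantine tag is the
#    default AdminOnlyAccessPolicy. Whatever tag is chosen, users cannot
#    self-release malware, so an admin release path must exist anyway.
New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action Block `
    -QuarantineTag 'AdminOnlyAccessPolicy'

# 2. The rule that scopes the policy. Targeting all accepted domains makes this
#    the effective default you can actually inspect and edit, unlike the
#    built-in protection policy.
$allDomains = (Get-AcceptedDomain).DomainName
New-SafeAttachmentRule -Name "$policyName-Rule" `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs $allDomains `
    -Priority 0

# Scoping caveat from the page: conditions are ANDed. A rule written like the
# commented line below applies only to alice, and only if alice is a member of
# the finance group; nobody else in the group is covered. To cover the whole
# group, use -SentToMemberOf on its own.
#   New-SafeAttachmentRule -Name 'Narrow' -SafeAttachmentPolicy $policyName `
#       -SentTo alice@contoso.example -SentToMemberOf finance@contoso.example

# 3. Redirect is only meaningful with the Monitor (Allow) response. Shown for
#    contrast as a pilot policy; it should not target the same recipients as
#    the Block policy above.
#   New-SafeAttachmentPolicy -Name 'SafeAttachments-Pilot' -Enable $true -Action Allow `
#       -Redirect $true -RedirectAddress secops-samples@contoso.example

# 4. Verify what is actually enforced rather than trusting the script.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress, QuarantineTag
Get-SafeAttachmentRule -Identity "$policyName-Rule" |
    Format-List Name, State, Priority, RecipientDomainIs, SentTo, SentToMemberOf
```

Running the two Get-* cmdlets against the built-in protection policy as well is a quick way to see whether your custom policy differs from it, which is the visibility the page says the built-in policy otherwise lacks.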