Safe Attachments in Office 365 ATP

Important

Welcome to Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Read more about this and other updates in Microsoft delivers unified SIEM and XDR to modernize security operations. We'll be updating names in products and in the docs in the near future.

Safe Attachments in Office 365 Advanced Threat Protection (ATP) provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. There is no default Safe Attachments policy, so to get the protection of Safe Attachments, you need to create one or more Safe Attachments policies. For instructions, see Set up Safe Attachments policies in ATP.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include ATP (in other words, lack of licensing is never an issue in the examples).


| Scenario | Result |
|---|---|
| Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured. | Pat is not protected by Safe Attachments. An admin must create at least one Safe Attachments policy for Safe Attachments protection to be active. Furthermore, the conditions of the policy must include Pat if Pat is to be protected by Safe Attachments. |
| Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department. | Lee is not protected by Safe Attachments. Finance employees are protected by Safe Attachments, but sales employees (and other employees) are not. |
| Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment. | Jean is protected by Safe Attachments. Typically, it takes about 30 minutes for a new policy to take effect. |
| Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients. | Chris is protected by Safe Attachments. If the external recipients also have Safe Attachments policies in their organization, then the forwarded messages are subject to those policies. |

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Note

The following features are located in the global settings area of Safe Attachments policies in the Security & Compliance Center, but these settings are enabled or disabled globally, and don't require Safe Attachments policies:

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

  • Safe Attachments unknown malware response: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:

| Option | Effect | Use when you want to |
|---|---|---|
| Off | Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by anti-malware protection in EOP. | Turn scanning off for selected recipients. Prevent unnecessary delays in routing internal mail. This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. |
| Monitor | Delivers messages with attachments and then tracks what happens with detected malware. Delivery of safe messages might be delayed due to Safe Attachments scanning. | See where detected malware goes in your organization. |
| Block | Prevents messages with detected malware attachments from being delivered. Messages are quarantined where only admins (not end-users) can review, release, or delete the messages. Automatically blocks future instances of the messages and attachments. Delivery of safe messages might be delayed due to Safe Attachments scanning. | Protects your organization from repeated attacks using the same malware attachments. This is the default value, and the recommended value in Standard and Strict preset security policies. |
| Replace | Removes detected malware attachments. Notifies recipients that attachments have been removed. Messages are quarantined where only admins (not end-users) can review, release, or delete the messages. Delivery of safe messages might be delayed due to Safe Attachments scanning. | Raise visibility to recipients that attachments were removed because of detected malware. |
| Dynamic Delivery | Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. For details, see the Dynamic Delivery in Safe Attachments policies section later in this topic. | Avoid message delays while protecting recipients from malicious files. Enable recipients to preview attachments in safe mode while scanning is taking place. |

  • Redirect attachment on detection: Enable redirect and Send the attachment to the following email address: For Block, Monitor, or Replace actions, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.

    The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.

  • Apply the above selection if malware scanning for attachments times out or error occurs: The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can't complete. Always select this option if you select Enable redirect. Otherwise, messages might be lost.

  • Recipient filters: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • The recipient is
    • The recipient domain is
    • The recipient is a member of

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.
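The recipient filter and priority rules above can be modelled to answer the question "which policy, if any, protects this recipient?". The following Python sketch is an added example, not Microsoft's code: the class and function names are hypothetical, the tenant data is constructed, exceptions are evaluated with the same OR/AND rule the text gives for conditions, and it assumes a lower priority number is evaluated first.

```python
from dataclasses import dataclass, field

@dataclass
class Filter:
    recipients: set = field(default_factory=set)  # "The recipient is"
    domains: set = field(default_factory=set)     # "The recipient domain is"
    groups: set = field(default_factory=set)      # "The recipient is a member of"

    def matches(self, address, member_of):
        address = address.lower()
        checks = []
        if self.recipients:
            checks.append(address in self.recipients)
        if self.domains:
            checks.append(address.rsplit("@", 1)[-1] in self.domains)
        if self.groups:
            checks.append(bool(self.groups & set(member_of)))
        # OR inside one property (set membership), AND across properties.
        # A filter with nothing configured matches nobody.
        return bool(checks) and all(checks)

@dataclass
class Policy:
    name: str
    priority: int  # assumption: lower number is evaluated first
    action: str
    conditions: Filter
    exceptions: Filter = field(default_factory=Filter)

def effective_policy(policies, address, member_of=()):
    """Return the one policy that applies to the recipient, or None."""
    priorities = [p.priority for p in policies]
    if len(priorities) != len(set(priorities)):
        raise ValueError("no two policies can have the same priority")
    for policy in sorted(policies, key=lambda p: p.priority):
        if (policy.conditions.matches(address, member_of)
                and not policy.exceptions.matches(address, member_of)):
            return policy  # processing stops at the first policy that applies
    return None  # no policy applies: no Safe Attachments protection

# Constructed sample tenant (names, addresses and groups are made up).
FINANCE = Policy("Finance block", 0, "Block", Filter(groups={"finance"}),
                 Filter(recipients={"kiosk@contoso.example"}))
EVERYONE = Policy("All staff", 1, "DynamicDelivery",
                  Filter(domains={"contoso.example"}))

if __name__ == "__main__":
    for addr, grp in [("lee@contoso.example", {"sales"}),
                      ("kim@contoso.example", {"finance"}),
                      ("kiosk@contoso.example", {"finance"}),
                      ("partner@fabrikam.example", set())]:
        hit = effective_policy([FINANCE, EVERYONE], addr, grp)
        print(addr, "->", hit.name if hit else "not protected")
```

A recipient excepted from the higher-priority policy still falls through to the next policy whose conditions match, and a recipient matched by no policy gets no Safe Attachments scanning at all.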

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined. Only admins (not end-users) can review, release, or delete messages that were quarantined by Safe Attachments scanning. For more information, see Manage quarantined messages and files as an admin.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

  • If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.

  • If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

  • Messages in public folders.

  • Messages that are routed out of and then back into a user's mailbox using custom rules.

  • Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.

  • Deleted messages.

  • The user's mailbox search folder is in an error state.

  • Exchange Online organizations where Exclaimer is enabled. To resolve this, see KB4014438.

  • S/MIME encrypted messages.

  • You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Office 365 ATP is able to scan Office file attachments that contain URLs (depending on how the global settings for Safe Links are configured).
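The setting interactions described in the policy settings section, together with the Exchange Online requirement for Dynamic Delivery, lend themselves to an automated review of exported policy settings. The following Python check is an added example, not Microsoft's code: the dictionary keys, finding codes, and sample policies are hypothetical and constructed for illustration.

```python
# Field names are hypothetical labels for the settings described on this page,
# not names taken from any Microsoft API or cmdlet.
REDIRECT_ACTIONS = {"Block", "Monitor", "Replace"}  # actions the redirect applies to

def audit_policy(p):
    """Return (code, reason) findings for one policy dict."""
    out = []
    action, redirect = p["action"], p.get("redirect", False)
    if action == "Off":
        out.append(("ACTION_OFF",
                    "Safe Attachments does not scan; only EOP anti-malware does"))
    if redirect and not p.get("apply_on_error", False):
        out.append(("REDIRECT_WITHOUT_ERROR_ACTION",
                    "messages might be lost if scanning times out or errors"))
    if redirect and action not in REDIRECT_ACTIONS:
        out.append(("REDIRECT_NOT_USED",
                    "redirect is described for Block, Monitor or Replace only"))
    if not redirect and action in REDIRECT_ACTIONS:
        out.append(("REDIRECT_DISABLED",
                    "Standard and Strict settings recommend enabling redirection"))
    if action == "DynamicDelivery":
        # Dynamic Delivery works only for Exchange Online mailboxes.
        other = set(p.get("mailbox_locations", ())) - {"ExchangeOnline"}
        if other:
            out.append(("DYNAMIC_DELIVERY_UNSUPPORTED",
                        "not Exchange Online: " + ", ".join(sorted(other))))
    return out

def audit(policies):
    """Map policy name -> list of finding codes."""
    return {p["name"]: [code for code, _ in audit_policy(p)] for p in policies}

# Constructed sample policies.
SAMPLE = [
    {"name": "Recommended", "action": "Block", "redirect": True,
     "redirect_address": "soc@contoso.example", "apply_on_error": True},
    {"name": "Lossy redirect", "action": "Replace", "redirect": True,
     "redirect_address": "soc@contoso.example", "apply_on_error": False},
    {"name": "Hybrid dynamic", "action": "DynamicDelivery", "redirect": False,
     "mailbox_locations": ["ExchangeOnline", "OnPremises"]},
    {"name": "Trusted senders", "action": "Off", "redirect": False},
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE).items():
        print(name, codes or "ok")
```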

Submitting files for malware analysis