Safe Attachments in Microsoft Defender for Office 365

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Attachments policies that apply to specific users, groups, or domains. For instructions, see Set up Safe Attachments policies in Microsoft Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).



| Scenario | Result |
|---|---|
| Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured. | Pat is protected by Safe Attachments due to the Built-in protection preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies. |
| Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department. | Lee and the rest of the sales department are protected by Safe Attachments due to the Built-in protection preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies. |
| Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment. | Jean is protected by Safe Attachments due to that custom Safe Attachments policy. Typically, it takes about 30 minutes for a new policy to take effect. |
| Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients. | Chris is protected by Safe Attachments. If the external recipients are in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments. |

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Note

The following features are located in the global settings of Safe Attachments policies in the Microsoft 365 Defender portal. But, these settings are enabled or disabled globally, and don't require Safe Attachments policies:

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

  • Safe Attachments unknown malware response: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:



| Option | Effect | Use when you want to: |
|---|---|---|
| Off | Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by anti-malware protection in EOP. | Turn scanning off for selected recipients. Prevent unnecessary delays in routing internal mail. This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. |
| Monitor | Delivers messages with attachments and then tracks what happens with detected malware. Delivery of safe messages might be delayed due to Safe Attachments scanning. | See where detected malware goes in your organization. |
| Block | Prevents messages with detected malware attachments from being delivered. Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.* Automatically blocks future instances of the messages and attachments. Delivery of safe messages might be delayed due to Safe Attachments scanning. | Protects your organization from repeated attacks using the same malware attachments. This is the default value, and the recommended value in Standard and Strict preset security policies. |
| Replace | Removes detected malware attachments. Notifies recipients that attachments have been removed. Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.* Delivery of safe messages might be delayed due to Safe Attachments scanning. | Raise visibility to recipients that attachments were removed because of detected malware. |
| Dynamic Delivery | Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.* For details, see the Dynamic Delivery in Safe Attachments policies section later in this article. | Avoid message delays while protecting recipients from malicious files. |

* Admins can create and assign quarantine policies in Safe Attachments policies that define what users are allowed to do to quarantined messages. For more information, see Quarantine policies.

  • Redirect attachment on detection: Enable redirect and Send the attachment to the following email address: For Block, Monitor, or Replace actions, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.

    The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.

  • Apply the above selection if malware scanning for attachments times out or error occurs: The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can't complete. Always select this option if you select Enable redirect. Otherwise, messages might be lost.

  • Recipient filters: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • The recipient is
    • The recipient domain is
    • The recipient is a member of

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.
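
The recipient-filter and priority rules above, modeled as an added example (not Microsoft's code or API): it resolves which policy applies to a recipient and flags the redirect setting the text warns about. Policy names, addresses, and the group directory are constructed; exceptions are omitted, and the example assumes a lower priority number is applied first.

```python
from dataclasses import dataclass, field

GROUPS = {"finance": {"ana@contoso.com"}}  # constructed sample directory

@dataclass
class Policy:
    name: str
    priority: int            # assumption: lower number is applied first
    action: str              # Off, Monitor, Block, Replace, Dynamic Delivery
    redirect: bool = False   # "Enable redirect"
    apply_on_error: bool = False  # apply action on scan timeout/error
    recipients: set = field(default_factory=set)  # The recipient is
    domains: set = field(default_factory=set)     # The recipient domain is
    member_of: set = field(default_factory=set)   # The recipient is a member of

def matches(policy, rcpt):
    """OR inside one condition, AND across the conditions that are set."""
    rcpt = rcpt.lower()
    checks = []
    if policy.recipients:
        checks.append(rcpt in policy.recipients)
    if policy.domains:
        checks.append(rcpt.rsplit("@", 1)[-1] in policy.domains)
    if policy.member_of:
        checks.append(any(rcpt in GROUPS.get(g, ()) for g in policy.member_of))
    return bool(checks) and all(checks)

def effective_policy(policies, rcpt):
    """First match in priority order wins; unmatched recipients fall back."""
    if len({p.priority for p in policies}) != len(policies):
        raise ValueError("no two policies can have the same priority")
    for p in sorted(policies, key=lambda p: p.priority):
        if matches(p, rcpt):
            return p.name  # processing stops after the first applied policy
    return "Built-in protection"

def lint(policy):
    """Flag the two settings the text above warns about."""
    findings = []
    if policy.redirect and not policy.apply_on_error:
        findings.append("redirect without apply-on-timeout/error: messages might be lost")
    if policy.action == "Off":
        findings.append("Safe Attachments scanning is off for matched recipients")
    return findings

POLICIES = [  # constructed sample policies
    Policy("Finance strict", 0, "Block", redirect=True, member_of={"finance"}),
    Policy("Contoso default", 1, "Dynamic Delivery", domains={"contoso.com"}),
]
```

Calling `effective_policy(POLICIES, address)` for each mailbox in a pilot group shows who falls through to Built-in protection, and `lint` can be run over each policy before it is enabled.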

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

  • If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.
  • If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

  • Messages in public folders.
  • Messages that are routed out of and then back into a user's mailbox using custom rules.
  • Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.
  • Inbox rules move the message out of the Inbox into a different folder.
  • Deleted messages.
  • The user's mailbox search folder is in an error state.
  • Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see KB4014438.
  • S/MIME encrypted messages.
  • You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (depending on how the global settings for Safe Links are configured).

Submitting files for malware analysis