Office 365 ATP Safe Attachments

Overview of Office 365 ATP Safe Attachments

ATP Safe Attachments (along with ATP Safe Links) is part of Office 365 Advanced Threat Protection (ATP). The ATP Safe Attachments feature checks to see if email attachments are malicious, and then takes action to protect your organization. The ATP Safe Attachments feature protects your organization according to ATP Safe Attachments policies that are set by your Office 365 global or security administrators.

ATP protection can also be extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams. To learn more, see Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams.

How it works

The ATP Safe Attachments feature checks email attachments for people in your organization. When an ATP Safe Attachments policy is in place and someone covered by that policy views their email in Office 365, their email attachments are checked and appropriate actions are taken, based on your ATP Safe Attachments policies. Depending on how your policies are defined, people can continue working without ever knowing they were sent malicious files.

Here are two examples of ATP Safe Attachments at work.

  • Example 1: Email attachment. Suppose that Lee receives an email message that has an attachment. It is not obvious to Lee whether that attachment is safe or actually contains malware designed to steal Lee's user credentials. In Lee's organization, a security administrator defined an ATP Safe Attachments policy a few days ago. With the ATP Safe Attachments feature, the email attachment is opened and tested in a virtual environment before Lee receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will open as expected when Lee clicks on it.

  • Example 2: File in SharePoint Online. Suppose that Jean received a file and uploaded it into a library in SharePoint Online. Jean shares the link to the file with the rest of the team, not knowing that the file is actually malicious. Fortunately, ATP for SharePoint, OneDrive, and Microsoft Teams detects the malicious file and blocks it. A few days later, Chris goes to open the document. Although Chris can see the file is there, Chris cannot open or share it, which protects Chris's computer and others from the malicious file.

ATP Safe Attachments scanning takes place in the same region where your Office 365 data resides. For more information about data center geography, see Where is your data located?

ATP Safe Attachments policies can be applied to specific people or groups in your organization, or to your entire domain. In addition, ATP Safe Attachments policies can be configured to use placeholder attachments while actual attachments are being scanned. To learn more, see Set up ATP Safe Attachments policies in Office 365.

How to get ATP Safe Attachments

First, make sure your subscription includes Advanced Threat Protection. ATP is included in subscriptions such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, Office 365 Education A5, etc. If your organization has an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see Office 365 Advanced Threat Protection plans and pricing and the Office 365 Advanced Threat Protection Service Description.

Next, make sure your ATP Safe Attachments policies are defined. (See Set up Office 365 ATP Safe Attachments policies) ATP Safe Attachments features are active when:

To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:

| Role | Where/how assigned |
|---|---|
| Office 365 Global Administrator | The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.) |
| Security Administrator | Azure Active Directory admin center (https://aad.portal.azure.com) |
| Exchange Online Organization Management | Exchange admin center (https://outlook.office365.com/ecp) or PowerShell cmdlets (See Exchange Online PowerShell) |

How to know if ATP Safe Attachments protection is in place

After you have defined (or reviewed) your ATP Safe Attachments policies, one good way to see how the service is working is by viewing reports for Advanced Threat Protection.

The following table describes some example scenarios. In all of these cases, we assume the organization has an Office 365 subscription that includes Advanced Threat Protection.

| Example scenario | Does ATP Safe Attachments protection apply in this case? |
|---|---|
| Pat's organization has Office 365 Enterprise E5, but no one has defined any policies for ATP Safe Attachments yet. | No. Although the feature is available, at least one ATP Safe Attachments policy must be defined in order for ATP Safe Attachments protection to be in place. |
| Lee is an employee in the sales department at Contoso. Lee's organization has an ATP Safe Attachments policy in place that applies to finance employees only. | No. In this case, finance employees would have ATP Safe Attachments protection, but other employees, including the sales department, would not until policies that include those groups are defined. |
| Yesterday, an Office 365 administrator at Jean's organization set up an ATP Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that includes an attachment. | Yes. In this example, Jean has a license for Advanced Threat Protection, and an ATP Safe Attachments policy that includes Jean has been defined. It typically takes about 30 minutes for a new policy to take effect across datacenters; since a day has passed in this case, the policy should be in effect. |
| Chris's organization has Office 365 Enterprise E5 with ATP Safe Attachments policies in place for everyone in the organization. Chris receives an email that has an attachment, and forwards the message to others who are outside the organization. | ATP Safe Attachments protection is in place for messages that Chris receives. If the recipients' organizations also have ATP Safe Attachments policies in place, then the message that Chris forwards would be subject to those policies when the forwarded message arrives. |
| Jamie's organization has ATP Safe Attachments policies in place, and ATP for SharePoint, OneDrive, and Microsoft Teams has been turned on. Jamie assumes that every file in SharePoint Online has been scanned and is safe to open or download. | ATP Safe Attachments protection is in place according to the policies that are defined; however, this does not mean that every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams is scanned. (To learn more, see ATP for SharePoint, OneDrive, and Microsoft Teams.) |
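
The first two scenarios above (no policy defined, or a policy scoped to a different group) can be checked from Exchange Online PowerShell. The script below is an added example, not part of the original documentation; it assumes an Exchange Online PowerShell session is already connected, and the recipient address is a constructed sample. Group-based scope is listed for manual review rather than resolved.

```powershell
# Added example: audit Safe Attachments coverage for one mailbox.
# Assumes an Exchange Online PowerShell session is already connected.
# $Recipient is a constructed sample; use the mailbox's primary SMTP address.
$Recipient = 'lee@contoso.com'
$domain    = $Recipient.Split('@')[1]

$policies = @(Get-SafeAttachmentPolicy)
$rules    = @(Get-SafeAttachmentRule | Sort-Object Priority)

# Scenario "no policies defined yet": nothing is bound to any recipient.
if ($rules.Count -eq 0) {
    Write-Warning 'No Safe Attachments rules are defined; no mailbox is in scope.'
}

$report = foreach ($rule in $rules) {
    # Each rule carries the recipient conditions for the policy it names.
    $policy = $policies | Where-Object { $_.Name -eq $rule.SafeAttachmentPolicy }

    # Address and domain conditions can be decided from the rule itself.
    $byAddress = @($rule.SentTo) -contains $Recipient
    $byDomain  = @($rule.RecipientDomainIs) -contains $domain
    $excluded  = (@($rule.ExceptIfSentTo) -contains $Recipient) -or
                 (@($rule.ExceptIfRecipientDomainIs) -contains $domain)

    [pscustomobject]@{
        Rule          = $rule.Name
        Priority      = $rule.Priority
        State         = $rule.State      # Enabled or Disabled
        Action        = $policy.Action   # action the policy takes on attachments
        MatchesDirect = ($byAddress -or $byDomain) -and -not $excluded
        GroupsToCheck = ($rule.SentToMemberOf -join '; ')
    }
}

$report | Format-Table -AutoSize

# Scenario "policy applies to another group only": no enabled rule matches.
$covered = $report | Where-Object { $_.State -eq 'Enabled' -and $_.MatchesDirect }
if (-not $covered) {
    Write-Warning "$Recipient is not matched by address or domain in any enabled rule; review membership of the groups listed under GroupsToCheck."
}
```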

Submitting files for malware analysis