View information about malicious files detected in SharePoint, OneDrive, or Microsoft Teams

Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams protects your organization from malicious files in document libraries and team sites. When a malicious file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. Read this article to learn how to view information about detected files and what actions to take.

Tip

In order to perform the tasks described in this article, you must have the necessary permissions assigned in the Office 365 Security & Compliance Center.

View reports with information about detected files

To view status and detailed information about files that were detected by Office 365 ATP, you can use the Threat protection status report.

  1. In the Office 365 Security & Compliance Center, choose Reports > Dashboard > Threat protection status.

  2. In the upper right corner of the report, choose View details table.

  3. View the list of files that were detected in the report.

  4. Select an item in the list to view detailed information, including actions taken, the file name, the file path, and more.

  5. Choose the Advanced Analysis tab to view information, such as observed behavior and analysis details.

Tip

To learn more about available reports, see View reports for Office 365 Advanced Threat Protection.

View and take action on files in quarantine

  1. In the Office 365 Security & Compliance Center, choose Threat management > Review > Quarantine.

  2. In the upper left corner, change the filter from Email to Content.

  3. Select an item in the list to view detailed information, including the file's URL.

  4. Choose an available action.

  • Choose Release & report to unblock the file.

    Select Send report to Microsoft to report the file as a false positive to Microsoft.

  • Choose Download file to investigate the file further.

  • Choose Delete to remove the file from the list of quarantined items. If you choose this option, you must also delete the file from its respective library in SharePoint Online, OneDrive for Business, or Microsoft Teams. This option does not unblock a file from being opened or shared.

  1. Choose Close to close the details for a selected item.

Tip

To learn more about managing quarantined files, see Manage quarantined messages and files as an administrator in Office 365.

Office 365 Advanced Threat Protection

View the reports for Office 365 Advanced Threat Protection

Permissions in the Office 365 Security & Compliance Center