Set up Office 365 ATP Safe Attachments policies
- 4 minutes to read
-
Contributors
People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. And the last thing you want is a malicious attachment to get through, wreaking havoc for your organization. Fortunately, Office 365 Advanced Threat Protection (ATP) can help. You can set up ATP Safe Attachments policies to help ensure that your organization is protected against attacks by unsafe email attachments.
What to do
Review the prerequisites
Set up an ATP Safe Attachments policy
Learn about ATP Safe Attachments policy options
Step 1: Review the prerequisites
Make sure that your organization has Office 365 Advanced Threat Protection.
Make sure that you have the necessary permissions. To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:
Role Where/how assigned Office 365 Global Administrator The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.) Security Administrator Azure Active Directory admin center (https://aad.portal.azure.com) Exchange Online Organization Management Exchange admin center (https://outlook.office365.com/ecp)
or
PowerShell cmdlets (See Exchange Online PowerShell)To learn more about roles and permissions, see Permissions in the Office 365 Security & Compliance Center.
Learn about ATP Safe Attachments policy options (in this article). Some options, such as the Monitor or Replace options, can result in a minor delay of email while attachments are scanned. To avoid message delays, consider using Dynamic Delivery and previewing.
Allow up to 30 minutes for your new or updated policy to spread to all Office 365 datacenters.
Step 2: Set up (or edit) an ATP Safe Attachments policy
Go to https://protection.office.com and sign in with your work or school account.
In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Safe Attachments.
If you see Turn on ATP for SharePoint, OneDrive, and Microsoft Teams, we recommend that you select this option. This will enable Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams for your Office 365 environment.
Choose New (the New button resembles a plus sign ( +)) to start creating your policy.
Specify the name, description, and settings for the policy.
Example: To set up a policy called "no delays" that delivers everyone's messages immediately and then reattaches attachments after they're scanned, you might specify the following settings:In the Name box, type no delays.
In the Description box, type a description like, Delivers messages immediately and reattaches attachments after scanning.
In the response section, choose the Dynamic Delivery option. (Learn more about Dynamic Delivery and previewing with ATP Safe Attachments.)
In the Redirect attachment section, select the option to enable redirect and type the email address of your Office 365 global administrator, security administrator, or security analyst who will investigate malicious attachments.
In the Applied To section, choose The recipient domain is, and then select your domain. Choose Add, and then choose OK.
Choose Save.
Consider setting up multiple ATP Safe Attachments policies for your organization. These policies will be applied in the order they're listed on the ATP Safe Attachments page. After a policy has been defined or edited, allow at least 30 minutes for the polices to take effect throughout Microsoft datacenters.
Step 3: Learn about ATP Safe Attachments policy options
As you set up your ATP Safe Attachments policies, you choose from among many options, including Monitor, Block, Replace, Dynamic Delivery, and so on. In case you're wondering about what these options do, the following table summarizes each and its effect.
| Option | Effect | Use when you want to: |
|---|---|---|
| Off |
Does not scan attachments for malware Does not delay message delivery |
Turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known, good attachments Prevent unnecessary delays in routing internal mail This option is not recommended for most users. It enables you to turn ATP Safe Attachments scanning off for a small group of internal senders. |
| Monitor |
Delivers messages with attachments and then tracks what happens with detected malware |
See where detected malware goes in your organization |
| Block |
Prevents messages with detected malware attachments from proceeding Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages Blocks future messages and attachments automatically |
Safeguard your organization from repeated attacks using the same malware attachments |
| Replace |
Removes detected malware attachments Notifies recipients that attachments have been removed Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages |
Raise visibility to recipients that attachments were removed because of detected malware |
| Dynamic Delivery |
Delivers messages immediately Replaces attachments with a placeholder file until scanning is complete, and then reattaches the attachments if no malware is detected Includes attachment previewing capabilities for most PDFs and Office files during scanning Sends messages with detected malware to Quarantine where a security administrator or analyst can review and release (or delete) those messages Learn about Dynamic Delivery and previewing with ATP Safe Attachments |
Avoid message delays while protecting recipients from malicious files Enable recipients to preview attachments in safe mode while scanning is taking place |
| Enable redirect |
Applies when the Monitor, Block, or Replace option is chosen Sends attachments to a specified email address where security administrators or analysts can investigate |
Enable security administrators and analysts to research suspicious attachments |
Next steps
Once your ATP Safe Attachments policies are in place, you can see how ATP is working for your organization by viewing reports. See the following resources to learn more:
- View reports for Office 365 Advanced Threat Protection
- Use Explorer in the Security & Compliance Center
Stay on top of new features coming to ATP. visit the Microsoft 365 Roadmap and learn about new features that are being added to ATP.
Feedback
Send feedback about:
Loading feedback...