Set up Office 365 ATP Safe Attachments policies

People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. And the last thing you want is a malicious attachment to get through, wreaking havoc for your organization. Fortunately, Office 365 Advanced Threat Protection (ATP) can help. You can set up ATP Safe Attachments policies to help ensure that your organization is protected against attacks by unsafe email attachments.

What to do

  1. Review the prerequisites

  2. Set up an ATP Safe Attachments policy

  3. Learn about ATP Safe Attachments policy options

Review the prerequisites

Set up an ATP Safe Attachments policy

You can set up an ATP Safe Attachments policy using either the Office 365 Security & Compliance Center or the Exchange admin center (EAC). We recommend using the Office 365 Security & Compliance Center.

  1. As a global administrator or security administrator, go to https://protection.office.com and sign in with your work or school account.

  2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Safe Attachments.

  3. If you see Turn on ATP for SharePoint, OneDrive, and Microsoft Teams, we recommend that you select this option. This will enable Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams for your Office 365 environment.

  4. Choose New (the New button resembles a plus sign ( +)) to start creating your policy.

  5. Specify the name, description, and settings for the policy.

    Example: To set up a policy called "no delays" that delivers everyone's messages immediately and then reattaches attachments after they're scanned, you might specify the following settings:

  • In the Name box, type no delays.

  • In the Description box, type a description like, Delivers messages immediately and reattaches attachments after scanning.

  • In the response section, choose the Dynamic Delivery option. (Learn more about dynamic delivery and previewing with ATP Safe Attachments.)

  • In the Redirect attachment section, select the option to enable redirect and type the email address of your Office 365 global administrator, security administrator, or security analyst who will investigate malicious attachments.

  • In the Applied To section, choose The recipient domain is, and then select your domain. Choose Add, and then choose OK.

  1. Choose Save.

Consider setting up multiple ATP Safe Attachments policies for your organization. These policies will be applied in the order they're listed on the ATP Safe Attachments page. After a policy has been defined or edited, allow at least 30 minutes for the polices to take effect throughout Microsoft datacenters.

Learn about ATP Safe Attachments policy options

As you set up your ATP Safe Attachments policies, you choose from among many options, including Monitor, Block, Replace, Dynamic Delivery, and so on. In case you're wondering about what these options do, the following table summarizes each and its effect.

Option Effect Use when you want to:
Off
Does not scan attachments for malware
Does not delay message delivery
Turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known, good attachments
Prevent unnecessary delays in routing internal mail
> [!IMPORTANT]> This option is not recommended for most users. It enables you to turn ATP Safe Attachments scanning off for a small group of internal senders.
Monitor
Delivers messages with attachments and then tracks what happens with detected malware
See where detected malware goes in your organization
Block
Prevents messages with detected malware attachments from proceeding
Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages
Blocks future messages and attachments automatically
Safeguard your organization from repeated attacks using the same malware attachments
Replace
Removes detected malware attachments
Notifies recipients that attachments have been removed
Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages
Raise visibility to recipients that attachments were removed because of detected malware
Dynamic Delivery
Delivers messages immediately
Replaces attachments with a placeholder file until scanning is complete, and then reattaches the attachments if no malware is detected
Includes attachment previewing capabilities for most PDFs and Office files during scanning
Sends messages with detected malware to Quarantine where a security administrator or analyst can review and release (or delete) those messages
Learn about dynamic delivery and previewing with ATP Safe Attachments
Avoid message delays while protecting recipients from malicious files
Enable recipients to preview attachments in safe mode while scanning is taking place
Enable redirect
Applies when the Monitor, Block, or Replace option is chosen
Sends attachments to a specified email address where security administrators or analysts can investigate
Enable security administrators and analysts to research suspicious attachments

Office 365 Advanced Threat Protection

ATP Safe Attachments in Office 365

ATP Safe Links in Office 365

Set up ATP Safe Links policies in Office 365

View the reports for Advanced Threat Protection

Permissions in the Office 365 Security & Compliance Center