Safe Attachments in Microsoft Defender for Office 365

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. There is no default Safe Attachments policy, so to get the protection of Safe Attachments, you need to create one or more Safe Attachments policies. For instructions, see Set up Safe Attachments policies in Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).



| Scenario | Result |
|---|---|
| Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured. | Pat is not protected by Safe Attachments. An admin must create at least one Safe Attachments policy for Safe Attachments protection to be active. Furthermore, the conditions of the policy must include Pat if Pat is to be protected by Safe Attachments. |
| Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department. | Lee is not protected by Safe Attachments. Finance employees are protected by Safe Attachments, but sales employees (and other employees) are not. |
| Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment. | Jean is protected by Safe Attachments. Typically, it takes about 30 minutes for a new policy to take effect. |
| Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients. | Chris is protected by Safe Attachments. If the external recipients also have Safe Attachments policies in their organization, then the forwarded messages are subject to those policies. |

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Note

The following features are located in the global settings of Safe Attachments policies in the Security & Compliance Center. However, these settings are enabled or disabled globally, and don't require Safe Attachments policies:

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

  • Safe Attachments unknown malware response: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:



| Option | Effect | Use when you want to: |
|---|---|---|
| Off | Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by anti-malware protection in EOP. | Turn scanning off for selected recipients. Prevent unnecessary delays in routing internal mail. This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. |
| Monitor | Delivers messages with attachments and then tracks what happens with detected malware. Delivery of safe messages might be delayed due to Safe Attachments scanning. | See where detected malware goes in your organization. |
| Block | Prevents messages with detected malware attachments from being delivered. Messages are quarantined where only admins (not end-users) can review, release, or delete the messages. Automatically blocks future instances of the messages and attachments. Delivery of safe messages might be delayed due to Safe Attachments scanning. | Protects your organization from repeated attacks using the same malware attachments. This is the default value, and the recommended value in Standard and Strict preset security policies. |
| Replace | Removes detected malware attachments. Notifies recipients that attachments have been removed. Messages are quarantined where only admins (not end-users) can review, release, or delete the messages. Delivery of safe messages might be delayed due to Safe Attachments scanning. | Raise visibility to recipients that attachments were removed because of detected malware. |
| Dynamic Delivery | Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. For details, see the Dynamic Delivery in Safe Attachments policies section later in this article. | Avoid message delays while protecting recipients from malicious files. Enable recipients to preview attachments in safe mode while scanning is taking place. |

  • Redirect attachment on detection: Enable redirect and Send the attachment to the following email address: For Block, Monitor, or Replace actions, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.

    The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.

  • Apply the above selection if malware scanning for attachments times out or error occurs: The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can't complete. Always select this option if you select Enable redirect. Otherwise, messages might be lost.

  • Recipient filters: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • The recipient is
    • The recipient domain is
    • The recipient is a member of

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.
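
The recipient-filter and priority rules above, together with the redirect warning, modelled as an added example (this is not Microsoft's code or an export format). Assumptions: the `Policy` field names, the constructed sample tenant, that the lowest priority number is applied first, and that exceptions are left out of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    priority: int                                  # assumption: lowest number is applied first
    action: str                                    # model values: Off, Monitor, Block, Replace, DynamicDelivery
    recipients: set = field(default_factory=set)   # "The recipient is"
    domains: set = field(default_factory=set)      # "The recipient domain is"
    groups: set = field(default_factory=set)       # "The recipient is a member of"
    redirect: bool = False                         # "Enable redirect"
    apply_on_error: bool = False                   # "Apply the above selection if ... times out or error occurs"

    def matches(self, address, member_of=()):
        """Values inside one condition are ORed; the conditions that are set are ANDed."""
        address = address.lower()
        checks = []
        if self.recipients:
            checks.append(address in self.recipients)
        if self.domains:
            checks.append(address.rsplit("@", 1)[-1] in self.domains)
        if self.groups:
            checks.append(bool(self.groups & set(member_of)))
        return bool(checks) and all(checks)

def effective_policy(policies, address, member_of=()):
    """First match in priority order wins and processing stops; None means unprotected."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(address, member_of):
            return policy
    return None

def setting_findings(policy):
    """Flag the two settings the text warns about."""
    findings = []
    if policy.action == "Off":
        findings.append("scanning is off for matching recipients")
    if policy.redirect and not policy.apply_on_error:
        findings.append("redirect enabled without apply-on-error: messages might be lost")
    return findings

# Constructed sample tenant (names, addresses and groups are made up).
POLICIES = [
    Policy("Finance", 0, "Block", domains={"contoso.example"}, groups={"finance"}, redirect=True),
    Policy("Trusted intake", 1, "Off", recipients={"intake@contoso.example"}),
    Policy("Everyone", 2, "DynamicDelivery", domains={"contoso.example"}),
]

if __name__ == "__main__":
    for addr, grp in [("pat@contoso.example", ["finance"]), ("lee@contoso.example", ["sales"])]:
        p = effective_policy(POLICIES, addr, grp)
        print(addr, "->", p.name if p else "UNPROTECTED", setting_findings(p) if p else [])
```

Running `effective_policy` over a full recipient roster shows who falls through every policy, which is the situation Pat and Lee are in in the scenario table.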

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined. Only admins (not end-users) can review, release, or delete messages that were quarantined by Safe Attachments scanning. For more information, see Manage quarantined messages and files as an admin.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

  • If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.
  • If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

  • Messages in public folders.
  • Messages that are routed out of and then back into a user's mailbox using custom rules.
  • Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.
  • Inbox rules move the message out of the Inbox into a different folder.
  • Deleted messages.
  • The user's mailbox search folder is in an error state.
  • Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see KB4014438.
  • S/MIME encrypted messages.
  • You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (depending on how the global settings for Safe Links are configured).

Submitting files for malware analysis