Safe Attachments in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Attachments policies that apply to specific users, group, or domains. For instructions, see Set up Safe Attachments policies in Microsoft Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).

Scenario Result
Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured. Pat is protected by Safe Attachments due to the Built-in protection preset security policy that applies to all recipients who aren't otherwise defined in Safe Attachments policies.
Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department. Lee and the rest of the sales department are protected by Safe Attachments due to the Built-in protection preset security policy that applies to all recipients who aren't otherwise defined in Safe Attachments policies.
Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment. Jean is protected by Safe Attachments due to that custom Safe Attachments policy.

Typically, it takes about 30 minutes for a new policy to take effect.
Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients. Chris is protected by Safe Attachments.

If the external recipients are in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments.

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Note

The following features are located in the global settings of Safe Attachments policies in the Microsoft Defender portal. But, these settings are enabled or disabled globally, and don't require Safe Attachments policies:

Tip

As a companion to this article, see our Microsoft Defender for Office 365 setup guide to review best practices and to protect against email, link, and collaboration threats. Features include Safe Links, Safe Attachments, and more. For a customized experience based on your environment, you can access the Microsoft Defender for Office 365 automated setup guide in the Microsoft 365 admin center.

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

  • Recipient filters: Conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required. You can use the following recipient filters for conditions and exceptions:

    • Users: One or more mailboxes, mail users, or mail contacts in the organization.
    • Groups:
      • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
      • The specified Microsoft 365 Groups.
    • Domains: One or more of the configured accepted domains in Microsoft 365. The recipient's primary email address is in the specified domain.

    You can use a condition or exception only once, but the condition or exception can contain multiple values:

    • Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>):

      • Conditions: If the recipient matches any of the specified values, the policy is applied to them.
      • Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.
    • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.

    • Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:

    • Users: [email protected]

    • Groups: Executives

      The policy is applied to [email protected] only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.

  • Safe Attachments unknown malware response: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:

    Option Effect Use when you want to:
    Off Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by anti-malware protection in EOP. Turn scanning off for selected recipients.

    Prevent unnecessary delays in routing internal mail.

    This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP will not quarantine messages if Safe Attachments is turned off and a malware signal is not received. For details, see Zero-hour auto purge
    Monitor Delivers messages with attachments and then tracks what happens with detected malware.

    Delivery of safe messages might be delayed due to Safe Attachments scanning.
    See where detected malware goes in your organization.
    Block Prevents messages with detected malware attachments from being delivered.

    Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹

    Automatically blocks future instances of the messages and attachments.

    Delivery of safe messages might be delayed due to Safe Attachments scanning.
    Protects your organization from repeated attacks using the same malware attachments.

    This is the default value, and the recommended value in Standard and Strict preset security policies.
    Dynamic Delivery Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete.

    Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹

    For details, see the Dynamic Delivery in Safe Attachments policies section later in this article.
    Avoid message delays while protecting recipients from malicious files.

    ¹ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy. Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

  • Redirect messages with detected attachments: Enable redirect and Send messages that contain monitored attachments to the specified email address: For the Monitor action only, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.

    The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.

  • Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied (the highest priority policy for that recipient).

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

  • If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.
  • If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

  • Messages in public folders.
  • Messages that are routed out of and then back into a user's mailbox using custom rules.
  • Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.
  • Inbox rules move the message out of the Inbox into a different folder.
  • Deleted messages.
  • The user's mailbox search folder is in an error state.
  • Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see KB4014438.
  • S/MIME) encrypted messages.
  • You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (if Safe Links scanning of support Office apps is turned on in the applicable Safe Links policy).

Submitting files for malware analysis