Safe Attachments - Microsoft Defender for Office 365 (2024)

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Attachments policies that apply to specific users, group, or domains. For instructions, see Set up Safe Attachments policies in Microsoft Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

• Recipient filters: Conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required. You can use the following recipient filters for conditions and exceptions:

  • Users: One or more mailboxes, mail users, or mail contacts in the organization.
  • Groups:
    • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
    • The specified Microsoft 365 Groups.
  • Domains: One or more of the configured accepted domains in Microsoft 365. The recipient's primary email address is in the specified domain.

  You can use a condition or exception only once, but the condition or exception can contain multiple values:

  • Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>):

    • Conditions: If the recipient matches any of the specified values, the policy is applied to them.
    • Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.

  • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.

    See Also

    Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Microsoft Defender for Office 365

  • Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:

  • Users: [email protected]

  • Groups: Executives

    The policy is applied to [email protected] only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.

• Safe Attachments unknown malware response: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:

  Option	Effect	Use when you want to:
  Off	Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by anti-malware protection in EOP.	Turn scanning off for selected recipients. Prevent unnecessary delays in routing internal mail. This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP will not quarantine messages if Safe Attachments is turned off and a malware signal is not received. For details, see Zero-hour auto purge
  Monitor	Delivers messages with attachments and then tracks what happens with detected malware. Delivery of safe messages might be delayed due to Safe Attachments scanning.	See where detected malware goes in your organization.
  Block	Prevents messages with detected malware attachments from being delivered. Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹ Automatically blocks future instances of the messages and attachments. Delivery of safe messages might be delayed due to Safe Attachments scanning.	Protects your organization from repeated attacks using the same malware attachments. This is the default value, and the recommended value in Standard and Strict preset security policies.
  Dynamic Delivery	Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹ For details, see the Dynamic Delivery in Safe Attachments policies section later in this article.	Avoid message delays while protecting recipients from malicious files.

  ¹ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy. Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

• Redirect messages with detected attachments: Enable redirect and Send messages that contain monitored attachments to the specified email address: For the Monitor action only, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.

  The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.

• Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied (the highest priority policy for that recipient).

  For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.

Dynamic Delivery in Safe Attachments policies

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

• If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.
• If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

• Messages in public folders.
• Messages that are routed out of and then back into a user's mailbox using custom rules.
• Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.
• Inbox rules move the message out of the Inbox into a different folder.
• Deleted messages.
• The user's mailbox search folder is in an error state.
• Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see KB4014438.
• S/MIME) encrypted messages.
• You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (if Safe Links scanning of support Office apps is turned on in the applicable Safe Links policy).

Submitting files for malware analysis

• If you receive a file that you want to send to Microsoft for analysis, see Submit malware and non-malware to Microsoft for analysis.
• If you receive an email message (with or without an attachment) that you want to submit to Microsoft for analysis, see Report messages and files to Microsoft.