On Day 27 of Cybersecurity Awareness Month, discover how Safe Attachments in Microsoft 365 Defender can be utilized to boost your organization’s security. Stay tuned for more blogs in our M365 Cybersecurity blog series.

Have you heard about the recent phishing campaign that began in late August 2023? In this attack, cybercriminals used Microsoft Teams messages to distribute the DarkGate Loader malware. They employed two compromised external Office 365 accounts to send phishing messages to various organizations. These messages tricked recipients into opening a harmful attachment named ‘Changes to the vacation schedule.’

Indeed, it’s alarming! We can’t ignore the risks associated with the attachments we share and access daily in the digital realm. These attachments can become weapons for hackers to exploit in attacks on organizations.

Let’s face it: the future is now. We are already living in a cyber society, so we need to stop ignoring it or pretending that it is not affecting us.

– Marco Ciapelli

As Marco says, we need to face cyber attacks. Though we can’t defend against and prevent every attack, it’s essential to bolster our primary defenses. This is where Safe Attachments in Microsoft 365 Defender steps in to protect against these threats. Let’s dive into the world of Safe Attachments in Microsoft Defender and discover its key role in Microsoft 365, along with the best ways to use it.


Safe Attachments in Microsoft 365 Defender

Safe Attachments is a supplementary safeguard within Microsoft 365 Defender designed to protect attachments and enhance email security. Email attachments first undergo scanning by the anti-malware protection in Exchange Online. Safe Attachments then uses a virtual environment to perform a secondary inspection of those attachments, ensuring they are secure before they reach their intended recipients.

Notably, there is no predefined policy for Safe Attachments. However, the preset security policies in EOP come with a built-in protection feature that extends Safe Attachments protection to all users. This means that even users who are not explicitly added to the Strict and Standard preset security policies or to custom Safe Attachments policies still benefit from this added layer of security.

Safe Attachments has evolved beyond its initial role in email protection. It is now accessible in several critical domains, expanding its protective capabilities to:

  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Exchange Online

These integrations represent an enhancement of Safe Attachments’ coverage, ensuring a comprehensive layer of security across various Microsoft 365 services beyond just email protection.


Safe Attachments Policies in Microsoft 365

It’s important to recognize that though built-in protection offers a basic security level, custom policies are often necessary. These custom policies are crucial for aligning security measures with an organization’s specific requirements, risk profile, and compliance standards, thereby enhancing protection and adaptability. Now, let’s delve into the following settings, which are essential for creating Safe Attachments policies:

  • Users & Groups: Specify users and groups in Safe Attachments policies to expedite email delivery and ensure exclusive access to sensitive documents only for authorized personnel.
  • Safe Attachments Unknown Malware Response:
    • Off: Disabling Safe Attachments bypasses malware scans, expediting internal email delivery for swift document exchange among trusted colleagues.
      NOTE: Microsoft does not recommend disabling Safe Attachments policies, as it will impact Zero-hour Auto Purge in Exchange Online, preventing message quarantine.
    • Monitor: Select this option to investigate malware behavior, allowing message delivery with attachments and tracking malware activity.
    • Block: This option prevents delivery of messages with malware attachments, guarding against recurring attacks.
    • Dynamic Delivery: It enables quick message delivery with attachment placeholders until Safe Attachments scanning finishes. Malicious attachments are quarantined, and admins can manage quarantined malicious attachments by default.
  • Redirect Messages with detected attachments: When the ‘Monitor’ option is chosen in ‘Safe Attachments unknown malware response,’ admins can send messages with malware attachments to a designated email address for investigation.
  • Priority: Microsoft offers policy prioritization when creating multiple policies depending on the order and precedence of email protection. Policies cannot have the same priority level, and processing stops after the first policy is applied.

NOTE: The Safe Attachments policy settings discussed above are exclusive to Safe Attachments protection for email messages.


Safe Attachments for SharePoint, OneDrive and Microsoft Teams

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is a global feature that can be enabled or disabled without the need for Safe Attachments policies.

Safe Attachments strengthens security in SharePoint Online, OneDrive, and Microsoft Teams through proactive identification and blocking of malicious files. This involves an initial step of asynchronous scanning using Microsoft 365’s virus detection engine, followed by the files being opened in a secure virtual environment for further analysis.


How Does Safe Attachments in Microsoft 365 Increase Security?

Get to know how Safe Attachments in Microsoft Defender enhances email security and helps to secure other Microsoft 365 services as well. Let’s explore the real-life scenarios for various services listed below.

Microsoft 365 Email Security:

  1. Phishing email with malicious attachment: An employee receives an email that appears to be from their bank, but it contains an attachment with a banking Trojan. Safe Attachments detects the malicious attachment and blocks it, preventing a potential financial breach.
  2. New ransomware variant: Locky, a well-known ransomware, spreads through malicious email attachments, encrypting victims’ files and demanding a ransom for decryption. Safe Attachments analyzes attachments in real time, including those with the new ransomware variant, safeguarding employees from zero-day threats.
  3. Remote work security: As employees work from home or use personal devices for work, they may be more susceptible to email threats. Safe Attachments ensures that their email attachments are scanned and protected, regardless of their location or device.
  4. High-volume email traffic: In organizations with high email traffic, Safe Attachments policies ensure that all attachments are scanned in real time to detect and block potential threats, while the Dynamic Delivery feature avoids delays in email delivery.
  5. Supply chain attacks: Emails containing attachments from third-party suppliers or vendors can be a source of supply chain attacks. Safe Attachments can scan and protect against such threats to the organization.


Microsoft 365 Security (SharePoint, OneDrive, and Microsoft Teams)

  1. Malicious file upload in Microsoft Teams: A user’s attempt to upload a file with a hidden malware payload in a Microsoft Teams channel poses a security threat to the platform and its users. However, Safe Attachments scans the file in real time and blocks it, thereby preventing the malware from spreading within the team.
  2. Suspicious file sharing in SharePoint Online: In a SharePoint document library, Safe Attachments checks files for malware or suspicious content before allowing or blocking the sharing action with external collaborators.
  3. Infected file in OneDrive: If an employee unintentionally uploads a malware-infected document to their OneDrive, Safe Attachments quickly identifies the threat, isolates the file, and alerts the user about the security risk.
  4. Password-protected files in SharePoint: Password-protected files stored in a SharePoint document library are subjected to Safe Attachments’ scrutiny, where they are checked against known passwords and threat actor patterns to ensure they are secure for access.
  5. Phishing email with SharePoint link: An employee receives an email containing a seemingly legitimate link to a SharePoint document. Safe Attachments, in conjunction with Safe Links, checks the link’s destination for any malicious content and blocks access if it’s a phishing attempt.


Best Practices for Safe Attachments in Microsoft 365 Defender to Maximize Protection

Safe Attachments in Microsoft 365 Defender is a valuable security feature that helps protect your organization from malicious email attachments. To maximize security when using Safe Attachments, consider implementing the following best practices:

  1. Ensure that Safe Attachments is enabled for SharePoint, OneDrive and Microsoft Teams
  2. Optimize email security with custom Safe Attachments policies in Microsoft Defender
  3. Use Dynamic Delivery in Safe Attachment policies to reduce email delays
  4. Safeguard against malicious downloads with SharePoint Online PowerShell
  5. Implement proactive security: create alert policies for detected malicious files
  6. Test custom Safe Attachments policies for security without disruption


1. Ensure that Safe Attachments is enabled for SharePoint, OneDrive and Microsoft Teams

It’s essential to activate Safe Attachments for SharePoint, OneDrive and Microsoft Teams to enhance data security in the organization. Please note that this feature is not enabled by default in Microsoft 365. So, navigate through the path below to enable Safe Attachments for SharePoint, OneDrive and Microsoft Teams.

Microsoft 365 Defender 🡢 Email & collaboration 🡢 Policies & rules 🡢 Threat policies 🡢 Policies 🡢 Safe Attachments 🡢 Global settings

Enabling Safe Attachments across these platforms will bolster your defenses against threats. For an automated approach with precise control, use the Set-AtpPolicyForO365 cmdlet, which allows you to activate Safe Attachments for SharePoint Online, OneDrive, and Microsoft Teams. To get started, connect to Exchange Online PowerShell and execute the command below.
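
One way to apply the setting with Set-AtpPolicyForO365, reading the current value first and confirming it afterwards. This is an added example, not the original post's command; the admin account name is a placeholder.

```powershell
# Added example (not from the original post). admin@contoso.com is a placeholder.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Read the tenant-wide setting first so the change is visible in the transcript.
$before = Get-AtpPolicyForO365
"Safe Attachments for SharePoint/OneDrive/Teams before: $($before.EnableATPForSPOTeamsODB)"

if (-not $before.EnableATPForSPOTeamsODB) {
    # Turn on Safe Attachments for SharePoint, OneDrive and Microsoft Teams.
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# Confirm the value that is now stored.
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

Disconnect-ExchangeOnline -Confirm:$false
```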


2. Optimize Email Security with Custom Safe Attachments Policies in Microsoft Defender

While preset security policies in Microsoft 365 Defender offer Safe Attachments protection, it’s vital to set up custom Safe Attachment policies in Microsoft 365 for tightened email security. These tailored policies mandate advanced analysis and sandboxing for specific file types or categories. They can be applied to user groups or situations where sensitive files are encountered, proactively safeguarding critical data and reducing security risks.


3. Use Dynamic Delivery in Safe Attachments Policies to Reduce Email Delays

Enabling dynamic delivery in Microsoft 365 Defender’s Safe Attachments is a crucial security practice. It accelerates email delivery by using attachment placeholders, ensuring quick access for users and reducing interruptions. Harmful attachments are instantly quarantined for enhanced security and data protection.
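
The policy settings described earlier (recipients, unknown malware response, redirect, priority) map onto Exchange Online PowerShell cmdlets as shown here. This is an added example, not from the original post; the policy names, group addresses and redirect mailbox are placeholders.

```powershell
# Added example (not from the original post). All names and addresses are placeholders.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Policy 1: Dynamic Delivery. The message body arrives immediately and the
# attachment is replaced by a placeholder until scanning finishes.
$ddPolicy = @{
    Name   = 'SA-DynamicDelivery'
    Enable = $true
    Action = 'DynamicDelivery'
}
New-SafeAttachmentPolicy @ddPolicy

# A policy only applies once a rule ties it to recipients (Users & Groups).
$ddRule = @{
    Name                 = 'SA-DynamicDelivery'
    SafeAttachmentPolicy = 'SA-DynamicDelivery'
    SentToMemberOf       = 'finance@contoso.com'
    Priority             = 0          # 0 is evaluated first
}
New-SafeAttachmentRule @ddRule

# Policy 2: Monitor mode for a pilot group. 'Allow' is the cmdlet value for
# Monitor: messages are delivered and results are tracked, so keep the scope small.
$monPolicy = @{
    Name            = 'SA-Monitor-Pilot'
    Enable          = $true
    Action          = 'Allow'
    Redirect        = $true
    RedirectAddress = 'secops@contoso.com'   # mailbox used for investigation
}
New-SafeAttachmentPolicy @monPolicy

$monRule = @{
    Name                 = 'SA-Monitor-Pilot'
    SafeAttachmentPolicy = 'SA-Monitor-Pilot'
    SentToMemberOf       = 'sa-pilot@contoso.com'
    Priority             = 1
}
New-SafeAttachmentRule @monRule

# Review the result: rules in evaluation order, then each policy's action.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Name, State, Priority, SafeAttachmentPolicy, SentToMemberOf
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action, Redirect, RedirectAddress
```

Because processing stops at the first matching policy, a recipient who belongs to both groups is handled by the priority 0 rule only.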


4. Safeguard against Malicious Downloads with SharePoint Online PowerShell

Safe Attachments in Microsoft 365 Defender protects users from opening, moving, copying, or sharing malicious files by default. However, users can still delete and download files that have been detected as infected.

To prevent users from downloading malicious files, connect to SharePoint Online PowerShell and run the following command:
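
An added example (not the original post's command) that checks and sets the tenant setting from the SharePoint Online Management Shell; the admin center URL is a placeholder.

```powershell
# Added example (not from the original post). The admin URL is a placeholder.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Show the current tenant setting before changing it.
$tenant = Get-SPOTenant
"DisallowInfectedFileDownload before: $($tenant.DisallowInfectedFileDownload)"

if (-not $tenant.DisallowInfectedFileDownload) {
    # Block downloads of files that have been detected as malicious.
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# Confirm the stored value.
Get-SPOTenant | Select-Object DisallowInfectedFileDownload

Disconnect-SPOService
```

The setting applies to admins as well as users, and detected files can still be deleted.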

Thus, you can stop infected file downloads from SharePoint Online using this PowerShell method.


5. Implement Proactive Security: Create Alert Policies for Detected Malicious Files

Creating alert policies for detecting malicious files by Safe Attachments in SharePoint, OneDrive, and Microsoft Teams is an essential best practice. These platforms form the foundation for communication and personal data storage, thereby making these policies a necessity rather than an option. They facilitate quick incident response and enhance the overall security of these services.


6. Test Custom Safe Attachment Policies for Security Without Disruption

It is vital to thoroughly test custom Safe Attachment policies to ensure they perform as intended. This testing phase is essential as it helps prevent potential disruptions to workflows and minimizes the likelihood of an increase in help-desk calls resulting from policy implementation.


In a nutshell, implementing Microsoft 365 Defender Safe Attachments in your organization is a critical step to enhance security. Furthermore, by adhering to the Microsoft Teams security measures you can ensure comprehensive protection. Additionally, adopting best security practices for email fortifies email security. I hope this blog has provided you with valuable insights into how Safe Attachments enhances Microsoft 365 security. If you have any questions or concerns, please reach out through the comments section.