Safe Attachments SHALL Be Enabled

Description

The Safe Attachments will scan messages for attachments with malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment. The process then uses machine learning and analysis techniques to detect malicious intent. Enabling this feature may slow down message delivery to the user due to the scanning.

Policy

  • At least one Safe Attachments Policy SHALL include all agency domains—and by extension—all users.

  • The action for malware in email attachments SHALL be set to block.

  • Redirect emails with detected attachments to an agency-specified email SHOULD be enabled.

Licensing Considerations

This setting requires Defender for Office 365 Plan 1 or Plan 2 which can be purchased standalone or as part of the following bundles:

  • Defender for Office 365 Plan 1/2

  • Microsoft 365 Business Premium

  • Office 365 E5/A5/G5

  • Microsoft 365 E5/A5/G5

  • Microsoft 365 E5/A5/G5 Information Protection and Governance

  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

Set Up Instructions

Safe Attachments - Office 365 | Microsoft Learn

Set up Safe Attachments policies in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn

To configure safe attachments for Exchange Online, follow the instructions listed on Use the Microsoft 365 Defender portal to create Safe Attachments policies.

  1. Sign in to Microsoft 365 Defender.

  2. Under Email & collaboration, select Policies & rules.

  3. Select Threat policies.

  4. Under Policies, select Safe Attachments.

  5. Click Create to start a new policy.

  6. Give the new policy an appropriate name and description.

  7. Under domains, enter all organization tenant domains. All users under these domains will be added to the policy.

  8. Under Safe Attachments unknown malware response, select Block.

    Set the Quarantine policy to AdminOnlyAccessPolicy.

  9. Click Next, then Submit.

End-User Impact

Level: Medium

With this setting in place, there may be some latency in email flow while the attachment is being scanned before delivery. If the attachment is found to be malicious, the email will be blocked from sending.

Tips

None Currently

PowerShell Scripts

Set up Safe Attachments policies in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn

Security/ATP Implementation.ps1 at master · msp4msps/Security (github.com)

Videos

PreviousSafe Link Policies SHOULD Be EnabledNextIP Allow Lists SHOULD NOT be Implemented

Last updated