Safe Attachments - Microsoft Defender for Office 365 (original) (raw)

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by Anti-malware protection. Specifically, Safe Attachments uses a virtual environment to check attachments in email messages for harmful attachments (for example, malware, ransomware, and phishing) before they're delivered to recipients (a process known as detonation).

Tip

Typically, email attachment scanning completes within 15 minutes. Sometimes, it takes longer due to retry delays and processing time to analyze the file in the virtual environment.

Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies. You can also create Safe Attachments policies that apply to specific users, group, or domains. For instructions, see Set up Safe Attachments policies in Microsoft Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).

Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see Where is your data located?

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

• Recipient filters: Conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required. You can use the following recipient filters for conditions and exceptions:
  • Users: One or more mailboxes, or mail users in the organization.
  • Groups:
    * Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
    * The specified Microsoft 365 Groups (dynamic membership groups in Microsoft Entra ID aren't supported).
  • Domains: One or more of the configured accepted domains in Microsoft 365. The recipient's primary email address is in the specified domain.
    You can use a condition or exception only once, but the condition or exception can contain multiple values:
  • Multiple values of the same condition or exception use OR logic (for example, or ):
    * Conditions: If the recipient matches any of the specified values, the policy is applied to them.
    * Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.
  • Different types of exceptions use OR logic (for example, or or ). If the recipient matches any of the specified exception values, the policy isn't applied to them.
  • Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
  • Users: romain@contoso.com
  • Groups: Executives
    The policy is applied to romain@contoso.com only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.
• Safe Attachments unknown malware response: This setting controls the action for Safe Attachments threat scanning in email messages. The available options are described in the following table:

  Option	Effect	Use when you want to:
  Off	Attachments aren't scanned for threats by Safe Attachments (for example, malware, ransomware, and phishing). Messages are still scanned for malware by Anti-malware protection.	Turn scanning off for selected recipients. Prevent unnecessary delays in routing internal mail. This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP doesn't quarantine messages if Safe Attachments is turned off and a threat signal isn't received. For details, see Zero-hour auto purge
  Monitor	Delivers messages with attachments and then tracks what happens with detected threats. Delivery of safe messages might be delayed due to Safe Attachments scanning.	See where detected messages go in your organization.
  Block	Prevents messages with detected attachments from being delivered. Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹ Automatically blocks future instances of the messages and attachments. Delivery of safe messages might be delayed due to Safe Attachments scanning.	Protects your organization from repeated attacks using the same attachments. This value is the default, and the recommended value in Standard and Strict preset security policies.
  Dynamic Delivery	Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.¹ For details, see the Dynamic Delivery in Safe Attachments policies section later in this article.	Avoid message delays while protecting recipients from malicious files.
  ¹ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy. Users can't release their own messages quarantined as malware or phishing by Safe Attachments, regardless of how the quarantine policy is configured. If the policy is configured for users to release these quarantined messages, users are instead allowed to request the release of these quarantined messages.

• Redirect messages with detected attachments: Enable redirect and Send messages that contain monitored attachments to the specified email address: For the Monitor action only, send messages that contain detected attachments to the specified internal or external email address for analysis and investigation.
  The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.
• Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied (the highest priority policy for that recipient).
  For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined.

Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients see a placeholder for the attachment until Safe Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery previewer on your mobile device, try opening the message in Outlook on the web (formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

• If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.
• If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments are delivered without any Safe Attachments scanning or attachment placeholders.

There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include:

• Messages in public folders.
• Messages that are routed out of and then back into a user's mailbox using custom rules.
• Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.
• Inbox rules move the message out of the Inbox into a different folder.
• Deleted messages.
• The user's mailbox search folder is in an error state.
• Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see KB4014438.
• S/MIME) encrypted messages.
• You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, Safe Links in Microsoft Defender for Office 365 is able to scan Office file attachments that contain URLs (if Safe Links scanning of support Office apps is turned on in the applicable Safe Links policy).

Submit files for analysis

• If you receive a file that you want to send to Microsoft for analysis, see Submit malware and non-malware to Microsoft for analysis.
• If you receive an email message (with or without an attachment) that you want to submit to Microsoft for analysis, see Report messages and files to Microsoft.