365 Defender – Safe attachments’ policy & Safe Documents

As you all know, attackers widely use malicious attachments to gain “Initial access”.

Safe Attachments is one of our defences to prevent that in our environment.

Safe Attachments provides an additional layer on top of the Exchange antimalware protection.

Safe Attachments uses machine learning to protect your users' inboxes.

Policies may take around 30 minutes to apply.

The Safe Attachments blade also contains “Safe Documents”, which is a standard security requirement in tenants, so it is important to ensure it is enabled.

Creating your Safe Attachments Policy

  • Go to the 365 Defender blade, open “Policies and rules”, then open “Threat policies”

  • In Threat policies, select Safe attachments

  • Create your policy
  • Assign it to users or groups

Settings is where you can tune what you want to do with your tenant / users.

I personally recommend “Dynamic Delivery”, as it’s the one that I consider impacts users the least with regard to false positives. It is balanced, and attachments, even malicious ones, will not land in the user's mailbox.

Users should expect not to be able to open the files until they have been safely scanned.

It depends on your security requirements. If you want to apply a quarantine policy directly, use Block.

Regarding redirection of detected attachments: I personally don't use this setting, for safety reasons.

To apply the policy, just click Submit.

Configure Safe Documents in your Global Settings!

  • Requires an E5 licence
  • Click on Global settings in the Safe Attachments blade

It is recommended to enable these settings so that 365 Defender protects SharePoint, OneDrive and MS Teams independently of Safe Attachments. (These options are applied tenant-wide.)
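The policy and global settings described above can also be applied and checked from Exchange Online PowerShell. This is an added example, not part of the original post: the policy name and group address are placeholders, and it assumes the ExchangeOnlineManagement module is installed and your account can manage threat policies.

```powershell
# Added example. $policyName and $targetGroup are placeholder values.
Connect-ExchangeOnline

$policyName  = 'SafeAttachments-DynamicDelivery'
$targetGroup = 'pilot-users@contoso.example'

# Policy: Dynamic Delivery, with redirection of detected attachments left off.
New-SafeAttachmentPolicy -Name $policyName -Enable $true `
    -Action DynamicDelivery -Redirect $false

# Rule: assigns the policy to the members of a group.
New-SafeAttachmentRule -Name $policyName -SafeAttachmentPolicy $policyName `
    -SentToMemberOf $targetGroup -Priority 0

# Global settings (tenant-wide): SharePoint/OneDrive/Teams protection and Safe Documents.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true

# Read the settings back and flag anything that differs from the intended state.
$policy = Get-SafeAttachmentPolicy -Identity $policyName
$rule   = Get-SafeAttachmentRule -Identity $policyName
$global = Get-AtpPolicyForO365

$checks = [ordered]@{
    'Policy enabled'                      = $policy.Enable -eq $true
    'Action is DynamicDelivery'           = "$($policy.Action)" -eq 'DynamicDelivery'
    'Redirection off'                     = $policy.Redirect -eq $false
    'Rule enabled'                        = "$($rule.State)" -eq 'Enabled'
    'SharePoint/OneDrive/Teams protected' = $global.EnableATPForSPOTeamsODB -eq $true
    'Safe Documents enabled'              = $global.EnableSafeDocs -eq $true
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output "$status $($check.Key)"
}

# Shown for review only: whether users may click through Protected View
# when Safe Documents flags a file.
Write-Output "AllowSafeDocsOpen: $($global.AllowSafeDocsOpen)"
```

The readback reflects the stored configuration immediately, but as noted earlier the policy itself may take around 30 minutes to apply.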

Report Safe attachments

You can monitor reports for the feature in the 365 blade under Reports, in the section Email / Collaboration, Threat Protection.

