In organizations with Microsoft Defender for Office 365, Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams in the Microsoft Defender portal or in Exchange Online PowerShell.
Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Membership in the Organization Management or Security Administrator role groups.
Microsoft Entra permissions: Membership in the following roles gives users the required permissions and permissions for other features in Microsoft 365.
Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Global Administrator* or Security Administrator.
Use SharePoint Online PowerShell to prevent people from downloading malicious files: Global Administrator* or SharePoint Administrator.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Verify that audit logging is enabled for your organization (it's on by default). For instructions, see Turn auditing on or off.
Allow up to 30 minutes for the settings to take effect.
Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
On the Safe Attachments page, select Global settings.
In the Global settings flyout that opens, go to the Protect files in SharePoint, OneDrive, and Microsoft Teams section.
Move the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams toggle to the right to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
When you're finished in the Global settings flyout, select Save.
Use Exchange Online PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
If you'd rather use PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, connect to Exchange Online PowerShell and run the following command:
Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files
By default, users can't open, move, copy, or share* malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can delete and download malicious files.
* If users go to Manage access, the Share option is still available.
For detailed syntax and parameter information, see Set-SPOTenant.
Step 3: (Recommended) Use the Microsoft Defender portal to create an alert policy for detected files
You can create an alert policy that notifies admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alert policies, see Alert policies in the Microsoft Defender portal.
On the Alert policy page, select New alert policy to start the new alert policy wizard.
On the Name your alert, categorize it, and choose a severity page, configure the following settings:
Name: Type a unique and descriptive name. For example, Malicious Files in Libraries.
Description: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
Severity: Select Low, Medium, or High from the dropdown list.
Category: Select Threat management from the dropdown list.
When you're finished on the Name your alert, categorize it, and choose a severity page, select Next.
On the Choose an activity, conditions and when to trigger the alert page, configure the following settings:
What do you want to alert on? section > Activity is > Common user activities section > Select Detected malware in file from the dropdown list.
How do you want the alert to be triggered? section: Select Every time an activity matches the rule.
When you're finished on the Choose an activity, conditions and when to trigger the alert page, select Next.
On the Decide if you want to notify people when this alert is triggered page, configure the following settings:
Verify Opt-in for email notifications is selected. In the Email recipients box, select one or more admins who should receive notification when a malicious file is detected.
Daily notification limit: Leave the default value No limit selected.
When you're finished on the Decide if you want to notify people when this alert is triggered page, select Next.
On the Review your settings page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
In the Do you want to turn the policy on right away? section, select Yes, turn it on right away.
When you're finished on the Review your settings page, select Submit.
On this page, you can review the alert policy in read-only mode.
When you're finished, select Done.
Back on the Alert policy page, the new policy is listed.
Use Security & Compliance PowerShell to create an alert policy for detected files
If you'd rather use PowerShell to create the same alert policy as described in the previous section, connect to Security & Compliance PowerShell and run the following command:
New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"
Note: The default Severity value is Low. To specify Medium or High, include the Severity parameter and value in the command.
For detailed syntax and parameter information, see New-ActivityAlert.
How do you know these procedures worked?
To verify that you've successfully turned on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, use either of the following steps:
In the Microsoft Defender portal, go to Policies & rules > Threat Policies > Policies section > Safe Attachments, select Global settings, and verify the value of the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams setting.
In Exchange Online PowerShell, run the following command to verify the property setting:
To verify that you've successfully blocked people from downloading malicious files, open SharePoint Online PowerShell, and run the following command to verify the property value:
In Security & Compliance PowerShell, replace <AlertPolicyName> with the name of the alert policy, run the following command, and verify the property values:
Get-ActivityAlert -Identity "<AlertPolicyName>"
For detailed syntax and parameter information, see Get-ActivityAlert.
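The three checks above can be combined into one audit. The following is an added example, not a command from the original article: the function name Test-SafeAttachmentsSpoConfig and its -Remediate switch are hypothetical, and the property names EnableATPForSPOTeamsODB and DisallowInfectedFileDownload are those of the Get-AtpPolicyForO365 and Get-SPOTenant cmdlets. It assumes Connect-ExchangeOnline, Connect-SPOService, and Connect-IPPSSession have already been run in the same session.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline,
# Connect-SPOService and Connect-IPPSSession have already been run in this session.
function Test-SafeAttachmentsSpoConfig {
    [CmdletBinding()]
    param(
        # Alert policy name; the default is the example name used in the article.
        [string]$AlertPolicyName = 'Malicious Files in Libraries',
        # Hypothetical switch: turn on the two tenant settings if they are off.
        [switch]$Remediate
    )

    # Step 1 (Exchange Online PowerShell): Safe Attachments for SPO/OneDrive/Teams.
    $atpOn = [bool](Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    if (-not $atpOn -and $Remediate) {
        Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
        $atpOn = [bool](Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    }

    # Step 2 (SharePoint Online PowerShell): block download of detected files.
    $blockOn = [bool](Get-SPOTenant).DisallowInfectedFileDownload
    if (-not $blockOn -and $Remediate) {
        Set-SPOTenant -DisallowInfectedFileDownload $true
        $blockOn = [bool](Get-SPOTenant).DisallowInfectedFileDownload
    }

    # Step 3 (Security & Compliance PowerShell): the alert policy exists, watches
    # FileMalwareDetected, and has at least one non-empty recipient.
    $alert = Get-ActivityAlert -Identity $AlertPolicyName -ErrorAction SilentlyContinue
    $recipients = @($alert.NotifyUser | Where-Object { $_ })
    $alertOk = [bool]($alert -and
        ($alert.Operation -contains 'FileMalwareDetected') -and
        ($recipients.Count -gt 0))

    # One result object per check so the output can be filtered or exported.
    [pscustomobject]@{ Check = 'EnableATPForSPOTeamsODB';         Pass = $atpOn }
    [pscustomobject]@{ Check = 'DisallowInfectedFileDownload';    Pass = $blockOn }
    [pscustomobject]@{ Check = "Alert policy '$AlertPolicyName'"; Pass = $alertOk }
}

# Report only; add -Remediate to turn on steps 1 and 2 where they are off.
Test-SafeAttachmentsSpoConfig | Format-Table -AutoSize
```

A Pass value of False on the alert policy row means the policy is missing, watches a different operation, or has no recipients; the function does not create the policy.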
Use the Threat protection status report to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data by: Content > Malware view.