Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

This article contains the steps for enabling and configuring Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

What do you need to know before you begin?

Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat policies > Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.

  2. On the Safe Attachments page, click Global settings.

  3. In the Global settings fly out that appears, go to the Protect files in SharePoint, OneDrive, and Microsoft Teams section.

    Move the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams toggle to the right to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

    When you're finished, click Save.

Use Exchange Online PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

If you'd rather use PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, connect to Exchange Online PowerShell and run the following command:

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

For detailed syntax and parameter information, see Set-AtpPolicyForO365.

By default, users can't open, move, copy, or share* malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can delete and download malicious files.

* If users go to Manage access, the Share option is still available.

To prevent users from downloading malicious files, connect to SharePoint Online PowerShell and run the following command:

Set-SPOTenant -DisallowInfectedFileDownload $true

Notes:

  • This setting affects both users and admins.
  • People can still delete malicious files.

For detailed syntax and parameter information, see Set-SPOTenant.

You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see Alert policies.

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpolicies.

  2. On the Alert policy page, click New alert policy.

  3. The New alert policy wizard opens in a fly out. On the Name your alert page, configure the following settings:

    • Name: Type a unique and descriptive name. For example, Malicious Files in Libraries.
    • Description: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
    • Severity: Select Low, Medium, or High from the drop down list.
    • Category: Select Threat management from the drop down list.

    When you're finished, click Next.

  4. On the Create alert settings page, configure the following settings:

    • What do you want to alert on? section > Activity is > Select Detected malware in file from the drop down list.
    • How do you want the alert to be triggered? section: Leave the default value Every time an activity matches the rule selected.

    When you're finished, click Next.

  5. On the Set your recipients page, configure the following settings:

    • Verify Send email notifications is selected. In the Email recipients box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
    • Daily notification limit: Leave the default value No limit selected.

    When you're finished, click Next.

  6. On the Review your settings page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can click Back or select the specific page in the wizard.

    In the Do you want to turn the policy on right away? section, leave the default value Yes, turn it on right away selected.

    When you're finished, click Finish.

Use Security & Compliance PowerShell to create an alert policy for detected files

If you'd rather use PowerShell to create the same alert policy as described in the previous section, connect to Security & Compliance PowerShell and run the following command:

New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"

Note: The default Severity value is Low. To specify Medium or High, include the Severity parameter and value in the command.

For detailed syntax and parameter information, see New-ActivityAlert.

How do you know these procedures worked?

  • To verify that you've successfully turned on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, use either of the following steps:

    • In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies > Policies section > Safe Attachments, select Global settings, and verify the value of the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams setting.

    • In Exchange Online PowerShell, run the following command to verify the property setting:

      Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

      For detailed syntax and parameter information, see Get-AtpPolicyForO365.

  • To verify that you've successfully blocked people from downloading malicious files, open SharePoint Online PowerShell, and run the following command to verify the property value:

    Get-SPOTenant | Format-List DisallowInfectedFileDownload

    For detailed syntax and parameter information, see Get-SPOTenant.

  • To verify that you've successfully configured an alert policy for detected files, use any of the following steps:

    • In the Microsoft 365 Defender portal, go to Policies & rules > Alert policy > select the alert policy, and verify the settings.

    • In Security & Compliance PowerShell, replace <AlertPolicyName> with the name of the alert policy, run the following command, and verify the property values:

      Get-ActivityAlert -Identity "<AlertPolicyName>"

      For detailed syntax and parameter information, see Get-ActivityAlert.

  • Use the Threat protection status report to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data by: Content > Malware view.
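
The three verification checks above can be combined into one pass that reports which control is still missing. This is an added example, not part of the original article or Microsoft's code: the function name Test-SafeAttachmentsBaseline and its finding format are hypothetical, and the sample objects are constructed so the script runs without a tenant connection.

```powershell
# Added example: audit the three controls this article configures.
# Function name and finding format are hypothetical; cmdlets and properties are the article's.
function Test-SafeAttachmentsBaseline {
    param(
        [Parameter(Mandatory)] $AtpPolicy,   # output of Get-AtpPolicyForO365
        [Parameter(Mandatory)] $SpoTenant,   # output of Get-SPOTenant
        [object[]] $ActivityAlerts = @()     # output of Get-ActivityAlert
    )

    if (-not $AtpPolicy.EnableATPForSPOTeamsODB) {
        [pscustomobject]@{
            Control = 'EnableATPForSPOTeamsODB'
            Issue   = 'Safe Attachments for SharePoint, OneDrive, and Teams is off'
            Fix     = 'Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true'
        }
    }

    # Without this setting, users can still download files flagged as malicious.
    if (-not $SpoTenant.DisallowInfectedFileDownload) {
        [pscustomobject]@{
            Control = 'DisallowInfectedFileDownload'
            Issue   = 'Detected files can still be downloaded'
            Fix     = 'Set-SPOTenant -DisallowInfectedFileDownload $true'
        }
    }

    # At least one alert on FileMalwareDetected must exist and have recipients.
    $malwareAlerts = @($ActivityAlerts | Where-Object { $_.Operation -contains 'FileMalwareDetected' })
    if ($malwareAlerts.Count -eq 0) {
        [pscustomobject]@{
            Control = 'ActivityAlert'
            Issue   = 'No alert policy covers the FileMalwareDetected operation'
            Fix     = 'Create one with New-ActivityAlert -Operation FileMalwareDetected'
        }
    } elseif (-not ($malwareAlerts | Where-Object { $_.NotifyUser })) {
        [pscustomobject]@{
            Control = 'ActivityAlert'
            Issue   = 'FileMalwareDetected alert exists but has no recipients'
            Fix     = 'Add recipients with the NotifyUser parameter'
        }
    }
}

# Constructed sample state (not real tenant output): scanning on, download block off, no alert.
$sampleAtp    = [pscustomobject]@{ EnableATPForSPOTeamsODB = $true }
$sampleTenant = [pscustomobject]@{ DisallowInfectedFileDownload = $false }
Test-SafeAttachmentsBaseline -AtpPolicy $sampleAtp -SpoTenant $sampleTenant | Format-List
```

To audit a live tenant, connect to Exchange Online PowerShell, SharePoint Online PowerShell, and Security & Compliance PowerShell, then pass (Get-AtpPolicyForO365), (Get-SPOTenant), and (Get-ActivityAlert) as the three arguments.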