Expand EOP protections by using Safe Attachments and Safe Links


As organizations running Microsoft 365 receive email, the messages first pass through the frontline defenses provided by Exchange Online Protection (EOP). The Safe Attachments and Safe Links features within Microsoft Defender for Office 365 then analyze the mail for anything suspicious.

Safe Attachments

Microsoft 365 Safe Attachments is a feature that helps protect users from malicious attachments in emails. When a user receives an email with an attachment, Safe Attachments tests the file to determine if it's safe.

The following steps provide a brief overview of how Microsoft 365 Safe Attachments tests files:

  1. When an organization receives an email with an attachment, Safe Attachments strips the attachment from the email and sends it to the Microsoft 365 servers for analysis.
  2. Safe Attachments opens and executes the attachment in a sandboxed virtual environment to check for any suspicious behavior or activity.
    • If it deems the attachment safe, it sends the email and attachment to the user's mailbox. The user can then download and open the file as usual.
    • If it deems the attachment malicious, it blocks the attachment and notifies the user of the threat. It then moves the email without the attachment to the user's Junk Email folder for further review.

The Safe Attachments feature also provides extra protection by using machine learning and artificial intelligence to identify new and emerging threats. If it suspects a file of being malicious, it sends it to a team of security experts for further analysis. Doing so helps to ensure that Microsoft 365 provides the highest level of protection against known and unknown threats.

Safe Links

Microsoft 365 Safe Links is a feature that helps protect users from malicious links in emails, documents, and other content. When a user selects a link, Safe Links tests the URL to determine if it's safe.

The following steps provide a brief overview of how Microsoft 365 Safe Links tests URLs:

  1. When a user selects a link, Safe Links sends the URL to the Microsoft 365 servers.
  2. Safe Links checks the URL against a list of known malicious URLs and domains.
    • If it finds a match, it blocks the link and notifies the user.
    • If it doesn't find the URL on the list, it opens the URL in a virtual environment to check for any suspicious behavior or activity.
      • If it deems the URL safe, it redirects the user to the original URL.
      • If it deems the URL to be malicious, it redirects the user to a warning page.

The Safe Links feature also provides extra protection by rewriting URLs to include a unique identifier. This process enables Microsoft 365 to track the link and block it if it becomes malicious in the future. This feature also helps protect users from zero-day attacks, where attackers create new malicious links that security researchers have yet to identify.
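During triage, an analyst often needs the original destination behind a rewritten link. The following is an added example, not Microsoft's code: it assumes the commonly seen wrapper form (an HTTPS host under safelinks.protection.outlook.com carrying the destination in a `url` query parameter), which this page does not specify, and all sample URLs are constructed.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: wrapper host suffix and "url" parameter as commonly observed;
# the page does not specify the rewritten-link format.
WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # stop peeling after this many nested wrappers

# Constructed sample values (not real links).
SAMPLE_WRAPPED = (
    "https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fportal.example.com%2Flogin%3Fid%3D42"
    "&data=CONSTRUCTED&sdata=CONSTRUCTED&reserved=0"
)
SAMPLE_NESTED = (
    "https://eur01.safelinks.protection.outlook.com/?url="
    + quote(SAMPLE_WRAPPED, safe="") + "&reserved=0"
)
SAMPLE_LOOKALIKE = (
    "https://safelinks.protection.outlook.com.lookalike.example/"
    "?url=https%3A%2F%2Fportal.example.com%2F"
)


def is_wrapped(url: str) -> bool:
    """True only for HTTPS URLs whose host is a subdomain of the wrapper domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Suffix match on the parsed hostname, so a host that merely contains the
    # wrapper domain as a prefix or substring is not treated as a wrapper.
    return parts.scheme == "https" and host.endswith(WRAPPER_SUFFIX)


def unwrap(url: str) -> str:
    """Return the original destination; non-wrapped URLs come back unchanged."""
    for _ in range(MAX_DEPTH):
        if not is_wrapped(url):
            return url
        # parse_qs percent-decodes each value exactly once.
        targets = parse_qs(urlsplit(url).query).get("url", [])
        if len(targets) != 1:
            # Missing or duplicated destination: refuse to guess.
            raise ValueError("wrapper must carry exactly one 'url' parameter")
        url = targets[0]
    raise ValueError("wrapper nesting too deep")
```

The returned value is for inspection and log correlation only; it has not been checked by anything and should be treated as untrusted.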

The following image illustrates what happens as mail flows through the EOP and Microsoft Defender for Office 365 anti-malware pipeline.

Diagram showing what happens as mail flows through the EOP and Microsoft Defender for Office 365 anti-malware pipeline.