Protect users from malicious attachments by using Safe Attachments
People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Safe Attachments is a feature in Microsoft Defender for Office 365 that:
- opens every attachment of a supported file type in a special hypervisor environment.
- checks to see if the attachment is malicious.
- takes appropriate action against malicious attachments to protect your organization.
Safe Attachments protects organizations by detecting malicious attachments even before the system applies anti-virus signatures. Safe Attachments analyzes attachments that are common targets for malicious content. For example, different versions of Office files such as Word, PowerPoint, and Excel, PDFs, executable file types, and Flash files.
Let’s examine how Safe Attachments works:
- Selecting attachments to test. Safe Attachments works on email attachments received from both senders within an organization and external senders who are outside the organization. The feature protects an organization according to policies set by its Microsoft 365 administrators or security administrators. When a Safe Attachments policy is in place and someone covered by that policy views their email in Microsoft 365, Safe Attachments checks the email attachments and takes appropriate action based on the policy.
- Attachment testing. Safe Attachments tests attachments in virtual environments that run different versions of the Windows operating system and applications. During testing, it executes, or "detonates" the attachments. They then undergo behavioral analysis to determine if the file executes malicious behavior. For example, a malicious attachment might install a Trojan horse. Or, it might install a virus that makes changes to the registry or system settings. These types of viruses result in the system and network being more vulnerable to attack.
Note
Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides.
Safe Attachments policies control Safe Attachments protection for email messages. There's no default Safe Attachments policy. However, Safe Attachments' Built-in protection preset security policy provides protection to all recipients not defined in custom Safe Attachments policies. You can also create Safe Attachments policies that apply to specific users, group, or domains.
Additional reading. For more information, see:
- Preset security policies in EOP and Microsoft Defender for Office 365.
- Set up Safe Attachments policies in Microsoft Defender for Office 365.
Safe Attachment scenarios
The following table describes common scenarios for Safe Attachments in Microsoft 365 organizations that include Microsoft Defender for Office 365.
| Scenario | Result |
|---|---|
| Fabrikam has no Safe Attachments policies configured. | Even though Fabrikam doesn't have any custom Safe Attachments policies in place, Safe Attachments' Built-in protection preset security policy protects all the company's users. This policy applies to all recipients not defined in custom Safe Attachments policies. |
| Lee's organization has a Safe Attachments policy that applies only to Finance employees. Lee is a member of the Sales department. | Safe Attachments' Built-in protection preset security policy protects Lee and the rest of the Sales department. This policy applies to all recipients not defined in custom Safe Attachments policies. |
| Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment. | Safe Attachments protects Jean due to that custom Safe Attachments policy. Typically, it takes about 30 minutes for a new policy to take effect. |
| Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients. | Safe Attachments protects Chris due to the custom Safe Attachments policies. If the external recipients are in a Microsoft 365 organization, then Safe Attachments protects the forwarded messages. |
Knowledge check
Choose the best response for the following question. Then select “Check your answers.”