Create Safe Attachment policies using Microsoft Defender for Office 365
Safe Attachments is a feature in Microsoft Defender for Office 365. When inbound email messages arrive at an organization, Exchange Online Protection (EOP) scans the messages for malware. The Safe Attachments service then uses a virtual environment to check attachments in the messages. It makes this check before message delivery to recipients.
There's no built-in or default Safe Attachments policy. To implement Safe Attachments scanning of email message attachments, you must create one or more Safe Attachments policies. You can configure Safe Attachments policies in either:
- Microsoft Defender XDR
- Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online
- Standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions
Note
Microsoft 365 Defender is now Microsoft Defender XDR (Extended Detection and Response).
To implement a Safe Attachments policy, you must configure two elements:
- The Safe Attachments policy. Specifies the actions for unknown malware detections. For example:
  - Send messages with malware attachments to a specified email address.
  - Deliver messages if Safe Attachments scanning can't complete.
- The Safe Attachments rule. Specifies the priority and recipient filters (who the policy applies to).
The difference between these two elements isn't obvious when you manage Safe Attachments policies in Microsoft Defender XDR:
- When you create a Safe Attachments policy, you're actually creating a Safe Attachments rule and the associated Safe Attachments policy at the same time using the same name for both.
- When you modify a Safe Attachments policy, settings related to the name, priority, enabled or disabled status, and recipient filters modify the Safe Attachments rule. All other settings modify the associated Safe Attachments policy.
- When you remove a Safe Attachments policy, the system removes both the Safe Attachments rule and the associated Safe Attachments policy.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. The next unit in this training examines this feature.
To create, modify, and delete Safe Attachments policies, you must be a member of:
- The Organization Management or Security Administrator role groups in the Microsoft Defender portal.
- The Organization Management role group in Exchange Online.
Creating a custom Safe Attachments policy in Microsoft Defender XDR
Creating a custom Safe Attachments policy in Microsoft Defender XDR creates the Safe Attachments rule and the associated Safe Attachments policy at the same time using the same name for both.
In the Microsoft 365 admin center, select Show All in the left-hand navigation pane, and then under Admin centers, select Security.
In the Microsoft Defender portal, select Policies & rules in the left-hand navigation pane.
On the Policies & rules page, select Threat policies.
On the Threat policies page, under the Policies section, select Safe Attachments.
On the Safe Attachments page, select Create.
The New Safe Attachments policy wizard opens. On the Name your policy page, configure the following settings:
- Name. Enter a unique, descriptive name for the policy.
- Description. Enter an optional description for the policy.
On the Users and domains page, configure which internal users, groups, and domains the policy applies to and then select Next. At least one condition is required. You can use the following recipient filters for conditions and exceptions:
- Users. If you enter one or more mailboxes, mail users, or mail contacts in the organization, then the policy applies to those users.
- Groups. If you enter any Microsoft 365 groups, distribution groups, or mail-enabled security groups, then the policy applies to the members of those groups. Dynamic distribution groups aren't supported.
- Domains. If you enter one or more of the organization's accepted domains in Microsoft 365, then the policy applies to recipients whose primary email address is in the specified domain.
- Exclude these users, groups, and domains. If you select this checkbox, another set of User, Groups, and Domain fields appear that allow you to define exceptions to the Users, Groups, and Domains conditions that you previously specified.
You can use a condition or exception only once, but the condition or exception can contain multiple values:
Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>):
- Conditions: If the recipient matches any of the specified values, the policy is applied to them.
- Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.
Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.
Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
- Users: stacy@contoso.com
- Groups: Executives
In this example, the policy is applied to stacy@contoso.com only if Stacy is also a member of the Executives group. Otherwise, the system doesn't apply the policy to Stacy.
On the Settings page that appears, configure the following settings and then select Next:
Safe Attachments unknown malware response. Select one of the following values:
- Off. Safe Attachments doesn't scan attachments for malware. However, anti-malware protection in EOP still scans messages for malware. Microsoft doesn't typically recommend that you select this value for normal activity. However, some organizations use this value to turn scanning off for internal senders, scanners, faxes, or smart hosts that only send known, good attachments.
- Monitor. Delivers messages with attachments and then tracks what happens with detected malware. Safe Attachments scanning might delay delivery of safe messages. An organization might use this value when analyzing who receives detected messages within the company.
- Block. Prevents delivery of messages with detected malware attachments. Messages are quarantined where only admins (not end users) can review, release, or delete the messages. Automatically blocks future instances of the messages and attachments. Safe Attachments scanning might delay delivery of safe messages. This value safeguards an organization from repeated attacks using the same malware attachments. This option is the recommended (and default) value.
- Dynamic Delivery (Preview Feature). Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. It then reattaches the attachments if it didn't detect malware. This option includes attachment previewing capabilities for most PDFs and Office files during scanning. It sends messages with detected malware to Quarantine, where a Security Administrator or Security Analyst can review and release (or delete) those messages. Using this value avoids message delays while protecting recipients from malicious files. It also enables recipients to preview attachments in safe mode while scanning is taking place.
The Safe Attachments policy settings article examines these values in greater detail.
Quarantine policy. This setting determines what happens to messages that are quarantined by the Safe Attachments protection. It defines the actions users can take on quarantined messages and whether they receive notifications about these messages. The available options include:
- AdminOnlyAccessPolicy (default). This policy restricts access to quarantined messages to administrators only. Users don't receive notifications about quarantined messages, and only administrators can review, release, or delete these messages. This policy is typically used for high-confidence phishing and malware detections to ensure that only qualified personnel handle potentially dangerous content.
- DefaultFullAccessPolicy. This policy allows users to have full access to their quarantined messages without receiving notifications. Users can review, release, or delete their quarantined messages as they see fit. This policy provides users with autonomy over their quarantined messages. It enables them to manage these messages directly without waiting for administrative action.
- DefaultFullAccessWithNotificationPolicy. Under this policy, users receive notifications about quarantined messages. They have the ability to review and manage their quarantined messages, which include actions like releasing or deleting messages. This policy is applied to standard and strict protection preset profiles and is designed to empower users to take action on their quarantined messages while still being informed about potential threats.
Redirect messages with detected attachments. If you select Enable redirect, you can specify an email address in the Send messages that contain monitored attachments to the specified email address box. The system sends messages containing malware attachments to this address for analysis and investigation. The Enable redirect option only supports the Monitor action.
Note
The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see Safe Attachments settings.
On the Review page that appears, review your settings. You can select Edit in each section to change that section's settings, or select Back or the page name in the wizard to return to an earlier page. When the settings are correct, select Submit.
On the New Safe Attachments policy created page, select Done.
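The following is an added example, not code from this training module or from Microsoft's documentation. It performs in Exchange Online PowerShell what the wizard above does in one step: it creates the Safe Attachments policy (the action) and the Safe Attachments rule (the recipient filter) separately, so the split described earlier becomes visible, and it shows the recipient-filter logic from the Users and domains page (values within one condition are ORed, different condition types are ANDed, exceptions are ORed). The domain contoso.com, the mailboxes stacy@contoso.com, legal-intake@contoso.com and secops@contoso.com, and the group executives@contoso.com are assumed names for illustration; the portal's Monitor, Block and Dynamic Delivery values map to the cmdlet's Allow, Block and DynamicDelivery actions, and Off is expressed as a disabled policy.

```powershell
# Added example (not from the training module). Requires the ExchangeOnlineManagement
# module and an account in the Organization Management role group in Exchange Online.
# All addresses, group names and policy names below are assumed values.
Connect-ExchangeOnline   # interactive sign-in

# --- Policy 1: the same settings the wizard's defaults produce (Block + admin-only quarantine)
$blockName = "Contoso - Block unknown malware"

# The POLICY holds the action. Portal value -> -Action mapping:
#   Monitor = Allow, Block = Block, Dynamic Delivery = DynamicDelivery; Off = -Enable $false.
New-SafeAttachmentPolicy -Name $blockName `
    -AdminDisplayName "Block unknown malware; quarantined mail visible to admins only" `
    -Enable $true `
    -Action Block `
    -QuarantineTag "AdminOnlyAccessPolicy"

# The RULE holds the recipient filters and links to the policy by name.
# Condition: every recipient whose primary address is in contoso.com (one condition type).
# Exception: the legal intake mailbox is excluded (exceptions of any type are ORed).
# Do NOT also add -SentToMemberOf here unless you want the AND behaviour from the
# "Users and domains" page: the recipient would then have to be in contoso.com AND in the group.
New-SafeAttachmentRule -Name $blockName `
    -SafeAttachmentPolicy $blockName `
    -RecipientDomainIs "contoso.com" `
    -ExceptIfSentTo "legal-intake@contoso.com" `
    -Enabled $true

# --- Policy 2: a Monitor policy for a pilot group, with redirect (redirect requires Monitor/Allow)
$monitorName = "Contoso - Executives pilot (monitor + redirect)"

New-SafeAttachmentPolicy -Name $monitorName `
    -AdminDisplayName "Deliver and track detections; copies of detected messages go to SecOps" `
    -Enable $true `
    -Action Allow `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com" `
    -QuarantineTag "AdminOnlyAccessPolicy"

# Two condition types in one rule: applies only to stacy@contoso.com AND only while she is a
# member of the executives group (the AND example from the training text).
# Priority 0 makes this rule win over the domain-wide Block rule for matching recipients.
New-SafeAttachmentRule -Name $monitorName `
    -SafeAttachmentPolicy $monitorName `
    -SentTo "stacy@contoso.com" `
    -SentToMemberOf "executives@contoso.com" `
    -Priority 0 `
    -Enabled $true

# --- Verify: both halves exist, are linked, and the filters are what you intended.
Get-SafeAttachmentPolicy -Identity $blockName, $monitorName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress, QuarantineTag

Get-SafeAttachmentRule -Identity $blockName, $monitorName |
    Format-List Name, Priority, State, SafeAttachmentPolicy, SentTo, SentToMemberOf, `
                RecipientDomainIs, ExceptIfSentTo

# --- Cleanup (what "delete" in the portal does for you): remove the rule, then the policy.
# Remove-SafeAttachmentRule   -Identity $monitorName -Confirm:$false
# Remove-SafeAttachmentPolicy -Identity $monitorName -Confirm:$false
```

Two points worth checking after running this. First, look at the rule output rather than the policy output to confirm who is covered: the policy knows nothing about recipients, so a policy that looks correct can still apply to nobody if its rule's conditions are ANDed more narrowly than intended. Second, a rule with a lower priority number wins, so a pilot rule at priority 0 silently overrides the domain-wide rule for its recipients; the portal assigns the next free priority to a new policy, whereas in PowerShell you set it explicitly.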