Attackers can use malicious attachments to gain access to sensitive information, steal credentials, or install malwares on a victim's computer.
Safe Attachments is a feature in Microsoft Defender for Office 365 that helps protect against these types of attacks by scanning email attachments for potential threats before they are delivered to a user's mailbox.
Enabling Safe Attachments through Office Protect will enable the setting with the Dynamic Delivery option: messages containing attachments will be delivered immediately, but the attachments will be replaced with placeholders until the scan is complete. If the attachment is deemed safe, the user will be able to open/download it. If the message if found to be malicious, it will be quarantined.
Safe Attachments is only available with Microsoft Defender for Office 365.
According to Microsoft licensing terms, licenses must be acquired for all users that access SharePoint, OneDrive for Business, or Teams, if Safe Attachments protection for SharePoint, OneDrive for Business, or Teams is turned on.
In the Set section, you can configure one of the following options when you apply the setting:
- Removes Office Protect Safe Attachments policy
- Disables all other Safe Attachments policies enabled on the tenant
- Creates the Office Protect Safe Attachments policy
- Disables other Safe Attachments policies enabled on the tenant
- Do not modify (Ignore): We will not monitor nor attempt to modify the organization’s Safe Attachments policies. We recommend using this if you prefer using a customized Safe Attachments policy in Defender, so Office Protect does not overwrite your customization.
Safe Attachments policies are available in the Microsoft 365 Defender Security portal, in Policies & rules - Threat policies - Safe Attachments.
Operation to look for in the Unified Audit Logs: New-SafeAttachmentPolicy
Microsoft’s Documentation on Safe Links: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide
Microsoft Defender for Office 365 licensing terms: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms