Attackers can use malicious attachments to gain access to sensitive information, steal credentials, or install malware on a victim's computer.

Safe Attachments is a feature in Microsoft Defender for Office 365 that helps protect against these types of attacks by scanning email attachments for potential threats before they are delivered to a user's mailbox. 

Enabling Safe Attachments through Office Protect will enable the setting with the Block option: messages containing malicious attachments won't be delivered and will be quarantined. If the attachment is deemed safe, the user will be able to open/download it. Delivery of safe messages might be delayed due to Safe Attachments scanning.

Safe Attachments is only available with Microsoft Defender for Office 365.
According to Microsoft licensing terms, licenses must be acquired for all users that access SharePoint, OneDrive for Business, or Teams, if Safe Attachments protection for SharePoint, OneDrive for Business, or Teams is turned on.

In the Set section, you can configure one of the following options when you apply the setting:

  • Disabled:
    • Removes Office Protect Safe Attachments policy
    • Disables all other Safe Attachments policies enabled on the tenant
  • Enabled
    • Creates the Office Protect Safe Attachments policy
    • Disables other Safe Attachments policies enabled on the tenant
  • Do not modify (Ignore): We will not monitor nor attempt to modify the organization’s Safe Attachments policies. We recommend using this if you prefer using a customized Safe Attachments policy in Defender, so Office Protect does not overwrite your customization.


Safe Attachments policies are available in the Microsoft 365 Defender Security portal, in Policies & rules - Threat policies - Safe Attachments

Operation to look for in the Unified Audit Logs: New-SafeAttachmentPolicy

Microsoft’s Documentation on Safe Links:

Microsoft Defender for Office 365 licensing terms: