
Safe Attachments

Microsoft Defender for Office 365 Safe Attachments provides an additional layer of protection by opening email attachments in a secure sandbox environment to detect malicious behavior before delivery to user mailboxes.

Note: Safe Attachments is included with Microsoft Defender for Office 365 Plan 1 and Plan 2. Available in Microsoft 365 E5, E5 Security, or as an add-on.

How Safe Attachments Works

  1. Message Received — Email with attachment arrives at Exchange Online Protection.
  2. Basic Malware Scan — Standard anti-malware engines scan for known threats.
  3. Sandbox Detonation — Attachment opened in isolated VM to observe behavior.
  4. Behavior Analysis — Machine learning analyzes file actions for malicious indicators.
  5. Verdict and Delivery — Clean: delivered. Malicious: blocked/quarantined based on policy.

Note: Unlike signature-based scanning, detonation detects new malware by observing actual behavior in the sandbox (zero-day protection).

Policy Actions

Off

Safe Attachments disabled for recipients in this policy. Not recommended.

Monitor

Scan attachments but deliver regardless of result. Used for testing and gathering data before enabling blocking.

Block

Block messages with malicious attachments. Entire message is quarantined. Recipients don’t receive the email. Recommended.

Replace

Remove malicious attachment but deliver message body. Attachment replaced with notification that it was removed.

Dynamic Delivery

Deliver message immediately with placeholder attachment. Real attachment delivered after scan completes. Best user experience. Fastest option.

Dynamic Delivery

Dynamic Delivery minimizes email delays while maintaining protection:

  1. Immediate Delivery — Message body delivered instantly with placeholder for attachment.
  2. Preview Available — User can preview attachment if supported (Office docs, PDFs).
  3. Scan Completes — Attachment scanned in background (typically 1-2 minutes).
  4. Attachment Attached — If clean, real attachment replaces placeholder. If malicious, removed.

Note: Dynamic Delivery doesn’t work with some encrypted or password-protected files, or when the message is rights-protected.

SharePoint, OneDrive, Teams

Safe Attachments also protects files in SharePoint, OneDrive, and Teams:

File Scanning

Files uploaded to SharePoint and OneDrive are scanned asynchronously. Malicious files are blocked from being downloaded or synced.

Teams Protection

Files shared in Teams chats and channels are protected since they’re stored in SharePoint/OneDrive.

Global Setting Required

Safe Attachments for SharePoint, OneDrive, and Teams is a global setting that must be enabled separately from email policies.

Policy Configuration

Recipients

Define which users, groups, or domains the policy applies to. Use conditions and exceptions to target specific recipients.

Action

Select how the policy responds when unknown malware is detected: Monitor, Block, Replace, or Dynamic Delivery.

Redirect

Optionally redirect blocked messages to an admin mailbox for review instead of quarantine.

Priority

Set policy priority. Lower numbers have higher priority. First matching policy is applied.

Detection and Response

Quarantine

Blocked messages are quarantined for admin review. A message can be released if it is determined to be a false positive.

Threat Explorer

View Safe Attachments detections in Threat Explorer. See file hash, detection reason, and affected users.

Zero-Hour Auto Purge

If an attachment is later identified as malicious, ZAP removes it from mailboxes retroactively.

Alerts

Configure alert policies to notify admins when Safe Attachments detects malware.

Best Practices

  • Use Dynamic Delivery — Provides protection without email delays. Best user experience.
  • Enable for all users — Apply Safe Attachments protection organization-wide.
  • Enable for SharePoint/OneDrive/Teams — Turn on the global setting for file protection in collaboration apps.
  • Review quarantine regularly — Check quarantine for false positives and release legitimate messages.
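
Added example (not part of the original page or of any Microsoft tooling): a small offline audit that resolves which policy actually applies to each recipient under the "lower number wins, first match applies" rule and flags the gaps named in the best practices above. The Policy record shape and its field names are assumptions, since the page does not document the API response format, and the sample tenant is constructed.

```python
from dataclasses import dataclass, field

PROTECTIVE = {"Block", "Replace", "DynamicDelivery"}  # actions that act on a malicious verdict

@dataclass
class Policy:                          # hypothetical record shape, not the product's schema
    name: str
    priority: int                      # lower number = higher priority
    action: str                        # Off, Monitor, Block, Replace, DynamicDelivery
    domains: set = field(default_factory=set)     # recipient-domain conditions
    users: set = field(default_factory=set)       # explicit recipient conditions
    exceptions: set = field(default_factory=set)  # excluded recipients (stored lowercase)

    def matches(self, rcpt: str) -> bool:
        rcpt = rcpt.lower()
        if rcpt in self.exceptions:
            return False
        return rcpt in self.users or rcpt.rsplit("@", 1)[-1] in self.domains

def effective_policy(policies, rcpt):
    """First matching policy in priority order wins; None if nothing matches."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(rcpt):
            return p
    return None

def audit(policies, recipients, spo_teams_enabled):
    """Return findings: global setting first, then one per exposed recipient."""
    findings = []
    if not spo_teams_enabled:
        findings.append("global: SharePoint/OneDrive/Teams protection is off")
    for rcpt in recipients:
        p = effective_policy(policies, rcpt)
        if p is None:
            findings.append(f"{rcpt}: no policy applies")
        elif p.action not in PROTECTIVE:
            findings.append(f"{rcpt}: '{p.name}' wins with action {p.action}")
    return findings

# Constructed sample tenant, not real data.
POLICIES = [
    Policy("Pilot-Monitor", 0, "Monitor", users={"cfo@example.com"}),
    Policy("Org-Wide", 1, "DynamicDelivery", domains={"example.com"},
           exceptions={"scanner@example.com"}),
]
RECIPIENTS = ["cfo@example.com", "alice@example.com", "scanner@example.com"]

if __name__ == "__main__":
    print("\n".join(audit(POLICIES, RECIPIENTS, spo_teams_enabled=False)))
```

In the sample, a leftover Monitor pilot at priority 0 shadows the org-wide Dynamic Delivery policy for one mailbox, and an exception leaves another mailbox with no policy at all; neither gap is visible from reading the org-wide policy on its own.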

API Reference

GET /api/exchange/safe-attachments-policies - List Safe Attachments policies

POST /api/exchange/safe-attachments-policies - Create Safe Attachments policy

GET /api/exchange/safe-attachments-detections - Get detection history

PUT /api/exchange/safe-attachments-global - Update global settings (SPO/OD/Teams)

GET /api/exchange/quarantine?type=safe-attachments - List quarantined items
