Safe Attachments Report
Messages processed by Microsoft Defender Safe Attachments with verdicts. Shows blocked attachments, detonation results, and false positives across your Exchange Online environment.
Overview
The Safe Attachments Report provides details on email attachments that were scanned by Microsoft Defender for Office 365 Safe Attachments. This includes files that were detonated in a sandbox, blocked as malicious, or delivered after scanning.
Report Columns
| Column | Description |
|---|---|
| Date | Date the message was processed |
| Recipient | User who received the message |
| Sender | Sender email address |
| Subject | Message subject line |
| Attachment Name | Name of the scanned attachment |
| File Type | Extension and MIME type of the attachment |
| Verdict | Safe, Malicious, or Suspicious |
| Action Taken | Delivered, Blocked, Replaced, or Dynamic Delivery |
| Detonation | Whether the file was detonated in a sandbox |
| Scan Duration | Time taken to complete the scan |
Verdict Categories
- Safe — Attachment passed all scans and was delivered normally
- Malicious — Attachment identified as containing malware or exploit code
- Suspicious — Attachment exhibits suspicious behavior but not confirmed malicious
- Error — Scan could not complete; action depends on policy configuration
- Pending — Attachment is still being analyzed (Dynamic Delivery mode)
Action Summary
| Action | Description |
|---|---|
| Delivered | Attachment was clean and delivered to the recipient |
| Blocked | Attachment was malicious and the entire message was blocked |
| Replaced | Malicious attachment was removed; message delivered without it |
| Dynamic Delivery | Message delivered with placeholder while attachment is scanned |
Filters
- Date Range — Last 7 days, 30 days, 90 days, or custom
- Verdict — Safe, Malicious, Suspicious, Error
- Action — Delivered, Blocked, Replaced, Dynamic Delivery
- File Type — Filter by attachment extension
- Recipient — Filter by specific user or group
- Tenant — Filter by managed tenant
False Positive Management
If a legitimate attachment is incorrectly blocked:
- Review the detonation details for the specific attachment
- Submit the file to Microsoft for analysis via the admin portal
- Add a Tenant Allow entry if the file is confirmed safe
- Monitor for recurrence after the allow entry is created
API Reference
GET /api/reports/exchange/safe-attachments— Get Safe Attachments reportGET /api/reports/exchange/safe-attachments/summary— Get aggregate verdict countsPOST /api/reports/exchange/safe-attachments/export— Export report data
Last updated on