Enable and Configure Safe Attachments Policies
Overview
Safe Attachments is a feature of Microsoft Defender for Office 365 that protects users from malicious email attachments by detonating files inside a virtual sandbox environment before delivery.
Unlike basic anti-malware scanning that relies on signatures, Safe Attachments analyzes file behavior to detect threats that may not yet be widely known.
This guide explains what Safe Attachments is, why it is important, and how to configure it properly.
Why Safe Attachments Is Important
Email attachments remain one of the primary delivery methods for:
- Ransomware
- Macro-based malware
- Weaponized PDFs
- Trojan loaders
- Malicious script files
Safe Attachments uses sandbox detonation to execute suspicious files in a controlled environment and analyze their behavior before the file reaches the user.
This significantly reduces the risk of malicious file delivery.
Licensing Requirements
Safe Attachments requires:
- Microsoft Defender for Office 365 Plan 1
- Microsoft Defender for Office 365 Plan 2
- Microsoft 365 Business Premium (includes Plan 1)
- Microsoft 365 E5 (includes Plan 2)
Exchange Online Protection (EOP) alone does not include Safe Attachments.
How Safe Attachments Works
File Detonation Process
When an email with an attachment is received:
- The file is routed to Microsoft’s sandbox environment.
- The file is executed in a virtual machine.
- Behavioral analysis is performed.
- The file is classified as malicious or safe.
- Action is taken based on policy configuration.
This process is known as sandbox detonation.
Behavioral analysis detects:
- Suspicious process creation
- Registry modifications
- Network callbacks
- Exploit behavior
- Script execution
How to Enable and Configure Safe Attachments
Step 1: Navigate to Safe Attachments Settings
- Go to the Microsoft 365 Defender portal: https://security.microsoft.com
- Navigate to: Email & Collaboration → Policies & Rules → Threat Policies → Safe Attachments
Step 2: Review or Create a Safe Attachments Policy
You may see:
- Preset security policies (Standard or Strict)
- Custom Safe Attachments policies
Preset policies are recommended as a starting point. Custom policies allow granular control.
Click Create to define a new policy if needed.
Key Configuration Options
Dynamic Delivery
Dynamic Delivery allows the email body to be delivered immediately while the attachment is scanned in the background.
If the attachment is later determined to be malicious:
- It is removed or replaced with a warning.
Benefits:
- Reduces user delivery delay
- Improves user experience
- Maintains protection during scanning
Recommended: Enable Dynamic Delivery in most environments.
Monitor vs Block
Safe Attachments supports different actions:
Monitor
- File is delivered.
- Detection is logged.
- No immediate blocking action.
Used for:
- Testing policies
- Pilot deployments
Block
- Malicious file is removed.
- Message may be quarantined.
- User access is prevented.
Recommended: Use Block for production environments.
Policy Assignment (Scope)
Define:
- Specific users
- Groups
- Domains
Best practice:
- Apply Safe Attachments to all users
- Consider stricter policies for high-risk departments
- Ensure no mail flow rules override attachment scanning
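The same configuration can be scripted with Exchange Online PowerShell. The following is an added example, not part of the original guide: it creates a Dynamic Delivery baseline for every accepted domain and a stricter Block policy for one high-risk group. The policy names and the group address are placeholders, and it assumes the ExchangeOnlineManagement module and a role that can edit threat policies.

```powershell
# Added example; names and the group address below are hypothetical placeholders.
Connect-ExchangeOnline

$baseline  = 'SA-Baseline-DynamicDelivery'
$highRisk  = 'SA-HighRisk-Block'
$riskGroup = 'finance-team@example.com'   # placeholder mail-enabled group

# -Action values: Allow = Monitor, Block = Block, DynamicDelivery = Dynamic Delivery.
# -Enable $true turns scanning on; with $false the policy does nothing.
$wanted = @(
    @{ Name = $baseline; Enable = $true; Action = 'DynamicDelivery' },
    @{ Name = $highRisk; Enable = $true; Action = 'Block' }
)

# Create each policy only if it does not exist yet, so the script can be re-run.
$existingPolicies = @(Get-SafeAttachmentPolicy).Name
foreach ($p in $wanted) {
    if ($existingPolicies -notcontains $p.Name) {
        New-SafeAttachmentPolicy @p | Out-Null
    }
}

# A policy protects nobody until a rule assigns it to recipients.
$existingRules = @(Get-SafeAttachmentRule).Name

if ($existingRules -notcontains "${baseline}-Rule") {
    # Baseline scope: every accepted domain in the tenant.
    New-SafeAttachmentRule -Name "${baseline}-Rule" `
        -SafeAttachmentPolicy $baseline `
        -RecipientDomainIs (Get-AcceptedDomain).Name | Out-Null
}

if ($existingRules -notcontains "${highRisk}-Rule") {
    # Priority 0 is evaluated first, so group members get Block
    # instead of falling through to the baseline rule.
    New-SafeAttachmentRule -Name "${highRisk}-Rule" `
        -SafeAttachmentPolicy $highRisk `
        -SentToMemberOf $riskGroup `
        -Priority 0 | Out-Null
}

# Review the resulting evaluation order.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Priority, Name, State, SafeAttachmentPolicy
```

For a pilot, set Action to 'Allow' (Monitor) on a rule scoped to a test group, then change it to 'Block' or 'DynamicDelivery' before widening the scope.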
Reporting and Investigation
Security analysts can review:
- Detonated file results
- Detection verdicts
- Threat Explorer (Plan 2)
- Quarantine reports
Search by:
- File name
- File hash
- Sender
- Detection type
Common Misconfigurations
- Safe Attachments only enabled for limited users
- Monitor mode left enabled in production
- Dynamic delivery disabled unnecessarily
- Preset policies overridden by weaker custom rules
- Not applied to internal emails
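Several of these misconfigurations can be checked from Exchange Online PowerShell. The script below is an added audit example, not part of the original guide; it assumes an existing Connect-ExchangeOnline session, and the domain coverage check is a heuristic that only looks at custom rules scoped by domain.

```powershell
# Added audit example; read-only, assumes an existing Connect-ExchangeOnline session.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Item, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Item = $Item; Issue = $Issue })
}

$policies = @(Get-SafeAttachmentPolicy)
$rules    = @(Get-SafeAttachmentRule | Where-Object State -eq 'Enabled')

foreach ($rule in $rules) {
    $policy = $policies | Where-Object Name -eq $rule.SafeAttachmentPolicy
    if (-not $policy) { continue }

    if (-not $policy.Enable) {
        Add-Finding $rule.Name 'Scanning is off in the attached policy (Enable = False)'
    } elseif ($policy.Action -eq 'Allow') {
        # Action = Allow is Monitor: detections are logged, files are still delivered.
        Add-Finding $rule.Name 'Monitor mode left on (Action = Allow)'
    }

    # Exceptions carve recipients out of an otherwise broad rule.
    $exceptions = @($rule.ExceptIfSentTo) + @($rule.ExceptIfSentToMemberOf) +
                  @($rule.ExceptIfRecipientDomainIs) | Where-Object { $_ }
    if ($exceptions) {
        Add-Finding $rule.Name "Rule has exceptions: $($exceptions -join ', ')"
    }
}

# Heuristic: accepted domains that no enabled custom rule names explicitly.
# They may still be covered by a preset policy or a user/group-scoped rule.
$covered = $rules | ForEach-Object { $_.RecipientDomainIs } | ForEach-Object { "$_" }
foreach ($domain in (Get-AcceptedDomain).Name) {
    if ($covered -notcontains $domain) {
        Add-Finding $domain 'No enabled custom rule lists this domain; confirm other coverage'
    }
}

# Mail flow rules that stamp this header make messages skip Safe Attachments.
$skipHeader = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
Get-TransportRule | Where-Object { $_.SetHeaderName -eq $skipHeader } | ForEach-Object {
    Add-Finding $_.Name "Mail flow rule sets $skipHeader"
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result means none of these checks fired; it does not prove that every mailbox is covered.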
Limitations to Understand
Safe Attachments focuses on file-based threats.
However:
- It analyzes file behavior, not user interaction.
- Embedded links inside documents may not be malicious at detonation time.
- A document may contain URLs that later redirect to malicious sites.
- Zero-day link-based threats inside attachments may not be detected if the file itself behaves benignly.
Safe Attachments primarily detects malicious file behavior, not all future URL redirections triggered by user clicks.
Extending Protection for Advanced and Zero-Day Threats
While Safe Attachments reduces malicious file delivery risk, additional controls may be required for:
- Zero-day threats
- Weaponized links embedded in documents
- Delayed payload activation
- Social engineering-driven user interaction
Browser isolation technologies provide an additional containment layer by opening attachments or extracted links in a controlled remote environment instead of directly on the endpoint.
For example:
With the CyberCheck360 Outlook add-on, users can open attachments or suspicious links inside files in an isolated browser session. This helps contain threats even if:
- The file itself appears safe
- Embedded links become malicious later
- The threat relies on user interaction rather than file behavior
A layered approach combining:
- Safe Attachments (sandbox detonation)
- Safe Links (time-of-click URL scanning)
- Browser isolation (post-click containment)
provides stronger protection against advanced phishing and zero-day campaigns.
Frequently Asked Questions (FAQ)
What is the difference between Safe Attachments and Safe Links?
Safe Attachments analyzes file attachments in a sandbox.
Safe Links scans URLs at time-of-click.
Does Safe Attachments delay email delivery?
If Dynamic Delivery is enabled, the message body is delivered immediately while attachments are scanned in the background.
Is Safe Attachments included in Exchange Online Protection?
No. It requires Defender for Office 365 Plan 1 or Plan 2.
Should I use Monitor or Block mode?
Use Monitor for testing.
Use Block in production environments to prevent malicious file delivery.
Can Safe Attachments detect zero-day threats?
It can detect unknown threats based on behavior analysis.
However, threats that rely on user interaction or malicious links embedded in otherwise benign documents may require additional containment controls.
Summary
Safe Attachments is a critical protection layer in Microsoft Defender for Office 365. It prevents malicious file delivery through sandbox detonation and behavioral analysis.
To ensure effective protection:
- Enable Safe Attachments across all users
- Configure Dynamic Delivery
- Use Block mode in production
- Monitor detonation results regularly
For enhanced protection against zero-day link-based threats embedded within documents, consider layering sandbox analysis with browser isolation technologies such as CyberCheck360 Safe Browsing for links and files.
A layered security model provides stronger resilience against modern attachment-based phishing attacks.