Email remains one of the most common vectors for delivering malware — and traditional signature-based scanning simply cannot catch every threat. Safe Attachments in Microsoft Defender for Office 365 closes this gap by detonating email attachments in a virtual sandbox environment before they ever reach a recipient's inbox [1]. Going well beyond the built-in anti-malware scanning provided by Exchange Online Protection (EOP), Safe Attachments adds a critical layer of defense against zero-day threats and unknown malware [1].

A few things worth knowing upfront. All Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides, so your content never leaves your data boundary [1]. Even without any manual configuration, the Built-in protection preset security policy provides baseline Safe Attachments coverage to all recipients not already covered by Standard, Strict, or custom policies [1]. And if you have not yet licensed Defender for Office 365, Microsoft offers a free 90-day trial of Plan 2 features through the Defender portal trials hub [1].

This guide walks through every option for enabling, configuring, and verifying Safe Attachments across your Microsoft 365 environment.

Prerequisites and Required Permissions

Before configuring Safe Attachments policies, confirm the following requirements are in place:

Licensing. Your organization needs Microsoft Defender for Office 365 Plan 1 or Plan 2. Plan 1 covers Safe Attachments and Safe Links; Plan 2 adds advanced investigation and response capabilities [2].

Role assignments. Administrators who create or manage Safe Attachments policies must hold the Organization Management or Security Administrator role in the Microsoft Defender portal, or the Global Administrator or Security Administrator role in Microsoft Entra [2].

Audit logging. Audit logging must be enabled — it is on by default — for Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to function properly [4].

PowerShell access. If you plan to manage policies via PowerShell, connect to Exchange Online PowerShell using the Connect-ExchangeOnline cmdlet before running any Safe Attachments commands [10].

Understanding Safe Attachments Actions: Off, Monitor, Block, and Dynamic Delivery

Every Safe Attachments policy requires you to select an unknown malware response action. There are four options, each with distinct behavior and trade-offs [1]:

Off. Disables Safe Attachments scanning entirely for the policy. Reserve this for cases where you need to temporarily exempt specific recipients from scanning — typically for troubleshooting.

Monitor. Delivers the message with its attachment regardless of the scanning result, but tracks what happens. This is the only action that supports redirecting messages with detected attachments to a specified email address for further analysis [2]. Monitor works well during an initial rollout when you want to observe detection rates before enforcing a blocking action.

Block. Prevents delivery of messages containing malicious attachments. The message and attachment are quarantined, and future instances of the same message-and-attachment combination are automatically blocked [1]. Microsoft recommends Block as the unknown malware response for both the Standard and Strict security baselines [5].

Dynamic Delivery. Delivers messages to the recipient immediately but replaces attachments with placeholder files until scanning completes — typically within 15 minutes [1]. If the attachment clears, it becomes available to the user; if it is flagged as malicious, the message is quarantined. This option minimizes mail delivery delays while still providing protection.

That said, Dynamic Delivery has notable limitations: it works only for Exchange Online mailboxes and does not support public folders, messages routed out and back into a mailbox via custom mail flow rules, deleted messages, or S/MIME encrypted messages [1].

For most organizations, Block is the right choice. It provides the strongest protection and aligns with both Microsoft's recommended settings and CISA's SCuBA minimum viable secure configuration baselines [5][11].

Option 1: Using Preset Security Policies (Recommended)

For the majority of organizations, Microsoft recommends using the Standard and Strict preset security policies rather than building custom policies from scratch [2]. These presets bundle Safe Attachments with other Defender for Office 365 protections, all configured to Microsoft's recommended settings.

Preset policies follow a defined evaluation order: Strict is evaluated first, then Standard, then any custom policies sorted by priority number (lower number equals higher priority), and finally the Built-in protection policy [2]. In practice, this means a user covered by the Strict preset will always receive Strict-level protections, even if a custom policy also targets them.

Both presets use Block as the unknown malware response action [5]. The default quarantine policy applied to Safe Attachments detections is AdminOnlyAccessPolicy, meaning only administrators can review, release, or delete quarantined messages [5]. End users cannot release messages quarantined as malware by Safe Attachments regardless of how the quarantine policy is configured — they can only request release [1].

This approach aligns with CISA's SCuBA project, which provides minimum viable secure configuration baselines for Microsoft 365 services including Defender for Office 365 [11]. If your organization does not need granular per-group policy variations, preset policies are the fastest path to strong protection.

Option 2: Creating Custom Safe Attachments Policies via the Defender Portal

When you need different Safe Attachments settings for different groups of users — say, a more permissive policy for a security research team — custom policies give you that flexibility.

Step 1: Open the Safe Attachments page. In the Microsoft Defender portal, navigate to the Safe Attachments policy page under Email & Collaboration > Policies & Rules > Threat policies [2].

Step 2: Create a new policy. Click Create and give your policy a descriptive name and optional description.

Step 3: Configure recipient filters. Target the policy to specific Users, Groups (distribution groups or mail-enabled security groups), or Domains. Conditions use AND logic — all specified conditions must match — while exceptions use OR logic, meaning any single exception excludes the recipient [2].

Step 4: Select the malware response action. Choose your unknown malware response. Block is recommended for most scenarios [5].

Step 5: Set priority. Assign a priority number to your custom policy. A lower number means higher priority [2]. Keep in mind that custom policies are always evaluated after Strict and Standard presets.

Step 6: Save and wait. New or updated policies may take up to 30 minutes to propagate across your environment [2].

Option 3: Deploying Safe Attachments Policies via PowerShell

PowerShell is ideal for automation, scripted deployments, and managing policies across multiple tenants. Once you are connected, creating a Safe Attachments policy in PowerShell is a two-step process: create the policy that defines the scanning behavior, then create the rule that applies it to recipients [2].

Step 1: Connect to Exchange Online PowerShell.

```powershell
Connect-ExchangeOnline
```

Step 2: Create the Safe Attachment policy. This defines the scanning behavior:

```powershell
New-SafeAttachmentPolicy -Name "Contoso Block Policy" `
  -Action Block `
  -Enable $true
```

The -Action parameter accepts Off, Allow (Monitor), Block, or Replace (Dynamic Delivery) [7].

Step 3: Create the Safe Attachment rule. This associates the policy with specific recipients:

```powershell
New-SafeAttachmentRule -Name "Contoso Block Rule" `
  -SafeAttachmentPolicy "Contoso Block Policy" `
  -RecipientDomainIs "contoso.com"
```

You can scope the rule using -SentTo for specific users, -SentToMemberOf for groups, or -RecipientDomainIs for entire domains [8].

As with portal-created policies, the same 30-minute propagation delay applies before the policy takes effect [2].
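The following script is an added example, not taken from the Microsoft documentation cited above. It puts the recipient filters, exceptions and priority ordering described in Options 2 and 3 into one idempotent deployment: a domain-wide Block policy, plus a Monitor policy with redirect for a research group that is exempted from the Block rule. It assumes Connect-ExchangeOnline has already run; the domain, group and mailbox names are placeholders.

```powershell
# Added example, not from the cited Microsoft docs. Deploys a domain-wide Block
# policy plus a Monitor (Allow) policy with redirect for a research group that is
# exempted from the Block rule. Assumes Connect-ExchangeOnline has already run;
# the domain, group and mailbox names below are placeholders.

$Domain        = "contoso.com"                   # placeholder accepted domain
$ResearchGroup = "secresearch@contoso.com"       # placeholder mail-enabled security group
$RedirectTo    = "soc-detonations@contoso.com"   # placeholder mailbox for redirected samples

function Ensure-SafeAttachmentPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block', 'Replace')] [string] $Action,
        [string] $RedirectAddress
    )
    # AdminOnlyAccessPolicy is the default quarantine policy for Safe Attachments detections
    $settings = @{ Action = $Action; Enable = $true; QuarantineTag = 'AdminOnlyAccessPolicy' }
    if ($RedirectAddress) {
        # Redirecting detected messages is only supported with the Monitor (Allow) action
        $settings.Redirect        = $true
        $settings.RedirectAddress = $RedirectAddress
    }
    if (Get-SafeAttachmentPolicy -Identity $Name -ErrorAction SilentlyContinue) {
        Set-SafeAttachmentPolicy -Identity $Name @settings
    } else {
        New-SafeAttachmentPolicy -Name $Name @settings
    }
}

function Ensure-SafeAttachmentRule {
    param([string] $Name, [hashtable] $Scope)
    if (Get-SafeAttachmentRule -Identity $Name -ErrorAction SilentlyContinue) {
        Set-SafeAttachmentRule -Identity $Name @Scope
    } else {
        New-SafeAttachmentRule -Name $Name @Scope
    }
}

Ensure-SafeAttachmentPolicy -Name "Contoso Block Policy"    -Action Block
Ensure-SafeAttachmentPolicy -Name "Research Monitor Policy" -Action Allow -RedirectAddress $RedirectTo

# Lower Priority wins. The group-scoped Monitor rule sits at 0 and the domain-wide
# Block rule at 1 with the group excluded, so no recipient matches both rules.
Ensure-SafeAttachmentRule -Name "Research Monitor Rule" -Scope @{
    SafeAttachmentPolicy = "Research Monitor Policy"; SentToMemberOf = $ResearchGroup; Priority = 0 }
Ensure-SafeAttachmentRule -Name "Contoso Block Rule" -Scope @{
    SafeAttachmentPolicy = "Contoso Block Policy"; RecipientDomainIs = $Domain
    ExceptIfSentToMemberOf = $ResearchGroup; Priority = 1 }

# Show the resulting evaluation order (allow up to 30 minutes before it is enforced)
Get-SafeAttachmentRule | Sort-Object Priority | Format-Table Name, Priority, State, SafeAttachmentPolicy
```

Re-running the script is safe: existing policies and rules are updated in place rather than duplicated.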

Enabling Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is a separate global setting, distinct from the email-focused policies described above [3]. When enabled, it detonates files stored in these services in a virtual environment, including checking password-protected files against lists of known passwords used by malicious actors [3].

When a file is identified as malicious, it is locked through direct integration with the file stores. Users cannot open, copy, move, or share a locked file — though they can still delete it [3]. Importantly, Defender for Office 365 does not scan every file. Files are evaluated asynchronously using sharing and guest activity events along with smart heuristics and threat signals [3].

The Built-in protection preset security policy enables this setting by default [5], but you can also enable it manually.

Via the Defender portal: Navigate to Settings > Email & Collaboration > Safe Attachments and toggle on the option for SharePoint, OneDrive, and Microsoft Teams.

Via PowerShell:

```powershell
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

Microsoft also recommends blocking downloads of infected files by running the following SharePoint Online PowerShell command [4]:

```powershell
Set-SPOTenant -DisallowInfectedFileDownload $true
```

This prevents users from downloading files that Safe Attachments has flagged as malicious, closing a potential gap where someone might download a harmful file before it can be remediated [12].

Setting Up Alerts and Verifying Your Configuration

With Safe Attachments enabled, the final step is making sure you have full visibility into what it detects.

Create an alert policy. Microsoft recommends creating an alert policy that notifies administrators when a malicious file is detected in SharePoint, OneDrive, or Teams [4]. Use the Detected malware in file activity trigger:

```powershell
# New-ProtectionAlert is a Security & Compliance PowerShell cmdlet: run it in a
# Connect-IPPSSession session rather than the Exchange Online session used above.
New-ProtectionAlert -Name "Malicious Files in Libraries" `
  -Category ThreatManagement `
  -ThreatType Activity `
  -Operation FileMalwareDetected `
  -NotifyUser "[email protected]"
```

Replace [email protected] with the email address of the administrator or security team distribution list that should receive notifications [4].

Verify policy status. Confirm your policies are active by reviewing them in the Defender portal under the Safe Attachments policy page, or by running Get-SafeAttachmentPolicy in PowerShell to check each policy's configuration and state.

Monitor the quarantine. Because the default quarantine policy is AdminOnlyAccessPolicy, end users will not see items quarantined by Safe Attachments [5]. Make it a habit to regularly review the quarantine in the Defender portal — both to release any false positives and to investigate detected threats.

Review threat reports. The Defender portal includes threat protection status reports that show Safe Attachments detection trends over time. Use these reports to confirm scanning is active and to spot patterns in the types of threats targeting your organization.

Validate against security baselines. CISA's SCuBA project provides additional validation benchmarks for Microsoft 365 security configurations [11]. Running your tenant against these baselines can surface gaps in your Safe Attachments setup and other Defender for Office 365 protections.
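As an added example (not from the Microsoft documentation or the SCuBA project cited here), the following function turns the verification steps above into one repeatable check: it walks every enabled Safe Attachments rule, the global SharePoint/OneDrive/Teams switch, the infected-file download setting and the alert policy, and reports each deviation from the settings this guide recommends. It assumes live sessions from Connect-ExchangeOnline, Connect-IPPSSession (Security & Compliance PowerShell, needed for Get-ProtectionAlert) and Connect-SPOService (needed for Get-SPOTenant), and that Get-ProtectionAlert exposes Operation and Disabled properties matching its parameters.

```powershell
# Added example, not from the cited Microsoft docs. Audits a tenant against the
# settings this guide recommends and returns one line per gap. Assumes live sessions
# from Connect-ExchangeOnline, Connect-IPPSSession (Security & Compliance PowerShell,
# needed for Get-ProtectionAlert) and Connect-SPOService (needed for Get-SPOTenant).

function Test-SafeAttachmentBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Every enabled rule should apply an enabled policy whose action is Block and
    #    whose quarantine policy keeps release admin-only.
    foreach ($rule in Get-SafeAttachmentRule | Where-Object State -eq 'Enabled') {
        $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
        if (-not $policy.Enable) {
            $findings.Add("Rule '$($rule.Name)' applies disabled policy '$($policy.Name)'")
        } elseif ($policy.Action -ne 'Block') {
            $findings.Add("Rule '$($rule.Name)' (priority $($rule.Priority)) uses action $($policy.Action), not Block")
        }
        if ($policy.QuarantineTag -ne 'AdminOnlyAccessPolicy') {
            $findings.Add("Policy '$($policy.Name)' uses quarantine policy $($policy.QuarantineTag)")
        }
    }

    # 2. SharePoint, OneDrive and Teams scanning is one global switch.
    if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
        $findings.Add("Safe Attachments for SharePoint, OneDrive and Teams is off")
    }

    # 3. Files flagged as malicious should not be downloadable.
    if (-not (Get-SPOTenant).DisallowInfectedFileDownload) {
        $findings.Add("DisallowInfectedFileDownload is false; flagged files can still be downloaded")
    }

    # 4. An enabled alert policy must cover the FileMalwareDetected operation.
    $alerts = Get-ProtectionAlert | Where-Object {
        $_.Operation -contains 'FileMalwareDetected' -and -not $_.Disabled }
    if (-not $alerts) {
        $findings.Add("No enabled alert policy fires on FileMalwareDetected")
    }

    return $findings
}

$gaps = Test-SafeAttachmentBaseline
if ($gaps.Count -eq 0) { "Safe Attachments baseline satisfied" } else { $gaps }
```

Schedule the check after any policy change and allow for the 30-minute propagation window before treating a reported gap as real.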

By combining preset or custom policies with SharePoint/OneDrive/Teams protection and proactive alerting, you establish a comprehensive defense against malicious attachments across your entire Microsoft 365 environment.

Sources

  1. Safe Attachments in Microsoft Defender for Office 365 - Microsoft Learn
  2. Set up Safe Attachments policies in Microsoft Defender for Office 365 - Microsoft Learn
  3. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Microsoft Learn
  4. Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Microsoft Learn
  5. Recommended settings for EOP and Microsoft Defender for Office 365 security - Microsoft Learn
  6. Preset security policies in EOP and Microsoft Defender for Office 365 - Microsoft Learn
  7. New-SafeAttachmentPolicy cmdlet reference - Microsoft Learn
  8. New-SafeAttachmentRule cmdlet reference - Microsoft Learn
  9. Set-AtpPolicyForO365 cmdlet reference - Microsoft Learn
  10. Connect to Exchange Online PowerShell - Microsoft Learn
  11. CISA Secure Cloud Business Applications (SCuBA) Project
  12. Set-SPOTenant cmdlet reference - Microsoft Learn