DEMO: Configure Safe Attachments
Start course

This course shows how to set up Microsoft Defender for Microsoft 365 through a series of practical demonstrations from the Microsoft 365 platform. You will learn about some general cybersecurity practices before being shown how Microsoft Defender can help you implement them.

Learning Objectives

  • Understand how to protect against phishing, malware, and spam using Microsoft Defender
  • Learn about safe links and safe attachments and configure them
  • Learn how to enable zero-day malware protection

Intended Audience

This course is intended for those who wish to learn how to configure protection in Microsoft Defender for Office 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Hello, and welcome back. In this demonstration here, I'm gonna show you how to create a Safe Attachment policy. So on the screen here, I'm logged in as the global admin into my Security and Compliance page. And from here to create our policy, we do what we did with our other policies. We browse down to Threat Management and then select Policy. At this point, this page should look a little familiar, and we can see under Policies, we have Safe Attachments.

So we'll go ahead and select Safe Attachments. And then we can see on the Policy page for Safe Attachments, we don't have any default policies. So if we want to get the protection of Safe Attachments, we need to create a policy here. And that's what we're gonna do. So we'll go ahead and click Create.

Now, much in the same way that we did with our other policies, we have to provide some information about our policy. We need to provide a name, we need to specify the settings, we need to tell the policy who it applies to, we can then review our settings and create the policy. So I'm just going to call this policy Safe Attachments Policy. And again, the description is not mandatory, so I'll skip that. And then in the settings blade here, we have some choices to make.

The very first thing we have to do here is choose an option for Safe Attachments unknown malware response. Essentially, what this is is, this is the action we want the policy to take if it encounters unknown malware in an attachment. We can see here we have an option to leave it off, we can monitor, we can block, we can replace, or we can use this preview feature, which may or may not be there by the time you watch this course, and this preview feature is dynamic delivery.

Now, if we turn it off or if we leave it off, I should say, attachments aren't scanned for malware by Safe Attachments. They don't even get scanned. Now, I should mention though, when I say that, I mean that they're not scanned by this policy. They'd still be scanned for malware using the anti-malware protection. So keep that in mind. Remember, you have different levels of protection in each of these policies, and some of them overlap a little bit.

The Monitor option allows us to ensure that the messages get delivered with the attachments. But then what it'll do is it'll track what happens with the detected malware. When you select this option, delivery of these messages might get delayed due to the safe attachment scanning. That's going to happen. The Block option prevents the messages with any kind of detected malware attachments from being delivered.

Now, I should mention that, when you choose the Block option, messages are quarantined so that only admins can review, release or delete them. And what also happens is that future instances of the messages and attachments are also blocked. Now, the Replace option removes detected malware attachments. It also notifies the recipients that attachments have been removed. The messages are then quarantined, so an admin can review, release or delete the message. And then this Dynamic Delivery option, what this does is it delivers the message immediately, but it replaces the attachments with placeholders until safe attachment scanning is completed.

So basically it allows you to avoid message delays while still protecting recipients from malicious files. What we'll do here for this option is, we'll just turn it on and set it to Block, and then we have this option here for redirect attachment on deletion. Basically what this does is allow us to send any blocked or monitored or replaced attachments to a specific email address, maybe to an administrator.

If we hover over the icon here for Enable Redirect, this allows us to choose whether or not we want to have blocked or replaced messages with attachment, automatically redirected to a specific email address. And then, of course, you can specify the address you want to redirect to in this box here. And down the bottom here, we have this last option. And what this checkbox does, is allow us to apply the above selection, if malware scanning for attachments times out, or if there are errors.

Now, if we're enabling redirect here, we wanna have this turned on because if we don't, we could have some messages lost, if they are, in fact, timeouts or errors. Now, we're not gonna do any redirect here, so we'll uncheck this and we'll go ahead and click Next. And then, of course, we have the applied to section.

Again, we can either configure this policy so it applies to specific people or accepts certain people. What we're gonna do here is we're going to select the domain, and we'll Next it, and now we can review our settings and then finish the creation of the policy. So at this point, we now have a safe attachment policy applied to the users within our domain. And with that, you now know how to create a Safe Attachments policy using the Office 365 Security and Compliance Center.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.