• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
• You need to be assigned permissions before you can do the procedures in this article. You have the following options:
  • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
  • Email & collaboration RBAC in the Microsoft 365 Defender portal and Exchange Online RBAC:
    • Create, modify, and delete policies: Membership in the Organization Management or Security Administrator role groups in Email & collaboration RBAC and membership in the Organization Management role group in Exchange Online RBAC.
    • Read-only access to policies: Membership in one of the following role groups:
      • Global Reader or Security Reader in Email & collaboration RBAC.
      • View-Only Organization Management in Exchange Online RBAC.
  • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
• For our recommended settings for Safe Attachments policies, see Safe Attachments settings.
• Allow up to 30 minutes for a new or updated policy to be applied.

 

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section.Or, to go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
2. On the Safe Attachments page, select  Create to start the new Safe Attachments policy wizard.
3. On the Name your policy page, configure these settings:
   • Name: Enter a unique, descriptive name for the policy.
   • Description: Enter an optional description for the policy.

   When you’re finished on the Name your policy page, select Next.

4. On the Users and domains page, identify the internal recipients that the policy applies to (recipient conditions):
   • Users: The specified mailboxes, mail users, or mail contacts.
   • Groups:
     • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
     • The specified Microsoft 365 Groups.
   • Domains: All recipients in the specified accepted domains in your organization.

   Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select  next to the value.

   For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (*) by itself to see all available values.

   Multiple values in the same condition use OR logic (for example, <recipient1> or <recipient2>). Different conditions use AND logic (for example, <recipient1> and <member of group 1>).

   • Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

    Important

   Multiple different types of conditions or exceptions are not additive; they’re inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

   • Users: romain@contoso.com
   • Groups: Executives

   The policy is applied to romain@contoso.com only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy is not applied to him.

   Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy still applies to him.

   When you’re finished on the Users and domains page, select Next.

5. On the Settings page, configure the following settings:
   • Safe Attachments unknown malware response: Select one of the following values:
     • Off
     • Monitor
     • Block: This is the default value, and the recommended value in Standard and Strict preset security policies.
     • Replace: This action will be deprecated. For more information, see MC424901.
     • Dynamic Delivery (Preview messages)

     These values are explained in Safe Attachments policy settings.

   • Quarantine policy: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (Block, Replace, or Dynamic Delivery). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

     By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see Anatomy of a quarantine policy.

      Note

     Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.

     Users can’t release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

   • Redirect messages with detected attachments: If you select Enable redirect, you can specify an email address in the Send messages that contain monitored attachments to the specified email address box to send messages that contain malware attachments for analysis and investigation.

      Note

     Redirection is available only for the Monitor action. For more information, see MC424899.

   • Apply the Safe Attachments detection response if scanning can’t complete (timeout or errors): The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can’t complete.

   When you’re finished on the Settings page, select Next.

6. On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.

   When you’re finished on the Review page, select Submit.

7. On the New Safe Attachments policy created page, you can select the links to view the policy, view Safe Attachments policies, and learn more about Safe Attachments policies.

   When you’re finished on the New Safe Attachments policy created page, select Done.

   Back on the Safe Attachments page, the new policy is listed.

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.

On the Safe Attachments page, the following properties are displayed in the list of policies:

• Name
• Status: Values are On or Off.
• Priority: For more information, see the Set the priority of Safe Attachments policies section.

To change the list of policies from normal to compact spacing, select  Change list spacing to compact or normal, and then select  Compact list.

Use the  Search box and a corresponding value to find specific Safe Attachment policies.

Use  Export to export the list of policies to a CSV file.

Use  View reports to open the Threat protection status report.

Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.