Setting Up Safe Attachments Policies in Microsoft Defender for Office 365

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they’re delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there’s no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren’t defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Attachments policies that apply to specific users, group, or domains. For instructions, see Set up Safe Attachments policies in Microsoft Defender for Office 365.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at To go directly to the Safe Attachments page, use
  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:
    • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
    • Email & collaboration RBAC in the Microsoft 365 Defender portal and Exchange Online RBAC:
      • Create, modify, and delete policies: Membership in the Organization Management or Security Administrator role groups in Email & collaboration RBAC and membership in the Organization Management role group in Exchange Online RBAC.
      • Read-only access to policies: Membership in one of the following role groups:
        • Global Reader or Security Reader in Email & collaboration RBAC.
        • View-Only Organization Management in Exchange Online RBAC.
    • Azure AD RBAC: Membership in the Global AdministratorSecurity AdministratorGlobal Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
  • For our recommended settings for Safe Attachments policies, see Safe Attachments settings.
  • Allow up to 30 minutes for a new or updated policy to be applied.


Use the Microsoft 365 Defender portal to create Safe Attachments policies

  1. In the Microsoft 365 Defender portal at, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section.Or, to go directly to the Safe Attachments page, use
  2. On the Safe Attachments page, select  Create to start the new Safe Attachments policy wizard.
  3. On the Name your policy page, configure these settings:
    • Name: Enter a unique, descriptive name for the policy.
    • Description: Enter an optional description for the policy.

    When you’re finished on the Name your policy page, select Next.

  4. On the Users and domains page, identify the internal recipients that the policy applies to (recipient conditions):
    • Users: The specified mailboxes, mail users, or mail contacts.
    • Groups:
      • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
      • The specified Microsoft 365 Groups.
    • Domains: All recipients in the specified accepted domains in your organization.

    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select  next to the value.

    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (*) by itself to see all available values.

    Multiple values in the same condition use OR logic (for example, <recipient1> or <recipient2>). Different conditions use AND logic (for example, <recipient1> and <member of group 1>).

    • Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.


    Multiple different types of conditions or exceptions are not additive; they’re inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

    • Users:
    • Groups: Executives

    The policy is applied to only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy is not applied to him.

    Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy still applies to him.

    When you’re finished on the Users and domains page, select Next.

  5. On the Settings page, configure the following settings:
    • Safe Attachments unknown malware response: Select one of the following values:
      • Off
      • Monitor
      • Block: This is the default value, and the recommended value in Standard and Strict preset security policies.
      • Replace: This action will be deprecated. For more information, see MC424901.
      • Dynamic Delivery (Preview messages)

      These values are explained in Safe Attachments policy settings.

    • Quarantine policy: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (BlockReplace, or Dynamic Delivery). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

      By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see Anatomy of a quarantine policy.


      Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.

      Users can’t release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

    • Redirect messages with detected attachments: If you select Enable redirect, you can specify an email address in the Send messages that contain monitored attachments to the specified email address box to send messages that contain malware attachments for analysis and investigation.


      Redirection is available only for the Monitor action. For more information, see MC424899.

    • Apply the Safe Attachments detection response if scanning can’t complete (timeout or errors): The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can’t complete.

    When you’re finished on the Settings page, select Next.

  6. On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.

    When you’re finished on the Review page, select Submit.

  7. On the New Safe Attachments policy created page, you can select the links to view the policy, view Safe Attachments policies, and learn more about Safe Attachments policies.

    When you’re finished on the New Safe Attachments policy created page, select Done.

    Back on the Safe Attachments page, the new policy is listed.

Use the Microsoft 365 Defender portal to view Safe Attachments policy details

In the Microsoft 365 Defender portal at, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use

On the Safe Attachments page, the following properties are displayed in the list of policies:

  • Name
  • Status: Values are On or Off.
  • Priority: For more information, see the Set the priority of Safe Attachments policies section.

To change the list of policies from normal to compact spacing, select  Change list spacing to compact or normal, and then select  Compact list.

Use the  Search box and a corresponding value to find specific Safe Attachment policies.

Use  Export to export the list of policies to a CSV file.

Use  View reports to open the Threat protection status report.

Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.