AD2.3 Safe Attachments: Sandboxing Before Delivery

5-6 hours · Module 2 · Free
Operational Objective
Email attachments remain one of the most effective malware delivery mechanisms. A weaponised Word document, Excel spreadsheet, or PDF can execute code the moment a user opens it — downloading additional payloads, establishing persistence, and compromising the endpoint before any antivirus has a chance to react. EOP catches known malware by signature matching, but it misses polymorphic malware, new variants, and documents that use legitimate features (macros, DDE, OLE) to download payloads from external sources. Safe Attachments opens every attachment in a sandbox before delivering it to the user — if the attachment executes code, connects to external servers, or exhibits malicious behavior, it's blocked before the user ever sees it. This subsection walks you through configuring Safe Attachments with dynamic delivery so users get their emails immediately while attachments are scanned in the background.
Deliverable: A production Safe Attachments policy configured with dynamic delivery, tested, and deployed to all users — sandboxing every attachment before it reaches inboxes.
Estimated completion: 25 minutes
[Figure AD2.3: Safe Attachments, Dynamic Delivery mode. Panel 1, Email arrives: attachment detected; email body delivered now; attachment placeholder shown ("Attachment is being scanned"); no email delay for the user. Panel 2, Sandbox scan: attachment opened in a VM; macros executed; network activity monitored; file system changes tracked; typically 1-5 minutes. Outcome CLEAN: attachment delivered to inbox, placeholder replaced with the file. Outcome MALICIOUS: attachment blocked, user notified, admin alerted, email body still in inbox. Delivery modes: Dynamic (body now, attachment later, recommended); Block (hold entire email until done); Replace (deliver without attachment); Monitor (scan but don't block).]

Figure AD2.3 — Safe Attachments with Dynamic Delivery. The email body is delivered immediately. The attachment is sandboxed in a VM — macros executed, network connections monitored, file system changes tracked. Clean attachments are delivered after scanning (1-5 minutes). Malicious attachments are blocked. Users experience minimal delay.

Creating the Safe Attachments policy

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Attachments. Click "Create" to build a new policy.

Name: "Safe Attachments — All Users"

Users and domains: Include → All recipients.

Settings:

Safe Attachments unknown malware response: Select Dynamic Delivery. This is the recommended setting for most organizations. The email body arrives immediately — the user can read the message and see that an attachment exists. The attachment is held for sandbox scanning (typically 1-5 minutes) and then delivered if clean. If malicious, the attachment is blocked and the user receives a notification.

The other options exist for specific use cases. "Block" holds the entire email (body and attachment) until scanning completes — this is more secure but creates noticeable email delays. "Replace" delivers the email without the attachment and appends a notification — useful for environments where users should never receive unknown attachments. "Monitor" scans but doesn't block — useful during initial deployment to measure the impact without affecting email flow. For production deployment, Dynamic Delivery is the right choice: it minimizes user impact while providing full protection.

Redirect attachment on detection: Enable this and enter your admin email address (or a shared mailbox you monitor). When Safe Attachments blocks a malicious attachment, a copy is sent to this address for review. This gives you visibility into what's being blocked without needing to check the portal daily — the blocked attachments come to you.

Apply the above selection if scanning times out or errors occur: Enable this. If the sandbox scan fails or times out, the attachment is treated as if it were malicious (blocked). Better to delay a legitimate attachment than to deliver a potentially malicious one because the scanner had a hiccup.

Click "Submit" to create the policy.

What Dynamic Delivery looks like for users

When a user receives an email with an attachment while scanning is in progress, they see the email body normally. In place of the attachment, they see a placeholder: "Safe Attachments is scanning this attachment. It will be available shortly." If they're using Outlook desktop, the placeholder updates automatically when scanning completes — the attachment appears without the user needing to do anything.

If the user needs the attachment urgently and scanning hasn't completed, they wait. This is the one scenario where Safe Attachments creates user friction. The wait is typically 1-5 minutes for standard Office documents, and up to 10 minutes for complex files or password-protected archives. Communicate this to users during deployment: "Attachments may take a few extra minutes to appear. This is because they're being scanned for malware in a secure sandbox before delivery."

If scanning completes and the attachment is clean, it appears normally. If the attachment is malicious, it's removed and the user receives a notification: "An attachment in this email has been blocked because it was found to contain malicious content." The email body remains in the inbox — only the attachment is removed.

Monitoring Safe Attachments effectiveness

After deploying the policy, track its effectiveness through two channels.

The redirect mailbox. Every blocked attachment is sent to your redirect address. Check this mailbox weekly. Each blocked attachment tells you: what type of malware is targeting your organization (ransomware droppers, credential stealers, remote access trojans), which file formats attackers are using (Word macros, Excel 4.0 macros, PDF exploits, ISO/IMG container files), and which users are being targeted (is it random or focused on specific departments?). Over time, this data shapes your security awareness messaging — if 80% of blocked attachments are Word documents with macros, your user training should emphasise "never enable macros in unexpected documents."

The Defender reports. Navigate to security.microsoft.com → Reports → Email & collaboration → Threat protection status. Filter by "Detection type: Safe Attachments." This shows the volume of attachments scanned, the percentage blocked, and the file types involved. Track this monthly — a sudden spike in blocked attachments may indicate a targeted campaign.

You can also verify that Safe Attachments is working via PowerShell by reading the policy settings back from Exchange Online:

Connect-ExchangeOnline
Get-SafeAttachmentPolicy | Select-Object Name, Action, Enable, Redirect, RedirectAddress | Format-List

This confirms your policy settings are active. The Action should show "DynamicDelivery" and Redirect should be "True" with your admin mailbox as the RedirectAddress. Run this check after any configuration change to verify the settings took effect.
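The portal steps above (policy name, all recipients, Dynamic Delivery, redirect, block on timeout) and the verification check, as one added PowerShell script. This is example code, not part of the course; it assumes the ExchangeOnlineManagement module is installed, the account holds Security Administrator rights, and the redirect mailbox address is a placeholder you replace.

```powershell
# Added example: create the Safe Attachments policy from PowerShell, then verify it.
# Assumes ExchangeOnlineManagement is installed; redirect address is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'Safe Attachments - All Users'
$redirectTo = 'secops-redirect@contoso.example'   # placeholder shared mailbox you monitor

# The policy says WHAT happens. DynamicDelivery = body now, attachment held until
# scanned; ActionOnError = a timed-out or failed scan is treated as a detection.
if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $policyName `
        -Action DynamicDelivery `
        -ActionOnError $true `
        -Redirect $true -RedirectAddress $redirectTo `
        -Enable $true | Out-Null
}

# The rule says WHO it applies to. A rule needs at least one recipient condition;
# listing every accepted domain is the PowerShell equivalent of "All recipients".
$domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
if (-not (Get-SafeAttachmentRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $policyName `
        -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs $domains `
        -Enabled $true | Out-Null
}

# Verify: read the policy and rule back and warn on any drift from the intended state.
# Re-run this after every configuration change.
$p = Get-SafeAttachmentPolicy -Identity $policyName
$r = Get-SafeAttachmentRule   -Identity $policyName
$problems = @()
if ($p.Action -ne 'DynamicDelivery') { $problems += "Action is $($p.Action)" }
if (-not $p.Enable)                  { $problems += 'Policy is disabled' }
if (-not $p.ActionOnError)           { $problems += 'ActionOnError is off (timeouts would deliver unscanned)' }
if (-not $p.Redirect -or $p.RedirectAddress -ne $redirectTo) { $problems += 'Redirect mailbox not set' }
if ($r.State -ne 'Enabled')          { $problems += "Rule state is $($r.State)" }

if ($problems) { Write-Warning ('Safe Attachments drift: ' + ($problems -join '; ')) }
else           { Write-Host "Safe Attachments policy '$policyName' matches the intended configuration" }
```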

Deeper context

Safe Attachments sandbox detonation is more sophisticated than traditional antivirus. The sandbox is a fully instrumented virtual machine that opens the attachment and observes its behavior. For a Word document with a macro, the sandbox enables macros and watches what happens: does the macro execute PowerShell? Does it download a file from an external URL? Does it modify the registry or create a scheduled task? For a PDF, the sandbox renders it and watches for JavaScript execution, external URL fetches, and exploit attempts against the PDF reader.

This behavioral approach catches malware that signature-based scanning misses — including polymorphic malware that changes its signature on every delivery, zero-day exploits that haven't been reported yet, and legitimate documents weaponised with embedded scripts. The tradeoff is time: sandbox detonation takes 1-10 minutes versus milliseconds for signature matching. Dynamic Delivery eliminates this tradeoff for the user by delivering the email body immediately and holding only the attachment.

Password-protected attachments present a challenge for Safe Attachments. If the password is included in the email body, Safe Attachments can extract it and use it to open the attachment in the sandbox. If the password is provided separately (by phone, text, or a different email), Safe Attachments can't open the attachment and it's delivered unscanned. Attackers know this — they password-protect malicious documents and provide the password in the email body. Safe Attachments can handle this common pattern, but it's worth knowing the limitation.

Extending Safe Attachments to SharePoint, OneDrive, and Teams

Safe Attachments can also scan files uploaded to SharePoint Online, OneDrive for Business, and Microsoft Teams. This is a separate setting from the email policy. Navigate to security.microsoft.com → Policies & rules → Threat policies → Safe Attachments → Global settings.

Enable "Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams." This scans files when they're uploaded — if a user uploads a malicious file to a SharePoint document library or shares it via OneDrive, Safe Attachments blocks the file before other users can download it.

This is particularly important for shared document libraries where multiple users access the same files. A single malicious file uploaded by a compromised account (or received from an external collaborator via guest access) can spread to every user who opens the shared library. Safe Attachments for SharePoint/OneDrive/Teams prevents this lateral spread.

Compliance Myth: "Safe Attachments slows down email delivery too much for business use"
Dynamic Delivery eliminates the email delivery delay entirely — the email body arrives immediately, and only the attachment is held for 1-5 minutes of scanning. Users can read the message, reply, and take action while the attachment scans in the background. For the vast majority of business email, the attachment is not needed in the first 5 minutes after delivery. The perceived delay is minimal, and the alternative — malware delivered directly to the inbox — is incomparably worse. If a specific business process genuinely requires sub-second attachment delivery (extremely rare), you can exclude that specific sender or domain from Safe Attachments while keeping it enabled for everyone else.
Decision point

After deploying Safe Attachments, a senior engineer reports that ZIP files containing CAD drawings from a manufacturing partner are being delayed by 8-10 minutes for scanning, and the delays are affecting production timelines. The partner sends 5-10 of these files per day. What do you do?

Option A: Disable Safe Attachments for the engineer's mailbox.

Option B: Add the partner's email domain to a transport rule that bypasses Safe Attachments for messages from that specific domain.

Option C: Add the partner's email domain to the Safe Attachments policy exception list, document the exception with the justification and a quarterly review date, and monitor the partner's domain for compromise indicators.

The correct answer is Option C. Disabling Safe Attachments for the engineer removes protection from all senders, not just the trusted partner. A transport rule bypass is more targeted but harder to audit. The policy exception list is the correct mechanism — it's documented, visible in the policy configuration, and auditable. The quarterly review is essential because trusted partner domains do get compromised — if the partner's email is breached, their domain becomes a vector for malware delivery, and your exception becomes a gap. Monitor accordingly.

Try it: Create and test your Safe Attachments policy

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Attachments. Create the policy with Dynamic Delivery, redirect to your admin mailbox, and apply to all recipients.

After the policy propagates (15-30 minutes), test it: send yourself an email with a Word document or PDF attachment. After receiving the email, note the delay before the attachment appears. It should be 1-5 minutes for a standard document. If the attachment appears instantly with no delay, the policy may not be applying — check the policy scope.

Then enable the SharePoint/OneDrive/Teams setting in Global settings. Upload a test file to a SharePoint document library and verify it's scanned (check the file properties for a "Virus scan" status).

Check your admin mailbox for any redirected malicious attachments — if Safe Attachments has already blocked something since you enabled the policy, you'll see it there.

A user receives an email with a Word document attached. Safe Attachments is configured with Dynamic Delivery. The user opens the email immediately and sees the body but the attachment shows "Being scanned." After 3 minutes, the attachment disappears and the user receives a notification that it was blocked. What happened?
The sandbox opened the document, detected malicious macro behavior (such as downloading a payload from an external server), and blocked the attachment — the email body remains in the inbox — Correct. This is Dynamic Delivery working exactly as designed. The document was opened in the sandbox VM, the macro executed, the sandbox observed malicious behavior (external download, code execution), and the attachment was blocked. The user never opened the malicious document. The email body stays because it's safe — only the weaponised attachment is removed.
Safe Attachments timed out and blocked the attachment as a precaution — Possible if scanning took longer than expected, but a 3-minute scan that results in a "blocked" notification (rather than a timeout notification) indicates the sandbox detected specific malicious behavior, not a timeout.
EOP detected a known malware signature in the attachment — No. EOP scans at delivery time before Safe Attachments. If EOP caught it, the email would have been quarantined before delivery, not delivered with the attachment removed later.
The user must have triggered the block by previewing the attachment — No. Users cannot preview attachments during Dynamic Delivery scanning. The placeholder prevents any user interaction with the attachment until scanning is complete.

You're reading the free modules of M365 Security: From Admin to Defender
