8.4 Safe Attachments Policies

90 minutes · Module 8

By the end of this subsection, you will understand sandbox detonation modes, know when to use Dynamic Delivery vs Block, configure Safe Attachments for SharePoint/OneDrive/Teams, and verify detonation results with KQL.

How Safe Attachments works

Safe Attachments opens email attachments in an isolated sandbox (a virtual machine) and observes their behavior. If the file tries to execute code, modify the registry, download additional files, or phone home to a C2 server, it is classified as malicious and blocked.

This catches zero-day malware that signature-based scanning misses — the file has never been seen before, so it has no signature, but its behavior in the sandbox reveals malicious intent.

Detonation modes

| Mode | Behavior | User experience | Best for |
| --- | --- | --- | --- |
| Block | Email is held until detonation completes. Malicious = quarantined. Clean = delivered. | Delay of 30 seconds to 2 minutes on every email with attachments | Maximum security, acceptable for most environments |
| Dynamic Delivery | Email body delivered immediately. Attachment placeholder shown until detonation completes. Clean = placeholder replaced with real attachment. | No email delivery delay. Attachment available within 1-2 minutes. | Environments where email delivery speed is critical |
| Monitor | Email delivered immediately. Attachment detonated in background. Malicious = logged but NOT blocked. | No delay, no blocking | Testing only — never for production |
| Replace | Attachment removed and notification inserted in email body | User sees notification instead of attachment | High-security environments |
Dynamic Delivery is the best balance for most organizations

Block mode is the most secure but introduces noticeable email delay. Dynamic Delivery provides the same detection without the delay — users receive the email body immediately and can read it while the attachment detonates. The only scenario where Block is clearly superior: environments where users must not see any part of a phishing email (military, classified). For commercial organizations, Dynamic Delivery is the correct choice.

Safe Attachments for SharePoint, OneDrive, and Teams

Email attachments are not the only file vector. Attackers upload malicious files to SharePoint or share them via Teams. Safe Attachments for SPO/OD/Teams scans files uploaded to these services and blocks access to files identified as malicious.

Configuration: In Threat policies, enable “Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.” This is a global setting — it applies to all sites and channels.

```kql
// Verify Safe Attachments detections: daily count of attachments
// that detonation classified as malware over the last 30 days
EmailAttachmentInfo
| where TimeGenerated > ago(30d)
| where ThreatTypes has "Malware"
| summarize
    MalwareCount = count(),
    UniqueFiles = dcount(SHA256),
    FileTypes = make_set(FileType, 10)
    by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc
```
Expected Output

| Date | MalwareCount | UniqueFiles | FileTypes |
| --- | --- | --- | --- |
| Mar 15 | 3 | 2 | ["docm","xlsm"] |
| Mar 18 | 12 | 1 | ["docm"] |
What to look for: March 18 shows 12 detections of a single unique file (same SHA256) — this is a malware campaign distributing the same macro-enabled document to multiple recipients. The "docm" and "xlsm" file types are macro-enabled Office documents — the primary malware delivery format. File types like "exe" or "scr" are caught by anti-malware before reaching Safe Attachments.

Safe Documents for Office clients

Safe Documents extends sandbox detonation to files opened in Protected View on desktop Office apps. When a user opens a Word, Excel, or PowerPoint file from the internet or an email attachment, Office opens it in Protected View (read-only). Safe Documents scans the file while it is in Protected View. If the file is clean, the user can click “Enable Editing.” If malicious, the file is blocked.

This catches a common attack vector: a user downloads a macro-enabled document from a website (not email) and opens it in Word. Safe Documents detonates the file while it sits in Protected View and catches the malware before the user enables editing.

Safe Documents requires M365 E5

Safe Documents is not included in Defender for Office 365 P1 or P2 standalone — it requires the full M365 E5 license. If you are on E5, it is enabled by default. Verify in Threat policies that it is active.
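The SharePoint/OneDrive/Teams setting described above and the Safe Documents check both live on the tenant-wide ATP policy object, so they can be enabled and verified together. The following is an added example, not course or Microsoft code; it assumes the ExchangeOnlineManagement module, an account holding the Security Administrator role, an M365 E5 tenant for Safe Documents, and (for the optional SharePoint step) the SharePoint Online Management Shell with a placeholder admin URL.

```powershell
# Added example (not from the course): enable Safe Attachments for
# SharePoint/OneDrive/Teams plus Safe Documents, then verify the settings.
# Assumes ExchangeOnlineManagement, a Security Administrator account, and
# an M365 E5 license for the Safe Documents part.
Connect-ExchangeOnline

# Both switches sit on the single tenant-wide ATP policy, which is why the
# portal calls them global: they apply to every site, drive and channel.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true `
                     -EnableSafeDocs $true `
                     -AllowSafeDocsOpen $false   # users cannot click through a malicious verdict

# Verify: expected values are True, True, False.
$atp = Get-AtpPolicyForO365
$atp | Format-List EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen

if (-not $atp.EnableATPForSPOTeamsODB) { Write-Warning 'SPO/OneDrive/Teams file scanning is OFF' }
if (-not $atp.EnableSafeDocs)          { Write-Warning 'Safe Documents is OFF (requires M365 E5)' }
if ($atp.AllowSafeDocsOpen)            { Write-Warning 'Users may open files Safe Documents marked malicious' }

Disconnect-ExchangeOnline -Confirm:$false

# Optional: block download of files SharePoint has flagged as infected, so a
# malicious verdict also stops the file leaving the tenant via sync or link.
# Requires Microsoft.Online.SharePoint.PowerShell; the URL is a placeholder.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
Set-SPOTenant -DisallowInfectedFileDownload $true
Get-SPOTenant | Select-Object DisallowInfectedFileDownload
```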

Detonation verdict verification

After configuring Safe Attachments, verify it is working by checking detonation results:

```kql
// Verify detonation verdicts. ThreatTypes comes from EmailAttachmentInfo,
// but the delivery verdict (DeliveryAction) is recorded in EmailEvents,
// so the two tables are joined on message ID and recipient.
EmailAttachmentInfo
| where TimeGenerated > ago(7d)
| where isnotempty(ThreatTypes)
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(7d)
    | project NetworkMessageId, RecipientEmailAddress, DeliveryAction
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    Detections = count(),
    UniqueHashes = dcount(SHA256),
    FileTypes = make_set(FileType),
    Actions = make_set(DeliveryAction)
    by ThreatTypes
| sort by Detections desc
```
Expected Output
| ThreatTypes | Detections | UniqueHashes | FileTypes | Actions |
| --- | --- | --- | --- | --- |
| Malware | 8 | 3 | ["docm","xlsm"] | ["Blocked"] |
| Phish | 2 | 2 | ["html"] | ["Blocked"] |
What to look for: All malware detections should show "Blocked" in the Actions column. If you see "Delivered" for a malware detection, your Safe Attachments policy may be in Monitor mode instead of Block or Dynamic Delivery. The file types (docm, xlsm = macro-enabled Office) and HTML (phishing form attachments) are the most common attack vectors.

Try it yourself

A user reports that email attachments are arriving with a 3-minute delay. They want Safe Attachments disabled for their mailbox. How do you respond?

Do not disable Safe Attachments. Instead, switch the policy from Block mode to Dynamic Delivery mode. The user receives the email body immediately and the attachment becomes available after detonation (typically 30-90 seconds). This eliminates the perceived delay while maintaining full protection.

If the user is already on Dynamic Delivery and still experiencing delays, the issue may be network latency or a specific file type that takes longer to detonate. Investigate with the EmailAttachmentInfo table to check detonation times for their recent emails. Creating per-user exceptions to security policy is almost never the correct answer.
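The recommended response above (move the policy to Dynamic Delivery rather than exempting the mailbox), and the earlier guidance that Dynamic Delivery is the right default for commercial organizations, can be applied from PowerShell. This is an added example, not course or Microsoft code; it assumes the ExchangeOnlineManagement module, a Security Administrator account, and a custom (not preset) policy whose name is a placeholder.

```powershell
# Added example (not from the course): audit Safe Attachments policies and
# move a Block-mode policy to Dynamic Delivery instead of creating a
# per-user exception. Policy and rule names below are placeholders.
Connect-ExchangeOnline

$PolicyName = 'Standard Safe Attachments'   # placeholder: your custom policy

# In PowerShell the portal's "Monitor" mode is the Action value "Allow".
Get-SafeAttachmentPolicy |
    Select-Object Name, Enable, Action, Redirect, RedirectAddress |
    Format-Table -AutoSize

$policy = Get-SafeAttachmentPolicy -Identity $PolicyName

switch ($policy.Action) {
    'Allow' {
        # Monitor mode logs malware but delivers it: never acceptable in production.
        Write-Warning "'$PolicyName' is in Monitor mode; malicious attachments are being delivered"
        Set-SafeAttachmentPolicy -Identity $PolicyName -Action DynamicDelivery
    }
    'Block' {
        # Same sandbox verdicts, no delay on the email body.
        Write-Host "Switching '$PolicyName' from Block to Dynamic Delivery"
        Set-SafeAttachmentPolicy -Identity $PolicyName -Action DynamicDelivery
    }
    default { Write-Host "'$PolicyName' already uses $($policy.Action); no change" }
}

# A policy only takes effect through an enabled rule, so check the scoping
# too: a disabled rule or missing domain looks to users like "no scanning".
Get-SafeAttachmentRule |
    Where-Object { $_.SafeAttachmentPolicy -eq $PolicyName } |
    Select-Object Name, State, RecipientDomainIs, SentTo |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```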

Check your understanding

1. Why is Dynamic Delivery preferred over Block mode for most organizations?

- Dynamic Delivery provides the same detection capability (sandbox detonation) without delaying email body delivery. Users can read the email immediately while the attachment detonates in the background. Block mode delays the entire email by 30 seconds to 2 minutes — noticeable and frustrating at scale. (correct)
- Dynamic Delivery is more secure
- Block mode does not work with Safe Links