Attachment detonation, Block, Dynamic Delivery, quarantine, file stores, and evidence

Defender for Office 365 Safe Attachments Policy Design Guide

Design attachment protection that contains malicious files without creating unexplained delivery failures. Determine the policy that actually applies, choose Block or Dynamic Delivery from the recipient workflow, govern scan-error behavior and quarantine permissions, protect SharePoint, OneDrive, and Teams file stores, evaluate Safe Documents licensing, alert on malicious files, and validate delivery, placeholders, quarantine, submissions, and recovery.

Built-in, Strict, Standard, evaluation, and custom policy precedenceOff, Monitor, Block, Dynamic Delivery, scan errors, and quarantineEmail, SharePoint, OneDrive, Teams, Safe Documents, alerts, testing, and rollback
Security professionals operating a physical Safe Attachments detonation, dynamic delivery, quarantine, and Microsoft 365 file protection laboratory
Safe Attachments detonates files after baseline malware scanning, routes malicious results to admin-controlled quarantine, and can use Dynamic Delivery placeholders while scanning supported Exchange Online mailboxes.

Operating objective

Detonate attachments before trust while preserving a supportable delivery path

Safe Attachments adds virtual-environment detonation after Microsoft 365 anti-malware scanning to detect malware, ransomware, phishing payloads, and previously unknown behavior. It is not a replacement for baseline anti-malware, endpoint protection, Safe Links, application control, backups, incident response, or user verification. Its value depends on effective policy coverage, action choice, quarantine mapping, client behavior, operational evidence, and follow-through on malicious or false-positive results.

There is no ordinary default Safe Attachments policy. Built-in protection covers recipients not already assigned to Strict, Standard, evaluation, or custom Safe Attachments policies. Microsoft recommends Block for Standard and Strict presets. Custom policies should exist only where a documented workflow needs different behavior such as Dynamic Delivery for Exchange Online mailboxes.

Global Safe Attachments settings for SharePoint, OneDrive, Teams and Safe Documents are separate from recipient Safe Attachments policies. A complete design therefore reconciles email policy/rule objects, global tenant controls, malicious-file download behavior, quarantine permissions, alerts, licensing, client/support experience, Explorer/reporting, submissions, and incident response.

Control statement: Before changing an action, scope, quarantine policy, scan-error behavior, redirect/monitor destination, file-store protection, malicious-download control, or Safe Documents setting, record the effective cohort, business impact, threat boundary, test cases, evidence, rollback, owner, and review date.

Effective policy precedence

Prove which action and quarantine policy protect each recipient

1. Strict preset

Highest precedence for included recipients, using Microsoft-managed Safe Attachments settings. Microsoft’s recommended profiles use Block; settings cannot be modified.

2. Standard preset

Applies after Strict and before evaluation/custom policies. Broad baseline for many users; keep scope and exclusions unambiguous.

3. Evaluation and custom

Evaluation precedes custom; custom policies apply by rule priority. In PowerShell, the policy holds actions while the associated rule holds recipients, state and priority.

4. Built-in protection

Provides Safe Attachments coverage for remaining recipients unless excluded. Built-in also sets recommended global file-store/Safe Documents values when applicable, but global settings remain independently modifiable.

Audit both objects: A Safe Attachments policy and its rule can become orphaned or mismatched when managed through PowerShell. Export and verify both `Get-SafeAttachmentPolicy` and `Get-SafeAttachmentRule` results.

Action decision matrix

Choose the delivery experience from threat tolerance and mailbox behavior

Action / controlWhat happensAppropriate useOperational risksRequired validation
OffSafe Attachments does not detonate attachments for the covered recipients; baseline anti-malware still applies.Exceptional narrowly scoped compatibility case only. Microsoft does not recommend Off for most users.Reduced zero-day/ransomware/phishing detection and no related ZAP quarantine when a Safe Attachments threat signal is absent.Owner, threat acceptance, exact recipients, compensating controls, expiry, negative test and removal plan.
MonitorMessages are delivered while detections are tracked; monitored detections can be redirected for analysis.Evaluation or evidence gathering before enforcement where business impact is understood.Malicious content can reach recipients; analyst mailbox becomes sensitive; redirection does not equal containment.Monitoring/redirect mailbox protection, alerting, investigation SLA, exposure handling and move-to-enforcement criteria.
BlockMessages with detected attachments are prevented from delivery and quarantined; repeated instances can be blocked.Microsoft default and recommended Standard/Strict behavior for broad protection.Safe-message delivery can wait for scanning; false positives require admin-controlled quarantine/submission operations.Latency, quarantine policy, notifications/request release, admin review, submission, delivery and incident tests.
Dynamic DeliveryMessage body is delivered with an attachment placeholder while scanning runs; safe files become available, malicious results quarantine the message.Exchange Online mailbox workflows where prompt body delivery is valuable and client/flow limitations are accepted.Placeholders, preview limitations, forwarding to unprotected recipients, public folders, rules, archive moves, encryption and signature services can create inconsistent experience.Mailbox/client matrix, supported file preview, forward protected/unprotected, rules/folders, mobile, scan completion, malicious quarantine and fallback.
Deliver when scan cannot completeControls whether mail is delivered when Safe Attachments cannot finish scanning.Only after an explicit availability-versus-threat decision and documented operational fallback.Fail-open can deliver unanalyzed files; fail-closed behavior can disrupt time-sensitive business mail.Simulated error/timeout where safe, queue/alert visibility, user/help-desk path, approval and rollback.
Quarantine policyDefines user visibility, request-release capability, notifications and admin workflow for malicious/phishing detections.Always map deliberately for Block or Dynamic Delivery.AdminOnlyAccessPolicy notifications are off by default; users cannot self-release Safe Attachments malware/phishing regardless of custom permissions.User/admin view, request release, notification, reviewer role, SLA, audit and expiration tests.

Twelve-step design and rollout runbook

Inventory, pilot, test, expand, and preserve failback evidence

Define outcomes and constraints

Record malware/ransomware/phishing goals, user cohorts, licensed services, mail latency tolerance, attachment-heavy workflows, public folders, hybrid/on-premises recipients, encryption/signature tools, file stores and incident ownership.

Export current state

Capture preset/evaluation/custom/Built-in scopes, Safe Attachments policy and rule objects, action/error/quarantine settings, global ATP settings, infected-file download state, Safe Documents, alerts and exceptions.

Reconcile effective coverage

Test representatives from executives, finance, general users, shared/resource mailboxes, service accounts, frontline users and exceptions. Resolve overlaps, priority, groups, exclusions and unlicensed recipients.

Choose profile and action

Use Standard/Strict presets where appropriate. Select Block for broad enforcement or justify Dynamic Delivery from a documented Exchange Online mailbox workflow. Avoid custom sprawl.

Design quarantine operations

Map malicious/phishing results to an admin-controlled policy, configure request-release/notification behavior intentionally, staff reviewers, define SLA/expiry handling and connect false positives to Microsoft submissions.

Decide scan-error behavior

Document availability versus threat exposure, monitoring/alerting, user/help-desk message, approval, incident path and rollback for cases where scanning cannot complete.

Test Dynamic Delivery edges

If used, test supported Outlook clients, PDFs/Office previews, mobile, forwarding to protected/unprotected recipients, public folders, Inbox rules, archive/moves, S/MIME, custom routing and signature services.

Configure file-store protection

Verify Safe Attachments for SharePoint, OneDrive and Teams, block infected-file download, use modern experience, configure alerts, document admin-only quarantine/investigation and test delete/recovery behavior.

Review Safe Documents

Confirm eligible licensing and Defender for Endpoint prerequisites, enable Safe Documents where appropriate, restrict protected-view click-through, test supported Office clients and document privacy/support impact.

Pilot representative cohorts

Use safe test files and approved simulation techniques. Measure latency, placeholders, preview, safe delivery, malicious quarantine, request release, alerts, submissions and client/help-desk cases.

Expand through acceptance gates

Wait for propagation, compare results to baseline, correct applications instead of turning protection off, publish user guidance, expand cohorts, and verify effective policy/rule state after each phase.

Close and schedule review

Seal before/after exports, tests, alerts, incidents, exceptions and rollback; remove orphaned objects; assign owners; set review cadence; and track custom-policy/Off/Monitor exit criteria.

Beyond email attachments

Protect collaboration files and Office documents as separate control planes

SharePoint, OneDrive, and Teams

Global Safe Attachments adds detonation and threat signals after common malware scanning. Malicious files remain listed but cannot normally be opened, copied, moved or shared; they can be deleted and, by default, downloaded.

Block infected-file download

Microsoft recommends setting the SharePoint tenant to disallow infected-file downloads. The setting affects users and administrators; preserve an isolated security-analysis process rather than relying on ordinary downloads.

Asynchronous, signal-based scanning

Microsoft explicitly notes not every file is scanned. File-store protection uses asynchronous processing, sharing/guest events, heuristics and threat signals. Do not treat an unblocked file as guaranteed safe.

Modern experience

Visual blocked-file indicators require the modern SharePoint experience. Test web, sync, mobile, Teams and guest experiences and ensure support can interpret locked-file states.

Alert and investigate

Create alerts for malicious file detections, staff ownership, connect Explorer/Real-time detections and quarantine, preserve file identifiers/evidence, and coordinate site/identity/endpoint response.

Safe Documents

Safe Documents evaluates Office files in Protected View for eligible Microsoft 365 licenses and Defender for Endpoint integration. Govern whether users may bypass Protected View when a file is found malicious.

Top Safe Attachments risks and misconfigurations

Failures that deliver malicious files, disrupt mail, or create false assurance

Custom policy never applies

Strict/Standard/evaluation or a higher-priority custom rule covers the recipient instead.

Policy and rule diverge

An orphaned, disabled or mismatched rule means the settings object has no intended recipients—or an old rule still applies.

Off or Monitor becomes permanent

Evaluation/compatibility settings remain in production without owner, expiry, compensating controls or enforcement plan.

Scan-error fail-open undocumented

Unanalyzed attachments can be delivered with no alert, user warning, investigation or business-risk acceptance.

Dynamic Delivery assumed universal

Public folders, on-premises recipients, rules, archive moves, encryption, signatures or unsupported previews create inconsistent behavior.

Quarantine mapping overlooked

Malicious items enter an unstaffed admin-only queue with no notification, request-release SLA or false-positive submission process.

File-store toggle treated as complete

Teams assume every SharePoint/OneDrive/Teams file is synchronously scanned and safe when unblocked.

Infected downloads remain allowed

Users or admins can download a malicious file that the service locked in the library.

No malicious-file alerts

Blocked files persist without an owner investigating users, sharing, related sites, identities or endpoints.

Safe Documents licensing assumed

Settings are enabled without confirming eligible licensing, endpoint integration, supported clients, click-through policy or validation.

Evidence and cadence

Measure protection, user impact, and recurring attachment risk

Configuration evidence

  • Preset/evaluation/custom/Built-in coverage
  • Policy and rule objects, action and priority
  • Error, quarantine, notification and monitor/redirect settings
  • Global file-store, infected-download and Safe Documents state
  • Alerts, roles, exceptions, licenses and owners

Validation evidence

  • Safe/malicious test messages and file identifiers
  • Latency, placeholder, preview and client results
  • Quarantine/request/submission/audit evidence
  • SharePoint/OneDrive/Teams blocked-file behavior
  • Alert, investigation, recovery and rollback tests

Useful metrics

  • Licensed recipients with verified effective coverage
  • Recipients on Off/Monitor/custom policies
  • Scan latency and Dynamic Delivery support cases
  • Malicious/false-positive files and repeat senders
  • Time to investigate file-store alerts and remove exceptions

Daily/event-driven

Investigate malicious detections, quarantine requests, false positives, alerts and business-critical delays.

Weekly

Review scan errors, latency, placeholders, file-store detections, submissions, incidents and exceptions.

Monthly

Reconcile effective coverage, policy/rule pairs, actions, quarantine, global settings, alerts, licensing and metrics.

Quarterly

Run full email/file-store/client tests, recertify custom/Off/Monitor use, Safe Documents and failback.

Frequently asked questions

Defender for Office 365 Safe Attachments FAQ

Which Safe Attachments action does Microsoft recommend?

Microsoft documents Block as the default and recommended action in Standard and Strict preset security policies. Dynamic Delivery can be appropriate for supported Exchange Online mailbox workflows when its limitations are tested and accepted.

Can users release Safe Attachments malware or phishing from quarantine?

No. Users cannot self-release messages quarantined as malware or phishing by Safe Attachments regardless of quarantine-policy configuration. A configured action can allow users to request administrator release.

How long does attachment scanning usually take?

Microsoft states scanning typically completes within 15 minutes. Actual performance varies; measure production latency and investigate outliers, scan errors and client placeholder behavior.

Does Dynamic Delivery work for every recipient and message path?

No. It works only for Exchange Online mailboxes and has documented limitations involving public folders, custom routing, folder moves, Inbox rules, deleted messages, search-folder errors, some signature services, S/MIME and unsupported recipients/previewers.

Does Safe Attachments scan every SharePoint, OneDrive, or Teams file?

No. Microsoft says file scanning is asynchronous and uses sharing/guest activity, heuristics and threat signals. An unblocked file is not a guarantee of safety.

Should users be allowed to download infected files from SharePoint?

Microsoft recommends configuring the SharePoint tenant to prevent users and admins from downloading files identified as malicious. Maintain a separate authorized isolated-analysis process for security investigations.

Detonate before trust

Build Safe Attachments protection that contains files and preserves business continuity

IT Perfection helps Orange County and Southern California organizations map effective Safe Attachments coverage, deploy Block or tested Dynamic Delivery, govern quarantine and scan errors, protect SharePoint, OneDrive and Teams, restrict malicious downloads, evaluate Safe Documents, configure alerts, validate clients, and preserve audit-ready evidence.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, malware analysis, incident investigation, legal/privacy review, licensing review, or tested recovery plan.