1. Strict preset
Highest precedence for included recipients, using Microsoft-managed Safe Attachments settings. Microsoft’s recommended profiles use Block; settings cannot be modified.
Attachment detonation, Block, Dynamic Delivery, quarantine, file stores, and evidence
Design attachment protection that contains malicious files without creating unexplained delivery failures. Determine the policy that actually applies, choose Block or Dynamic Delivery from the recipient workflow, govern scan-error behavior and quarantine permissions, protect SharePoint, OneDrive, and Teams file stores, evaluate Safe Documents licensing, alert on malicious files, and validate delivery, placeholders, quarantine, submissions, and recovery.

Operating objective
Safe Attachments adds virtual-environment detonation after Microsoft 365 anti-malware scanning to detect malware, ransomware, phishing payloads, and previously unknown behavior. It is not a replacement for baseline anti-malware, endpoint protection, Safe Links, application control, backups, incident response, or user verification. Its value depends on effective policy coverage, action choice, quarantine mapping, client behavior, operational evidence, and follow-through on malicious or false-positive results.
There is no ordinary default Safe Attachments policy. Built-in protection covers recipients not already assigned to Strict, Standard, evaluation, or custom Safe Attachments policies. Microsoft recommends Block for Standard and Strict presets. Custom policies should exist only where a documented workflow needs different behavior such as Dynamic Delivery for Exchange Online mailboxes.
Global Safe Attachments settings for SharePoint, OneDrive, Teams and Safe Documents are separate from recipient Safe Attachments policies. A complete design therefore reconciles email policy/rule objects, global tenant controls, malicious-file download behavior, quarantine permissions, alerts, licensing, client/support experience, Explorer/reporting, submissions, and incident response.
Control statement: Before changing an action, scope, quarantine policy, scan-error behavior, redirect/monitor destination, file-store protection, malicious-download control, or Safe Documents setting, record the effective cohort, business impact, threat boundary, test cases, evidence, rollback, owner, and review date.
Effective policy precedence
Highest precedence for included recipients, using Microsoft-managed Safe Attachments settings. Microsoft’s recommended profiles use Block; settings cannot be modified.
Applies after Strict and before evaluation/custom policies. Broad baseline for many users; keep scope and exclusions unambiguous.
Evaluation precedes custom; custom policies apply by rule priority. In PowerShell, the policy holds actions while the associated rule holds recipients, state and priority.
Provides Safe Attachments coverage for remaining recipients unless excluded. Built-in also sets recommended global file-store/Safe Documents values when applicable, but global settings remain independently modifiable.
Audit both objects: A Safe Attachments policy and its rule can become orphaned or mismatched when managed through PowerShell. Export and verify both `Get-SafeAttachmentPolicy` and `Get-SafeAttachmentRule` results.
Action decision matrix
| Action / control | What happens | Appropriate use | Operational risks | Required validation |
|---|---|---|---|---|
| Off | Safe Attachments does not detonate attachments for the covered recipients; baseline anti-malware still applies. | Exceptional narrowly scoped compatibility case only. Microsoft does not recommend Off for most users. | Reduced zero-day/ransomware/phishing detection and no related ZAP quarantine when a Safe Attachments threat signal is absent. | Owner, threat acceptance, exact recipients, compensating controls, expiry, negative test and removal plan. |
| Monitor | Messages are delivered while detections are tracked; monitored detections can be redirected for analysis. | Evaluation or evidence gathering before enforcement where business impact is understood. | Malicious content can reach recipients; analyst mailbox becomes sensitive; redirection does not equal containment. | Monitoring/redirect mailbox protection, alerting, investigation SLA, exposure handling and move-to-enforcement criteria. |
| Block | Messages with detected attachments are prevented from delivery and quarantined; repeated instances can be blocked. | Microsoft default and recommended Standard/Strict behavior for broad protection. | Safe-message delivery can wait for scanning; false positives require admin-controlled quarantine/submission operations. | Latency, quarantine policy, notifications/request release, admin review, submission, delivery and incident tests. |
| Dynamic Delivery | Message body is delivered with an attachment placeholder while scanning runs; safe files become available, malicious results quarantine the message. | Exchange Online mailbox workflows where prompt body delivery is valuable and client/flow limitations are accepted. | Placeholders, preview limitations, forwarding to unprotected recipients, public folders, rules, archive moves, encryption and signature services can create inconsistent experience. | Mailbox/client matrix, supported file preview, forward protected/unprotected, rules/folders, mobile, scan completion, malicious quarantine and fallback. |
| Deliver when scan cannot complete | Controls whether mail is delivered when Safe Attachments cannot finish scanning. | Only after an explicit availability-versus-threat decision and documented operational fallback. | Fail-open can deliver unanalyzed files; fail-closed behavior can disrupt time-sensitive business mail. | Simulated error/timeout where safe, queue/alert visibility, user/help-desk path, approval and rollback. |
| Quarantine policy | Defines user visibility, request-release capability, notifications and admin workflow for malicious/phishing detections. | Always map deliberately for Block or Dynamic Delivery. | AdminOnlyAccessPolicy notifications are off by default; users cannot self-release Safe Attachments malware/phishing regardless of custom permissions. | User/admin view, request release, notification, reviewer role, SLA, audit and expiration tests. |
Twelve-step design and rollout runbook
Record malware/ransomware/phishing goals, user cohorts, licensed services, mail latency tolerance, attachment-heavy workflows, public folders, hybrid/on-premises recipients, encryption/signature tools, file stores and incident ownership.
Capture preset/evaluation/custom/Built-in scopes, Safe Attachments policy and rule objects, action/error/quarantine settings, global ATP settings, infected-file download state, Safe Documents, alerts and exceptions.
Test representatives from executives, finance, general users, shared/resource mailboxes, service accounts, frontline users and exceptions. Resolve overlaps, priority, groups, exclusions and unlicensed recipients.
Use Standard/Strict presets where appropriate. Select Block for broad enforcement or justify Dynamic Delivery from a documented Exchange Online mailbox workflow. Avoid custom sprawl.
Map malicious/phishing results to an admin-controlled policy, configure request-release/notification behavior intentionally, staff reviewers, define SLA/expiry handling and connect false positives to Microsoft submissions.
Document availability versus threat exposure, monitoring/alerting, user/help-desk message, approval, incident path and rollback for cases where scanning cannot complete.
If used, test supported Outlook clients, PDFs/Office previews, mobile, forwarding to protected/unprotected recipients, public folders, Inbox rules, archive/moves, S/MIME, custom routing and signature services.
Verify Safe Attachments for SharePoint, OneDrive and Teams, block infected-file download, use modern experience, configure alerts, document admin-only quarantine/investigation and test delete/recovery behavior.
Confirm eligible licensing and Defender for Endpoint prerequisites, enable Safe Documents where appropriate, restrict protected-view click-through, test supported Office clients and document privacy/support impact.
Use safe test files and approved simulation techniques. Measure latency, placeholders, preview, safe delivery, malicious quarantine, request release, alerts, submissions and client/help-desk cases.
Wait for propagation, compare results to baseline, correct applications instead of turning protection off, publish user guidance, expand cohorts, and verify effective policy/rule state after each phase.
Seal before/after exports, tests, alerts, incidents, exceptions and rollback; remove orphaned objects; assign owners; set review cadence; and track custom-policy/Off/Monitor exit criteria.
Beyond email attachments
Global Safe Attachments adds detonation and threat signals after common malware scanning. Malicious files remain listed but cannot normally be opened, copied, moved or shared; they can be deleted and, by default, downloaded.
Microsoft recommends setting the SharePoint tenant to disallow infected-file downloads. The setting affects users and administrators; preserve an isolated security-analysis process rather than relying on ordinary downloads.
Microsoft explicitly notes not every file is scanned. File-store protection uses asynchronous processing, sharing/guest events, heuristics and threat signals. Do not treat an unblocked file as guaranteed safe.
Visual blocked-file indicators require the modern SharePoint experience. Test web, sync, mobile, Teams and guest experiences and ensure support can interpret locked-file states.
Create alerts for malicious file detections, staff ownership, connect Explorer/Real-time detections and quarantine, preserve file identifiers/evidence, and coordinate site/identity/endpoint response.
Safe Documents evaluates Office files in Protected View for eligible Microsoft 365 licenses and Defender for Endpoint integration. Govern whether users may bypass Protected View when a file is found malicious.
Top Safe Attachments risks and misconfigurations
Strict/Standard/evaluation or a higher-priority custom rule covers the recipient instead.
An orphaned, disabled or mismatched rule means the settings object has no intended recipients—or an old rule still applies.
Evaluation/compatibility settings remain in production without owner, expiry, compensating controls or enforcement plan.
Unanalyzed attachments can be delivered with no alert, user warning, investigation or business-risk acceptance.
Public folders, on-premises recipients, rules, archive moves, encryption, signatures or unsupported previews create inconsistent behavior.
Malicious items enter an unstaffed admin-only queue with no notification, request-release SLA or false-positive submission process.
Teams assume every SharePoint/OneDrive/Teams file is synchronously scanned and safe when unblocked.
Users or admins can download a malicious file that the service locked in the library.
Blocked files persist without an owner investigating users, sharing, related sites, identities or endpoints.
Settings are enabled without confirming eligible licensing, endpoint integration, supported clients, click-through policy or validation.
Evidence and cadence
Investigate malicious detections, quarantine requests, false positives, alerts and business-critical delays.
Review scan errors, latency, placeholders, file-store detections, submissions, incidents and exceptions.
Reconcile effective coverage, policy/rule pairs, actions, quarantine, global settings, alerts, licensing and metrics.
Run full email/file-store/client tests, recertify custom/Off/Monitor use, Safe Documents and failback.
Authoritative resources and related guidance
Frequently asked questions
Microsoft documents Block as the default and recommended action in Standard and Strict preset security policies. Dynamic Delivery can be appropriate for supported Exchange Online mailbox workflows when its limitations are tested and accepted.
No. Users cannot self-release messages quarantined as malware or phishing by Safe Attachments regardless of quarantine-policy configuration. A configured action can allow users to request administrator release.
Microsoft states scanning typically completes within 15 minutes. Actual performance varies; measure production latency and investigate outliers, scan errors and client placeholder behavior.
No. It works only for Exchange Online mailboxes and has documented limitations involving public folders, custom routing, folder moves, Inbox rules, deleted messages, search-folder errors, some signature services, S/MIME and unsupported recipients/previewers.
No. Microsoft says file scanning is asynchronous and uses sharing/guest activity, heuristics and threat signals. An unblocked file is not a guarantee of safety.
Microsoft recommends configuring the SharePoint tenant to prevent users and admins from downloading files identified as malicious. Maintain a separate authorized isolated-analysis process for security investigations.
Detonate before trust
IT Perfection helps Orange County and Southern California organizations map effective Safe Attachments coverage, deploy Block or tested Dynamic Delivery, govern quarantine and scan errors, protect SharePoint, OneDrive and Teams, restrict malicious downloads, evaluate Safe Documents, configure alerts, validate clients, and preserve audit-ready evidence.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, malware analysis, incident investigation, legal/privacy review, licensing review, or tested recovery plan.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.