Office 365 ATP safe attachments

ATP safe attachments (along with ATP safe links) is part of Office 365 Advanced Threat Protection (ATP). The ATP safe attachments feature checks to see if email attachments are malicious, and then takes action to protect your organization. The ATP safe attachments feature protects your organization according to ATP safe attachments policies that are set by your Office 365 global or security administrators.

Beginning in late November 2017 and over the next several weeks, ATP protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams. To learn more, see Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams.

Note: The ATP safe attachments feature is only available in Advanced Threat Protection, included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

In this article:

How it works

The ATP safe attachments feature checks email attachments for people in your organization. When an ATP safe attachments policy is in place and someone covered by that policy views their email in Office 365, their email attachments are checked and appropriate actions are taken, based on your ATP safe attachments policies. Depending on how your policies are defined, people can continue working without ever knowing they were sent malicious files.

EXAMPLE    Suppose that Lee receives an email message that has an attachment. It is not obvious to Lee whether that attachment is safe or actually contains malware designed to steal the Lee's user credentials. In Lee's organization, a security administrator defined an ATP safe attachments policy a few days ago. Now, with the ATP safe attachments feature, the email attachment is opened and tested in a virtual environment before Lee receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will open as expected when Lee clicks on it.

ATP safe attachments policies can be applied to specific people or groups in your organization, or to your entire domain. To learn more, see Set up ATP safe attachments policies in Office 365.

How to get ATP safe attachments

The ATP safe attachments feature is part of Advanced Threat Protection, which is included in Office 365 Enterprise E5. Advanced Threat Protection can also be purchased as an add-on to Office 365 Enterprise E1 or Office 365 Enterprise E3. For more information about plan options, see Compare All Office 365 for Business Plans

The ATP safe attachments feature applies when:

How to know if ATP safe attachments protection is in place

ATP safe attachments policies must be defined in order for ATP safe attachments protection to be in place. The following table describes a few example scenarios. In all of these cases, we assume the organization has Office 365 Enterprise E5, which includes Advanced Threat Protection.

Example scenario

Does ATP safe attachments protection apply in this case?

Pat's organization has Office 365 Enterprise E5, but no one has defined any policies for ATP safe attachments yet.

No. Although the feature is available, at least one ATP safe attachments policy must be defined in order for ATP safe attachments protection to be in place.

Lee is an employee in the sales department at Contoso. Lee's organization has an ATP safe attachments policy in place that applies to finance employees only.

No. In this case, finance employees would have ATP safe attachments protection, but other employees, including the sales department, would not until policies that include those groups are defined.

Yesterday, an Office 365 administrator at Jean's organization set up an ATP safe attachments policy that applies to all employees. Earlier today, Jean received an email message that includes an attachment.

Yes. In this example, Jean has a license for Advanced Threat Protection, and an ATP safe attachments policy that includes Jean has been defined. It typically takes about 30 minutes for a new policy to take effect across datacenters; since a day has passed in this case, the policy should be in effect.

Chris's organization has Office 365 Enterprise E5 with ATP safe attachments policies in place for everyone in the organization. Chris receives an email that has an attachment, and forwards the message to others who are outside the organization.

ATP safe attachments protection is in place for messages that Chris receives. If the recipients' organizations also have ATP safe attachments policies in place, then the message that Chris forwards would be subject to those policies when the forwarded message arrives.

After your organization has set up ATP safe attachments policies and turned on ATP for SharePoint Online, OneDrive for Business, and Microsoft Teams, you can see how the service is working by viewing reports for Advanced Threat Protection.

Submitting files for malware analysis

If you receive a file that you want to ask Microsoft to analyze, visit Submit a file for malware analysis.

Related topics

Office 365 Advanced Threat Protection
Set up ATP safe attachments policies in Office 365
ATP safe links in Office 365
View the reports for Advanced Threat Protection

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×