Set up Office 365 ATP safe attachments policies

People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. And the last thing you want is a malicious attachment to get through, wreaking havoc for your organization. Fortunately, Office 365 Advanced Threat Protection can help. You can set up an ATP safe attachments policy to help ensure that your organization is protected against attacks by unsafe email attachments.

Note: The ATP safe attachments features are only available in Advanced Threat Protection, available with Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

What to do:

  1. Review the prerequisites

  2. Set up an ATP safe attachments policy

  3. Learn more about policy options

Review the prerequisites

  • Make sure that you are a member of either the Hygiene Management or Organization Management role group so that you have the necessary permissions to set up an ATP safe attachments policy. For more information, see Feature permissions in Exchange Online Protection (EOP) on TechNet.

  • Learn more about ATP safe attachments policy options (in this article). Note that some options, such as the Monitor or Replace options, can result in a minor delay of email while attachments are scanned. To avoid message delays, consider using dynamic delivery and previewing.

  • Plan to spend about 5-15 minutes to set up your first ATP safe attachments policy.

  • Allow up to 30 minutes for your new or updated policy to spread to all Office 365 datacenters.

Set up an ATP safe attachments policy

You can set up an ATP safe attachments policy using either the Office 365 Security & Compliance Center or the Exchange admin center (EAC). We recommend using the Office 365 Security & Compliance Center.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Safe attachments.

  3. If you see Turn on ATP for SharePoint, OneDrive, and Microsoft Teams, we recommend that you select this option. This will enable Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams for your Office 365 environment.

  4. Choose New (the New button resembles a plus sign (+)).

  5. Specify the name, description, and settings for your policy.

    Example: To set up a policy called "no delays" that delivers everyone's messages immediately and then reattaches attachments after they're scanned, you might specify the following settings:

    • In the Name box, type no delays.

    • In the Description box, type a description like, Delivers messages immediately and reattaches attachments after scanning.

    • In the response section, choose the Dynamic Delivery option. (Learn more about dynamic delivery and previewing with ATP safe attachments)

    • In the Redirect attachment section, select the option to enable redirect and type the email address of your Office 365 global administrator, security administrator, or security analyst who will investigate malicious attachments.

    • In the Applied To section, choose The recipient domain is, and then select your domain. Choose Add, and then choose OK.

  6. Choose Save.

You will likely set up multiple ATP safe attachments policies for your organization. These policies will be applied in the order they're listed on the ATP safe attachments page. After a policy has been defined or edited, allow at least 30 minutes for the policies to take effect throughout Microsoft datacenters.
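The "no delays" example above can also be created from Exchange Online PowerShell, followed by a review of all safe attachments rules in the order they are applied. This is an added example, not part of the original article; the cmdlets are Exchange Online PowerShell's, and the domain contoso.com and the address secops@contoso.com are placeholders.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected (for example with Connect-ExchangeOnline) by a member of the
# Hygiene Management or Organization Management role group.

$policyName = 'no delays'
$domain     = 'contoso.com'          # placeholder: your recipient domain
$redirectTo = 'secops@contoso.com'   # placeholder: admin or analyst mailbox

# The policy holds the settings: response option and redirect.
New-SafeAttachmentPolicy -Name $policyName `
    -AdminDisplayName 'Delivers messages immediately and reattaches attachments after scanning.' `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress $redirectTo

# The rule holds the "Applied To" condition and binds it to the policy.
New-SafeAttachmentRule -Name $policyName `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs $domain

# Review every rule in priority order (lowest number is applied first) and
# flag policies with scanning turned off or with no redirect configured.
Get-SafeAttachmentRule | Sort-Object Priority | ForEach-Object {
    $policy = Get-SafeAttachmentPolicy -Identity $_.SafeAttachmentPolicy

    $review = if (-not $policy.Enable) {
        'Scanning is off for these recipients'
    } elseif (-not $policy.Redirect) {
        'No redirect address for investigation'
    } else {
        ''
    }

    [pscustomobject]@{
        Priority        = $_.Priority
        Rule            = $_.Name
        State           = $_.State
        Domains         = $_.RecipientDomainIs -join ', '
        Action          = $policy.Action
        RedirectAddress = $policy.RedirectAddress
        Review          = $review
    }
} | Format-Table -AutoSize -Wrap
```

Because policies are applied in listed order, a broad rule with scanning off that sits above a stricter rule is the case this review is meant to surface.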

Learn about ATP safe attachments policy options

As you set up your ATP safe attachments policies, you have many options from which to choose. Each option is described below with its effect and when to use it.

Option: Off

  Effect:

    • Does not scan attachments for malware

    • Does not delay message delivery

  Use when you want to:

    • Turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known, good attachments

    • Prevent unnecessary delays in routing internal mail

  Note: This option is not recommended for most users. It enables you to turn ATP safe attachments scanning off for a small group of internal senders.

Option: Monitor

  Effect:

    • Delivers messages with attachments and then tracks what happens with detected malware

  Use when you want to:

    • See where detected malware goes in your organization

Option: Block

  Effect:

    • Prevents messages with detected malware attachments from proceeding

    • Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages

    • Blocks future messages and attachments automatically

  Use when you want to:

    • Safeguard your organization from repeated attacks using the same malware attachments

Option: Replace

  Effect:

    • Removes detected malware attachments

    • Notifies recipients that attachments have been removed

    • Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages

  Use when you want to:

    • Raise visibility to recipients that attachments were removed because of detected malware

Option: Dynamic Delivery

  Effect:

    • Delivers messages immediately

    • Replaces attachments with a placeholder file until scanning is complete, and then reattaches the attachments if no malware is detected

    • Includes attachment previewing capabilities for most PDFs and Office files during scanning

    • Sends messages with detected malware to Quarantine where a security administrator or analyst can review and release (or delete) those messages

    Learn about dynamic delivery and previewing with ATP safe attachments

  Use when you want to:

    • Avoid message delays while protecting recipients from malicious files

    • Enable recipients to preview attachments in safe mode while scanning is taking place

Option: Enable redirect

  Effect:

    • Applies when the Monitor, Block, or Replace option is chosen

    • Sends attachments to a specified email address where security administrators or analysts can investigate

  Use when you want to:

    • Enable security administrators and analysts to research suspicious attachments

Related topics

Office 365 Advanced Threat Protection
ATP safe attachments in Office 365
ATP safe links in Office 365
Set up ATP safe links policies in Office 365
View the reports for Advanced Threat Protection
View the reports for Exchange Online Protection
