Office 365 ATP safe attachments

ATP safe attachments (along with ATP safe links) is part of Office 365 Advanced Threat Protection (ATP). The ATP safe attachments feature checks to see if email attachments are malicious, and then takes action to protect your organization. The ATP safe attachments feature protects your organization according to ATP safe attachments policies that are set by your Office 365 global or security administrators.

Beginning in late November 2017 and over the next several weeks, ATP protection is being extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams. To learn more, see Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams

Note: ATP safe attachments is included in Advanced Threat Protection, which is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.

In this article:

How it works

The ATP safe attachments feature checks email attachments for people in your organization. When an ATP safe attachments policy is in place and someone covered by that policy views their email in Office 365, their email attachments are checked and appropriate actions are taken, based on your ATP safe attachments policies. Depending on how your policies are defined, people can continue working without ever knowing they were sent malicious files.

The following table describes two examples of ATP safe attachments at work.

Example 1: Email attachment

Example 2: File in SharePoint Online

Suppose that Lee receives an email message that has an attachment. It is not obvious to Lee whether that attachment is safe or actually contains malware designed to steal the Lee's user credentials. In Lee's organization, a security administrator defined an ATP safe attachments policy a few days ago.

With the ATP safe attachments feature, the email attachment is opened and tested in a virtual environment before Lee receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will open as expected when Lee clicks on it.

Suppose that Jean received a file and uploaded it into a library in SharePoint Online. Jean shares the link to the file with the rest of the team, not knowing that the file is actually malicious. Fortunately, ATP for SharePoint, OneDrive, and Microsoft Teams detects the malicious file and blocks it.

A few days later, Chris goes to open the document. Although Chris can see the file is there, Chris cannot open or download it, which prevents Chris's computer from being infected by the malicious file.

ATP safe attachments policies can be applied to specific people or groups in your organization, or to your entire domain. To learn more, see Set up ATP safe attachments policies in Office 365.

How to get ATP safe attachments

The ATP safe attachments feature is part of Advanced Threat Protection, which is included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.

The ATP safe attachments feature applies when:

How to know if ATP safe attachments protection is in place

ATP safe attachments policies must be defined in order for ATP safe attachments protection to be in place.

One good way to see how the service is working is by viewing reports for Advanced Threat Protection.

In addition, the following table describes some example scenarios. In all of these cases, we assume the organization has Office 365 Enterprise E5, which includes Advanced Threat Protection.

Example scenario

Does ATP safe attachments protection apply in this case?

Pat's organization has Office 365 Enterprise E5, but no one has defined any policies for ATP safe attachments yet.

No. Although the feature is available, at least one ATP safe attachments policy must be defined in order for ATP safe attachments protection to be in place.

Lee is an employee in the sales department at Contoso. Lee's organization has an ATP safe attachments policy in place that applies to finance employees only.

No. In this case, finance employees would have ATP safe attachments protection, but other employees, including the sales department, would not until policies that include those groups are defined.

Yesterday, an Office 365 administrator at Jean's organization set up an ATP safe attachments policy that applies to all employees. Earlier today, Jean received an email message that includes an attachment.

Yes. In this example, Jean has a license for Advanced Threat Protection, and an ATP safe attachments policy that includes Jean has been defined. It typically takes about 30 minutes for a new policy to take effect across datacenters; since a day has passed in this case, the policy should be in effect.

Chris's organization has Office 365 Enterprise E5 with ATP safe attachments policies in place for everyone in the organization. Chris receives an email that has an attachment, and forwards the message to others who are outside the organization.

ATP safe attachments protection is in place for messages that Chris receives. If the recipients' organizations also have ATP safe attachments policies in place, then the message that Chris forwards would be subject to those policies when the forwarded message arrives.

Jamie's organization has ATP safe attachments policies in place, and ATP for SharePoint, OneDrive, and Microsoft Teams has been turned on. Jamie assumes that every file in SharePoint Online has been scanned and is safe to open or download.

ATP safe attachments protection is in place according to the policies that are defined; however, this does not mean that every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams is scanned. (To learn more, see ATP for SharePoint, OneDrive, and Microsoft Teams.)

Submitting files for malware analysis

If you receive a file that you want to ask Microsoft to analyze, visit Submit a file for malware analysis.

Related topics

Office 365 Advanced Threat Protection
Set up ATP safe attachments policies in Office 365
ATP for SharePoint, OneDrive, and Microsoft Teams
ATP safe links in Office 365
ATP anti-phishing capabilities in Office 365
View the reports for Advanced Threat Protection

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×