Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
 

Applies to

• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 provides an additional layer of protection for files that have already been scanned asynchronously by the common virus detection engine in Microsoft 365. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block existing files that are identified as malicious in team sites and document libraries.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by default. To turn it on, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

How Safe Attachments for SharePoint, OneDrive, and Microsoft Teams works

When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores. The following image shows an example of a malicious file detected in a library.

Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But they can delete the blocked file.

Here's an example of what a blocked file looks like on a mobile device:


By default, people can download a blocked file. Here's what downloading a blocked file looks like on a mobile device:


 

SharePoint Online admins can prevent people from downloading malicious files. For instructions, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.

To learn more about the user experience when a file has been detected as malicious, see What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft Teams.
 

View information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams will show up in reports for Microsoft Defender for Office 365 and in Explorer (and real-time detections).

As of May 2018, when a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine. For more information, see Manage quarantined files in Defender for Office 365.

Keep these points in mind

• Defender for Office 365 will not scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned asynchronously. The process uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.

• Make sure your SharePoint sites are configured to use the Modern experience. Defender for Office 365 protection applies whether the Modern experience or the Classic view is used; however, visual indicators that a file is blocked are available only in the Modern experience.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is part of your organization's overall threat protection strategy, which includes anti-spam and anti-malware protection in Exchange Online Protection (EOP), as well as Safe Links and Safe Attachments in Microsoft Defender for Office 365. To learn more, see Protect against threats in Office 365.

Recommended content

• Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365

  Admins can learn how to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, including how to set alerts for detected files.

• Get started using Attack simulation training - Office 365

  Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.

• Safe Documents in Microsoft Defender for Office 365 - Office 365

  Learn about Safe Documents in Microsoft 365 E5 or Microsoft 365 E5 Security.

• Security dashboard overview - Office 365

  Use the new Security Dashboard to review Office 365 Threat Protection Status, and view and act on security alerts.

• Attack Simulator in the Security & Compliance Center - Office 365

  Admins can learn how to use Attack Simulator in the Security & Complance Center to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.

• Security Incident Response - Office 365

  This solution tells you what the most common cybersecurity attacks might look like in Microsoft 365 and how to respond to them

• Microsoft Defender for Office 365 - Office 365

  Microsoft Defender for Office 365 includes Safe Attachments, Safe Links, advanced anti-phishing tools, reporting tools and threat intelligence capabilities.

• Simulate a phishing attack with Microsoft Defender for Office 365 - Office 365

  Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365.