Skip to main content
All CollectionsHow To Remediate Security IssuesSecuring Your EmailAdvanced Protection
How to activate email pre-screening for malicious content in Microsoft 365
How to activate email pre-screening for malicious content in Microsoft 365
Updated over a year ago

Create help article for screening emails

Use the Microsoft 365 Defender portal to create Safe Attachments policies

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section.Or, to go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.

  2. On the Safe Attachments page, select Create to start the new Safe Attachments policy wizard.

  3. On the Name your policy page, configure these settings:

    • Name: Enter a unique, descriptive name for the policy.

    • Description: Enter an optional description for the policy.

    When you're finished on the Name your policy page, select Next.

  4. On the Users and domains page, identify the internal recipients that the policy applies to (recipient conditions):Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select remove next to the value.

    • Users: The specified mailboxes, mail users, or mail contacts.

    • Groups:

      • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).

      • The specified Microsoft 365 Groups.

    • Domains: All recipients in the specified accepted domains in your organization.

    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (*) by itself to see all available values.

    Multiple values in the same condition use OR logic (for example, <recipient1> or <recipient2>). Different conditions use AND logic (for example, <recipient1> and <member of group 1>).

    • Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

    Important

    Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

    The policy is applied to [email protected] only if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

    Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to [email protected] only if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

    When you're finished on the Users and domains page, select Next.

  5. On the Settings page, configure the following settings:

    • Safe Attachments unknown malware response: Select one of the following values:

      • Off

      • Monitor

      • Block: This is the default value, and the recommended value in Standard and Strict preset security policies.

      • Replace: This action will be deprecated. For more information, see MC424901.

      • Dynamic Delivery (Preview messages)

      These values are explained in Safe Attachments policy settings.

    • Quarantine policy: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (Block, Replace, or Dynamic Delivery). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

      By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see Anatomy of a quarantine policy.

      Note

      Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.

      Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

    • Redirect messages with detected attachments: If you select Enable redirect, you can specify an email address in the Send messages that contain monitored attachments to the specified email address box to send messages that contain malware attachments for analysis and investigation.

      Note

      Redirection is available only for the Monitor action. For more information, see MC424899.

    • Apply the Safe Attachments detection response if scanning can't complete (timeout or errors): The action specified by Safe Attachments unknown malware response is taken on messages even when Safe Attachments scanning can't complete.

    When you're finished on the Settings page, select Next.

  6. On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.

    When you're finished on the Review page, select Submit.

  7. On the New Safe Attachments policy created page, you can select the links to view the policy, view Safe Attachments policies, and learn more about Safe Attachments policies.

    When you're finished on the New Safe Attachments policy created page, select Done.

    Back on the Safe Attachments page, the new policy is listed.

Did this answer your question?