Skip to main content

Previously, in Part 1 of this Office 365 Advanced Threat Protection 101 article series, we explored how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP Anti-Phishing policies. Now in Part 2, we will explore ATP Safe Attachments, which checks to see if email attachments or files are malicious and protects your organization according to the ATP Safe Attachments policy configured by you, the Office 365 administrator.

In this article, we’ll discuss how to create an ATP Safe Attachment policy and how to enable ATP protection to files in Microsoft SharePoint Online, OneDrive for Business, and Microsoft Teams. Note that I won’t be going into detail of how ATP Safe Attachments works in this article, as Microsoft has already made a great article here.

In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.

Enabling SharePoint, OneDrive, and Microsoft Teams Protection

Similar to my previous article on ATP Anti-Phishing Policies, we’ll want to head over to the Office 365 Security & Compliance Center, then go Threat Management, then go to Policy in the side navigation bar. Then click on the ATP Safe Attachments tile.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments

At the Safe Attachments policy page, the first thing you want to do is turn on ATP for SharePoint, One Drive, and Teams. This will just add another layer of protection in case a malicious file is shared in one of these services.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments

Creating Your First ATP Safe Attachments Policy

In this scenario, we’ll be creating an ATP Safe Attachments Policy that:

  • Applies to the mail domain
  • Delivers the message immediately and scans the attachment. If attachment contains malware, send it to the quarantine.

At the Safe Attachments Policy Page, click the create button to create a new policy. When the new window pops up, specify your Policy Name and Description.

In this next section, we’ll be selecting the malware response, this part of the policy tells ATP what you want to do with an attachment that has been scanned and found to contain malware. Your options are:

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments
Microsoft warns that Monitor, Block, and Replace may result in email delivery delays. In this scenario, I’ll be selecting the Dynamic Delivery option. I’ll go into detail how this will affect your users in the next section.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments

You’ll find that you can redirect an attachment to another user, although I don’t see myself or team reviewing these attachments individually. I’ll leave this unchecked.

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments

Then specify who this policy will apply to. In this scenario, I’ll be applying this policy to

Imaginet's Office 365 Advanced Threat Protection 101 - ATP Safe Attachments

Review your changes, and click Save to create the policy. Microsoft mentions that this may take up to 30 minutes to affect.

How Does This Impact My Users?

In the real world, you may want to test this policy by applying it to a test user or pilot group before applying it to the entire organization.

The policy we just created uses Dynamic Delivery which according to Microsoft does not cause email delivery delays since the message is sent to the recipient right away, and a place holder file is attached until the attachment is scanned. While the file is scanned, users can preview the file safely in safe mode. This preview feature supports most PDFS and office files. If an attachment contains malware, it’s sent to the quarantine. This allows users to receive the email message right away and preview the message safely while it is being scanned.

You may be wondering: what if an attachment was sent to the quarantine by mistake due to a false positive? Well, being an Office 365 administrator, you should be familiar with the Exchange Online quarantine by now. Here you’ll be able to review the message and determine for yourself if the message is a false positive, and if it is, you’ll be able to release it back to the user.

Coming Up Next

Next, in Part 3 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Links Policies, which can help protect your organization by providing verification of URLS in email messages and Office documents. And as always, if you need help with your Office 365 environment, Imaginet is here for you. Our Imaginet certified Office 365 experts can assist you with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.


Proceed to Part 3


Imaginet is your trusted technology partner who turns your business innovation ideas into reality. 20+ years | 1200+ satisfied customers | 2500+ successful engagements. Primary services include Web Application Development, Mobile App Development, and SharePoint consulting services, with additional specialties in Power BI & Business Intelligence, Office 365, Azure, Visual Studio, TFS, & VSTS, Skype for Business, and more. Located in the United States (Dallas, TX) and Canada (Winnipeg, MB) with services offered worldwide. Contact us today at or 1-800-989-6022.

Roy Polvorosa

Roy Polvorosa is an Imaginet Infrastructure Specialist that focuses on deploying and supporting Microsoft technologies. During his time at Imaginet, Roy has focused his infrastructure skills towards SharePoint, Office 365, and Azure cloud offerings. Roy has rich experience deploying and supporting clients that have multiple sites and a variety of support needs. Roy further extends his knowledge by supporting Imaginet internal developers and their variety of database and application servers needed to support 20+ simultaneous development projects.

Let‘s Talk.

Let's talk!