Safe Attachments, Safe Links? Why do we need this?
We increasingly use email, Teams, OneDrive and SharePoint to share files with external people. We chat, we want to work from anywhere, and we want to do this on every possible system (Modern Workplace). The basic virus and spam protection that Exchange Online Protection (EOP) provides for every Exchange Online organization is often no longer sufficient.
Microsoft 365 Defender offers two additional features: Safe Attachments and Safe Links. Both are easy to configure and add considerably to security.

Prerequisites and Licensing

The following licenses are suitable for Safe Attachments and Safe Links:

  • Microsoft Defender for Office 365 Plan 1

The license is included in Microsoft 365 Business Premium and many more.

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

Microsoft 365 Defender Portal

Safe Attachments and Safe Links are configured via the Microsoft 365 Security Portal (https://security.microsoft.com/). The features are located under Email & collaboration > Policies & rules > Threat policies.

Safe Attachments

Safe Attachments provides an additional layer of protection that checks file attachments from email, Teams, OneDrive and SharePoint for malware in a sandbox. After the files are verified as harmless, they are delivered to the recipient.

Open Safe Attachments

Safe Attachments for Microsoft Teams, OneDrive and SharePoint

Safe Attachments for Microsoft Teams, OneDrive and SharePoint is enabled in the global settings.

Select Global Settings

To turn on Safe Attachments for Microsoft Teams, OneDrive and SharePoint, enable “Turn on Defender for Office 365”. With a Microsoft 365 E5 or Microsoft 365 E5 Security license, Safe Documents can also be activated for Office clients.

Safe Attachments for Emails

To use Safe Attachments for email, create a new policy by clicking Create.

Enter a name for the policy.

The policy is applied to users, groups or domains.


The properties define the behavior of Safe Attachments. Optimal protection is achieved with the following properties.

Dynamic Delivery
The email appears immediately in the inbox, but without a file attachment. There is no waiting time for delivery for the user.
If the file attachment has been checked and verified to be harmless, the message in the inbox is automatically reloaded and displayed.

Quarantine policy
Only Exchange administrators should have access to the quarantine.

Redirect messages
All message redirection options are disabled.

Check the settings again. If everything is correct, click “Submit”.

The new policy is created after a few minutes.

Finally, check that the policy you have just created has the status On and is therefore activated.

Safe Links

With Safe Links, links in email and Microsoft Teams are scanned for malware in real time. This means that the moment a user clicks on the link, Microsoft first checks it for malware and only displays the content if it is harmless. If the link contains malware, the following message appears:

To be able to check links in real time, all URLs in emails and Microsoft Teams are rewritten. These links can be recognized by the format “https://*.safelinks.protection.outlook.com”.
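
During triage of a reported message, an analyst often needs the destination that a rewritten link wraps. The following is an added example, not code from the original post; it assumes the original URL is carried percent-encoded in the `url` query parameter of the rewritten link (not stated in the post), and all sample links are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Host suffix from the rewritten-link format quoted above.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # assumption: stop after a few layers of nested rewriting


def is_safelinks_host(host):
    """True only when host is a subdomain of the Safe Links domain."""
    host = (host or "").lower().rstrip(".")
    return host.endswith(SAFELINKS_SUFFIX) and len(host) > len(SAFELINKS_SUFFIX)


def unwrap_once(link):
    """Return the URL in the 'url' parameter, or None if link is not a Safe Links URL."""
    parts = urlsplit(link.strip())
    if parts.scheme != "https" or not is_safelinks_host(parts.hostname):
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    return values[0] if values else None


def original_url(link):
    """Unwrap repeatedly, in case a link was rewritten more than once."""
    current = link.strip()
    for _ in range(MAX_DEPTH):
        inner = unwrap_once(current)
        if inner is None:
            break
        current = inner
    return current


# Constructed sample links; example.com and lookalike.example are placeholders.
SAMPLES = [
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Freport%3Fid%3D7%26lang%3Den&data=CONSTRUCTED",
    # Host only starts with the Safe Links name: not a rewritten link.
    "https://nam02.safelinks.protection.outlook.com.lookalike.example/?url=https%3A%2F%2Fexample.com",
    # Safe Links name sits in the userinfo part; the real host is lookalike.example.
    "https://nam02.safelinks.protection.outlook.com@lookalike.example/?url=https%3A%2F%2Fexample.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        kind = "rewritten" if unwrap_once(sample) else "not Safe Links"
        print(f"{kind:15} {original_url(sample)}")
```

Matching on the full host suffix rather than on a substring is what keeps the two lookalike samples from being treated as rewritten links.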

Open Safe Links

Safe Links for Emails and Microsoft Teams and Microsoft 365 Apps

To use Safe Links, create a new policy by clicking Create.

Enter a name for the policy.

The policy is applied to users, groups or domains.

The properties define the behavior of Safe Links for Emails, Teams and Office 365 Apps.

The default settings provide optimal protection. The only exception is the Click protection settings. For privacy reasons, these should be disabled.

When a malware link is found, the standard text from Microsoft informs the user.

Check the settings again. If everything is correct, click “Submit”.

The new policy is created after a few minutes.

Finally, check that the policy you have just created has the status On and is therefore activated.

Troubleshooting

Error message “Client Error” when saving the policy

The following error message appears when trying to save a new policy:

Client Error
An error occurred when saving the policy. Please check the settings and try again.

A dehydrated tenant can cause this error.
Connect to Exchange Online with PowerShell.

Run Get-OrganizationConfig and check the IsDehydrated property. A dehydrated tenant shows the value True.

Hydrate the tenant by running Enable-OrganizationCustomization.

