- Article
- Applies to:
- ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2, ✅ Microsoft Defender XDR
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.
In organizations with Microsoft Defender for Office 365, Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams in the Microsoft Defender portal or in Exchange Online PowerShell.
What do you need to know before you begin?
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the Organization Management or Security Administrator role groups in the Microsoft Defender portal. For more information, see Permissions in the Microsoft Defender portal.
To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the Global Administrator or SharePoint Administrator roles in Microsoft Entra ID.
Verify that audit logging is enabled for your organization (it's on by default). For instructions, see Turn auditing on or off.
Allow up to 30 minutes for the settings to take effect.
In the Microsoft Defender portal at https://security.microsoft.com, go to Policies & rules > Threat policies > Safe Attachments in the Policies section. Or, to go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
On the Safe Attachments page, select
Global settings.In the Global settings flyout that opens, go to the Protect files in SharePoint, OneDrive, and Microsoft Teams section.
Move the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams toggle to the right
to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.When you're finished in the Global settings flyout, select Save.
Global settings.
to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.If you'd rather use PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, connect to Exchange Online PowerShell and run the following command:
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $trueFor detailed syntax and parameter information, see Set-AtpPolicyForO365.
By default, users can't open, move, copy, or share* malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can delete and download malicious files.
* If users go to Manage access, the Share option is still available.
To prevent users from downloading malicious files, connect to SharePoint Online PowerShell and run the following command:
Set-SPOTenant -DisallowInfectedFileDownload $trueNotes:
- This setting affects both users and admins.
- People can still delete malicious files.
For detailed syntax and parameter information, see Set-SPOTenant.
Step 3 (Recommended) Use the Microsoft Defender portal to create an alert policy for detected files
You can create an alert policy that notifies admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alert policies, see Alert policies in the Microsoft Defender portal.
In the Microsoft Defender portal at https://security.microsoft.com, go to Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpolicies.
On the Alert policy page, select
New alert policy to start the new alert policy wizard.On the Name your alert, categorize it, and choose a severity page, configure the following settings:
- Name: Type a unique and descriptive name. For example, Malicious Files in Libraries.
- Description: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
- Severity: Select Low, Medium, or High from the dropdown list.
- Category: Select Threat management from the dropdown list.
When you're finished on the Name your alert, categorize it, and choose a severity page, select Next.
On the Choose an activity, conditions and when to trigger the alert page, configure the following settings:
- What do you want to alert on? section > Activity is > Common user activities section > Select Detected malware in file from the dropdown list.
- How do you want the alert to be triggered? section: Select Every time an activity matches the rule.
When you're finished on the Choose an activity, conditions and when to trigger the alert page, select Next.
On the Decide if you want to notify people when this alert is triggered page, configure the following settings:
- Verify Opt-in for email notifications is selected. In the Email recipients box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
- Daily notification limit: Leave the default value No limit selected.
When you're finished on the Decide if you want to notify people when this alert is triggered page, select Next.
On the Review your settings page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
In the Do you want to turn the policy on right away? section, select Yes, turn it on right away.
When you're finished n the Review your settings page, select Submit.
On this page, you can review the alert policy in read-only mode.
When you're finished, select Done.
Back on the Alert policy page, the new policy is listed.
New alert policy to start the new alert policy wizard.Use Security & Compliance PowerShell to create an alert policy for detected files
If you'd rather use PowerShell to create the same alert policy as described in the previous section, and run the following command:
New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"Note: The default Severity value is Low. To specify Medium or High, include the Severity parameter and value in the command.
For detailed syntax and parameter information, see New-ActivityAlert.
How do you know these procedures worked?
To verify that you've successfully turned on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, use either of the following steps:
In the Microsoft Defender portal, go to Policies & rules > Threat Policies > Policies section > Safe Attachments, select Global settings, and verify the value of the Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams setting.
In Exchange Online PowerShell, run the following command to verify the property setting:
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODBFor detailed syntax and parameter information, see Get-AtpPolicyForO365.
To verify that you've successfully blocked people from downloading malicious files, open SharePoint Online PowerShell, and run the following command to verify the property value:
Get-SPOTenant | Format-List DisallowInfectedFileDownloadFor detailed syntax and parameter information, see Get-SPOTenant.
To verify that you've successfully configured an alert policy for detected files, use either of the following methods:
In the Microsoft Defender portal at https://security.microsoft.com/alertpolicies, select the alert policy, and verify the settings.
In Security & Compliance PowerShell, replace <AlertPolicyName> with the name of the alert policy, run the following command, and verify the property values:
Get-ActivityAlert -Identity "<AlertPolicyName>"For detailed syntax and parameter information, see Get-ActivityAlert.
Use the Threat protection status report to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data by: Content > Malware view.
