| title | f1.keywords | ms.author | author | manager | audience | ms.topic | ms.localizationpriority | search.appverid | ms.assetid | ms.collection | ms.custom | description | ms.service | ms.date | appliesto | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams |
|
chrisda |
chrisda |
deniseb |
Admin |
conceptual |
medium |
|
26261670-db33-4c53-b125-af0662c34607 |
|
|
Learn about Microsoft Defender for Office 365 for files in SharePoint Online, OneDrive for Business, and Microsoft Teams. |
defender-office-365 |
6/19/2023 |
|
[!INCLUDE MDO Trial banner]
In organizations with Microsoft Defender for Office 365, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams provides an additional layer of protection against malware. After files are asynchronously scanned by the common virus detection engine in Microsoft 365, Safe Attachments opens files in a virtual environment to see what happens (a process known as detonation). As part of detonation, any password protected files are checked against a list of known passwords or patterns that are typically used by malicious actors. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams also helps detect and block existing files that are identified as malicious in team sites and document libraries.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled by default. To turn it on or off, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores. The following image shows an example of a malicious file detected in a library.
:::image type="content" source="media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png" alt-text="The files in OneDrive for Business with one detected as malicious" lightbox="media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png":::
Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But, they can delete the blocked file.
Here's an example of what a blocked file looks like on a mobile device:
:::image type="content" source="media/cb1c1705-fd0a-45b8-9a26-c22503011d54.png" alt-text="The option to delete a blocked file from OneDrive for Business from the OneDrive mobile app" lightbox="media/cb1c1705-fd0a-45b8-9a26-c22503011d54.png":::
By default, people can download a blocked file. Here's what downloading a blocked file looks like on a mobile device:
:::image type="content" source="media/be288a82-bdd8-4371-93d8-1783db3b61bc.png" alt-text="The option to download a blocked file in OneDrive for Business" lightbox="media/be288a82-bdd8-4371-93d8-1783db3b61bc.png":::
SharePoint Online admins can prevent people from downloading malicious files. For instructions, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.
To learn more about the user experience when a file has been detected as malicious, see What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft Teams.
View information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in reports for Microsoft Defender for Office 365 and in Explorer (and real-time detections).
When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see Manage quarantined files in Defender for Office 365.
-
Defender for Office 365 doesn't scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This behavior is by design. Files are scanned asynchronously. The process uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.
-
Make sure your SharePoint sites are configured to use the Modern experience. Visual indicators that a file is blocked are available only in the Modern experience.
-
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is part of your organization's overall threat protection strategy, which includes anti-spam and anti-malware protection in Exchange Online Protection (EOP), as well as Safe Links and Safe Attachments protection in Microsoft Defender for Office 365.