Your employee gets an email. It looks like an invoice from a supplier. There's a PDF attached. They open it.

That's it. That's how ransomware gets in.

For small and medium-sized businesses, a single malicious email attachment can mean days of downtime, thousands in recovery costs, and — worst of all — the trust of your customers shattered. You don't have a dedicated IT security team watching every inbox. You rely on your people to make smart decisions, and attackers know it.

Here's the good news: if your business uses Microsoft 365, you already have access to a powerful tool that catches dangerous attachments before anyone can open them. It's called Safe Attachments in Microsoft Defender for Office 365, and most SMBs either haven't turned it on or haven't configured it properly.

What Is Safe Attachments in Microsoft Defender for Office 365?

Safe Attachments in Microsoft Defender for Office 365 is a feature inside Microsoft Defender for Office 365 that adds a critical layer of protection on top of your standard antivirus scanning.

Here's how it works: instead of just checking a file against a list of known viruses, Safe Attachments opens the suspicious file inside a secure virtual environment — called a sandbox — and watches what it does. If the file tries to run a script, download malware, or tamper with system settings, it gets blocked. The whole process, known as detonation, typically completes in 2–15 minutes.

Think of it as a hazmat team opening a suspicious package in a sealed room before it ever lands on your employee's desk.

Standard antivirus misses threats it hasn't seen before. Safe Attachments catches zero-day attacks, new ransomware variants, and cleverly disguised phishing files that traditional scanning won't flag.

Why SMBs Can't Afford to Skip This

You might think, "We're a small business — why would hackers target us?"

Because you're easier. Cybercriminals automate their attacks and cast wide nets. Small businesses are attractive targets precisely because they often lack enterprise-grade defenses. And the consequences are disproportionate: a large corporation survives a breach with its legal team and cyber insurance. A 20-person business might not.

Safe Attachments in Microsoft Defender for Office 365 protects not just email, but also files shared through SharePoint, OneDrive, and Microsoft Teams — the tools your team uses every day to collaborate. One infected file shared through Teams can spread to everyone who opens it.

What You Need Before Getting Started

Safe Attachments is included in Microsoft Defender for Office 365 Plan 1 and Plan 2. Check which plan you have:

• Microsoft 365 Business Premium — includes Defender for Office 365 Plan 1

• Microsoft 365 E3 — requires adding Plan 1 or Plan 2 separately

• Microsoft 365 E5 — includes Plan 2 automatically

You'll also need admin access. Specifically, you need the Security Administrator or Organization Management role in your Microsoft 365 tenant. If you're the business owner managing your own Microsoft 365 account, you almost certainly have this.

Step-by-Step: How to Configure Safe Attachments in Microsoft Defender for Office 365 Policies

Step 1 — Sign Into the Microsoft Defender Portal

Go to https://security.microsoft.com and sign in with your admin account.

Step 2 — Navigate to Safe Attachments

In the left-hand menu, go to: Email & Collaboration → Policies & Rules → Threat Policies → Safe Attachments

Or go directly to: https://security.microsoft.com/safeattachmentv2

Step 3 — Enable Protection for SharePoint, OneDrive, and Teams

Before creating a policy, click Global Settings and turn on:

• "Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams" — this prevents users from downloading malicious files shared in your collaboration tools.

• "Turn on Safe Documents for Office clients" (if you have E5 or Microsoft 365 E5 Security) — this sends document information to Microsoft Defender for Endpoint for deeper analysis.

Click Save.

Step 4 — Create Your Safe Attachments Policy

Click Create to start a new policy. Walk through these settings:

Name your policy — something clear like "SMB Safe Attachments – All Users."

Users and Domains — add your entire company domain (e.g., yourcompany.com) so the policy covers everyone automatically.

Response setting — this is the most important choice:

• Block is the option most SMBs should choose. When Safe Attachments detects a threat, both the email and the attachment are quarantined before anyone can open them. It's the most protective setting and the default in Microsoft's own Standard and Strict preset policies — maximum protection, no exceptions.

• Dynamic Delivery is worth considering if your team is sensitive to email delays. The email body lands in the inbox immediately while the attachment is held back and scanned in the background. Once cleared, the attachment is released. You get speed without skipping the safety check.

• Monitor scans and delivers everything without blocking anything — it simply logs what it finds. This was useful as a testing mode before committing to enforcement, though Microsoft retired this option in early 2025 and automatically migrated any Monitor policies to Block.

Recommended for most SMBs: start with "Block." This is the default setting in Microsoft's own Standard and Strict preset security policies — there's a reason for that.

Quarantine Policy — this controls what happens to blocked messages. The default keeps quarantined emails admin-only, meaning your users won't accidentally release a dangerous file themselves. Leave this as-is unless you have a specific reason to change it.

Click through and Save your policy.

Step 5 — Verify Everything Is Working

Back on the Safe Attachments page, confirm your policy shows as Enabled with the correct Priority listed. You can also check the Defender for Office 365 reports in the portal to see scan activity and any detections.

The Easier Path: Use Microsoft's Preset Security Policies

If all of the above feels like too many decisions, Microsoft actually recommends a simpler approach for most organizations: turn on the Standard or Strict preset security policies and add all your users.

These presets automatically configure Safe Attachments (along with Safe Links, anti-phishing, and anti-malware) using Microsoft's recommended settings. You don't have to choose between Block or Dynamic Delivery — Microsoft has already decided based on real-world threat data.

To set this up, go to: Threat Policies → Preset Security Policies

Choose Standard Protection, add all users, and save. You're done. Custom policies are great for granular control, but presets get you 90% of the way there in five minutes.

How PlexHosted Can Help

Configuring Safe Attachments in Microsoft Defender for Office 365 correctly is one thing — keeping it optimized as your business grows is another. At PlexHosted, we are a Microsoft Solution Partner and managed security service provider specializing in Microsoft cloud environments. We handle the full setup, monitoring, and ongoing management of your Microsoft 365 security policies, including Safe Attachments, Safe Links, and threat protection across email, SharePoint, OneDrive, and Teams. Whether you're in healthcare, financial services, government, or any other regulated industry, we align your security configuration to frameworks like NIST, HIPAA, and CIS Controls — so you're protected and compliant.