Safe Attachments & Safe Links
Understanding the Concept
Safe Attachments in Defender for Office 365 provides an additional layer of protection by detonating email attachments in a sandbox environment before delivery. Files are analyzed for malicious behavior in virtual machines, detecting zero-day malware that signature-based scanning misses.
Safe Links protects users from malicious URLs in emails and Office documents by performing real-time URL verification at time-of-click. URLs are rewritten to route through Microsoft's protection service, which checks the destination against known malicious sites and performs dynamic analysis.
Both features can be configured through preset security policies (Standard and Strict) or custom policies. Preset policies are recommended as they follow Microsoft's best practice settings.
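The URL rewriting described above matters during triage, because a mail body or log entry then shows the wrapper rather than the real destination. The following is an added example, not part of the original lesson or Microsoft's own code: it recovers the original URL from a rewritten link. It assumes the wrapper host sits under safelinks.protection.outlook.com and carries the percent-encoded original in a `url` query parameter; the function names and the example.test sample are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated on the page): rewritten links use a host under
# safelinks.protection.outlook.com and carry the original URL, percent-encoded,
# in the "url" query parameter.
WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # a forwarded message can be rewritten more than once
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_wrapped(url: str) -> bool:
    """True only when the host itself is under the wrapper domain."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    return host.endswith(WRAPPER_SUFFIX)


def unwrap(url: str) -> str:
    """Return the original URL, peeling nested wrappers; other input is returned as-is."""
    for _ in range(MAX_DEPTH):
        if not is_wrapped(url):
            break
        inner = parse_qs(urlsplit(url).query).get("url", [])
        if not inner:  # wrapper without a target: keep it for manual review
            break
        url = inner[0]  # parse_qs has already percent-decoded the value
    return url


def original_destinations(body: str) -> list[tuple[str, str]]:
    """Pair every URL found in a message body with its original destination."""
    return [(u, unwrap(u)) for u in URL_RE.findall(body)]


# Constructed sample body (example.test names are placeholders, not real indicators).
SAMPLE_BODY = (
    "Invoice: https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fportal.example.test%2Finvoice%3Fid%3D42%26u%3Da"
    "&data=05%7C01%7Cconstructed&sdata=constructed&reserved=0 "
    "Help: https://help.example.test/faq"
)

if __name__ == "__main__":
    for seen, original in original_destinations(SAMPLE_BODY):
        print(f"{'wrapped' if seen != original else 'direct '}  {original}")
```

Matching on the parsed hostname rather than a substring keeps a lookalike host that merely contains the wrapper domain from being treated as a genuine rewritten link.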
Key Points
- Safe Attachments detonates files in sandbox before delivery
- Three modes: Monitor, Block, Replace, Dynamic Delivery
- Dynamic Delivery delivers email body immediately, replaces attachment after scan
- Safe Links performs time-of-click URL verification
- URLs are rewritten to route through Microsoft protection
- Preset policies (Standard/Strict) recommended over custom
Why This Matters in Real Organizations
Email remains the #1 attack vector. 94% of malware is delivered via email. Safe Attachments stops zero-day malware that traditional antivirus cannot detect, while Safe Links prevents users from reaching phishing and malware download sites.
Common Mistakes to Avoid
Interview Tips
- Explain Safe Attachment detonation modes
- Discuss the time-of-click protection model for Safe Links
Exam Tips (SC-200)
- Know all Safe Attachment modes and when to use each
- Understand Safe Links URL rewriting and time-of-click verification
- Know preset security policy tiers (Standard vs Strict)