Anti-Malware Policy
Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-malware
Anti-malware policies scan email attachments for malware and block or quarantine infected messages before delivery.
Default Policy Settings
The default policy applies to all users. Create a custom policy if you need different settings per group.
Recommended settings
Protection settings
| Setting | Recommended value |
|---|---|
| Enable the common attachments filter | On |
| Automatically remove email with common attachment types | On |
| Enable zero-hour auto purge (ZAP) | On |
Common attachment types filter
Enable the common attachments filter, which blocks files by extension regardless of content scanning. Default blocked types include:
ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, pkg, plg, ps1, ps2, psc1, psc2, rpm, scr, shk, sys, vb, vbe, vbs, vxd, wsf, wsh, xll, xz, z
Add file types for your environment
Consider also blocking: .hta, .vbs, .js, .jse, .wsf, .wsh if these are not used in your environment. Of these, hta, vbs, wsf and wsh already appear in the default list above; .js and .jse do not.
Quarantine policy
| Verdict | Action |
|---|---|
| Malware | Quarantine (admin-only release) |
Use AdminOnlyAccessPolicy — users should never self-release malware-quarantined messages.
Safe Attachments
Defender portal → Threat policies → Safe Attachments
Safe Attachments detonates email attachments in a sandbox before delivery. Requires Defender for Office 365 Plan 1.
Recommended policy
Apply to all users:
| Setting | Recommended value |
|---|---|
| Safe Attachments unknown malware response | Block |
| Quarantine policy | AdminOnlyAccessPolicy |
| Enable redirect | On — redirect to security team mailbox for investigation |
| Redirect address | security@yourdomain.com |
| Apply the above selection if malware scanning times out or error occurs | On |
Safe Attachments for SharePoint, OneDrive, and Teams
Enable at the global level:
Defender portal → Threat policies → Safe Attachments → Global settings
| Setting | Value |
|---|---|
| Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams | On |
| Turn on Safe Documents for Office clients | On (requires Microsoft 365 E5 or Microsoft 365 E5 Security) |
Useful PowerShell
```powershell
Connect-ExchangeOnline -UserPrincipalName admin@domain.com

# View malware filter policy settings
Get-MalwareFilterPolicy -Identity Default | Select-Object *

# Check if common attachment filter is enabled
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, FileTypes

# List currently quarantined malware messages
Get-QuarantineMessage -QuarantineTypes Malware -StartReceivedDate (Get-Date).AddDays(-7) |
    Select-Object Subject, SenderAddress, RecipientAddress, ReceivedTime

# View Safe Attachments policies (requires ExO module + Defender permissions)
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress
```