CIS.M365.2.1.4 - (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy)
Overview
2.1.4 (L2) Ensure Safe Attachments policy is enabled
The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not.
Rationale
Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.
Impact
Delivery of email with attachments may be delayed while scanning is occurring.
Remediation action:
To enable the Safe Attachments policy:
- Navigate to Microsoft 365 Defender.
- Click to expand E-mail & Collaboration, then select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under Policies select Safe Attachments.
- Click + Create.
- Create a Policy Name and Description, and then click Next.
- Select all valid domains and click Next.
- Select Block.
- Quarantine policy is AdminOnlyAccessPolicy.
- Leave Enable redirect unchecked.
- Click Next and finally Submit.
PowerShell
- Connect to Exchange Online using Connect-ExchangeOnline.
- To change an existing policy, modify the example below and run the following PowerShell command:
Set-SafeAttachmentPolicy -Identity 'Example policy' -Action 'Block' -QuarantineTag 'AdminOnlyAccessPolicy' -Enable $true
- Or, edit and run the below example to create a new safe attachments policy.
New-SafeAttachmentPolicy -Name "CIS 2.1.4" -Enable $true -Action 'Block' -QuarantineTag 'AdminOnlyAccessPolicy'
New-SafeAttachmentRule -Name "CIS 2.1.4 Rule" -SafeAttachmentPolicy "CIS 2.1.4" -RecipientDomainIs 'exampledomain[.]com'
Note: Policy targets such as users and domains should include domains or groups that provide coverage for a majority of users in the organization. Different inclusion and exclusion use cases are not covered in the benchmark.
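To confirm the result after remediation, the following added example (not part of the CIS benchmark or the Maester test source) checks each Safe Attachments policy against the settings listed above and flags custom policies that no enabled rule applies to any recipient. The function name `Get-SafeAttachmentFinding` is hypothetical, and the sample policy and rule objects are constructed so the check can be read and run without a tenant.

```powershell
# Added example: hypothetical helper, not Maester's or the benchmark's own code.
function Get-SafeAttachmentFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,  # output of Get-SafeAttachmentPolicy
        [object[]] $Rule = @()                      # output of Get-SafeAttachmentRule
    )
    foreach ($p in $Policy) {
        $issues = @()
        if (-not $p.Enable)                               { $issues += 'Enable is not $true' }
        if ($p.Action -ne 'Block')                        { $issues += "Action is '$($p.Action)', expected 'Block'" }
        if ($p.QuarantineTag -ne 'AdminOnlyAccessPolicy') { $issues += "QuarantineTag is '$($p.QuarantineTag)'" }
        if ($p.Redirect)                                  { $issues += 'Redirect is enabled' }

        # A custom policy protects nobody until an enabled rule assigns recipients to it.
        $linked = @($Rule | Where-Object { $_.SafeAttachmentPolicy -eq $p.Name -and $_.State -eq 'Enabled' })
        if (-not $p.IsBuiltInProtection -and $linked.Count -eq 0) {
            $issues += 'No enabled rule references this policy'
        }

        [pscustomobject]@{
            Policy    = $p.Name
            Domains   = ($linked.RecipientDomainIs -join ', ')
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Constructed sample objects carrying only the properties the check reads.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'CIS 2.1.4'; Enable = $true; Action = 'Block'
                       QuarantineTag = 'AdminOnlyAccessPolicy'; Redirect = $false; IsBuiltInProtection = $false }
    [pscustomobject]@{ Name = 'Legacy policy'; Enable = $true; Action = 'Allow'
                       QuarantineTag = 'DefaultFullAccessPolicy'; Redirect = $false; IsBuiltInProtection = $false }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'CIS 2.1.4 Rule'; SafeAttachmentPolicy = 'CIS 2.1.4'
                       State = 'Enabled'; RecipientDomainIs = @('example.com') }
)
Get-SafeAttachmentFinding -Policy $samplePolicies -Rule $sampleRules | Format-Table -AutoSize -Wrap

# Against a live tenant, after Connect-ExchangeOnline:
# Get-SafeAttachmentFinding -Policy (Get-SafeAttachmentPolicy) -Rule (Get-SafeAttachmentRule)
```

Review the Domains column against the organization's accepted domains to judge whether the compliant policies cover a majority of users, as the note above requires.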
Related links
- Microsoft 365 Defender
- Safe Attachments in Microsoft Defender for Office 365
- Set up Safe Attachments policies in Microsoft Defender for Office 365
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 84
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.4 |
| Severity | High |
| Suite | CIS |
| Category | CIS E5 Level 2 |
| PowerShell test | Test-MtCisSafeAttachment |
| Tags | CIS, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.2.1.4, L2 |
Source
- Pester test: tests/cis/Test-MtCisSafeAttachment.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSafeAttachment.ps1