The estimated reading time 3 minutes
Microsoft recently announced in the M365 Administration Center notifications that they will be making some adjustments to the paid feature “Safe Attachments.” Specifically, the “Monitor” function will no longer be available. All rules with “Monitor” will be switched to “BLOCK” in February 2025.
See Microsoft’s notification for more details:
Microsoft Exchange Online Protection (Defender for Office 365): Monitor action in Safe attachments policy will retireMC918563
We will retire the Monitor action in the Safe attachments policy in Microsoft Exchange Online Protection (Microsoft Defender for Office 365) starting late February 2025 and ending by late May 2025.
How this will affect your organization:
A Safe attachments policy provides an additional layer of protection against malicious content (attachments) in emails by analyzing attachment content and behavior in a sandbox environment. This policy provides four actions: Off, Monitor, Block, and Dynamic delivery. We made the Monitor action available for customers who wanted a Safe attachments policy to process attachments, deliver the emails (without blocking malicious attachments), and track what happened with attachments identified as malicious. Customers used reports to see detections from the Monitor action in the policy.
As part of this retirement, if your organization has Safe attachments policies set to the Monitor action, we will automatically change the action in from Monitor to Block. We will not change the policy’s recipients, status, or priority. After retirement, the Monitor option will not be available in the Safe Attachments policy page in the Defender security portal or the corresponding Microsoft PowerShell cmdlet.
Before retirement, you can find the Monitor action in Defender > Email & collaboration > Policies & rules > Threat policies > Safe attachments > choose a policy or create a new policy > Edit settings (or Settings if creating a new policy). We will also retire Redirect messages with detected attachments, because this option only supports the Monitor action):
After the retirement, the only actions in the Safe attachments policy will be Off, Block, and Dynamic delivery.
What you need to do to prepare:
Before the retirement, review your Safe attachments policies and take appropriate action if your organization has Safe attachments policies set to the Monitor action. We recommend changing the action from Monitor to Block.
Alternatively, if you still need to run Safe attachment policy in audit mode, we recommend using Evaluation mode. Learn more about Evaluation mode.
Safe Attachments
For those who haven’t heard of Safe Attachments:
This feature is included with Defender for Office 365, which comes in various plans.
At least Plan 1 is highly recommended for all customers, as it significantly enhances security for attachments and Safe Links. Additionally, attachments in other products like OneDrive and Teams (including links) are scanned, providing higher protection.
You can find a good overview of the different plans on M365maps.
Actions to Take
What needs to be done now? It’s important to review the “Safe Attachment Policies” and check if any policies with the “Monitor” option are active. As of October 27, 2024, it is still possible to create “Monitor” policies, but this is no longer recommended!
Existing policies can be quickly reviewed and ideally changed immediately.
There’s still some time until February 2025, but this shouldn’t be put off for too long.
I hope I was able to help some of you avoid an unpleasant surprise next year.