
Safe attachments and encrypted or password protected attachments


I'm looking for information on how Safe Attachments in Defender for Office 365 deals with attachments that are password protected or encrypted. I can't find anything documented by Microsoft on this scenario. Does anyone have this information at all?

3 Replies
Depends, if there is a way to read the content (for example OME or Azure RMS protected files) it will be scanned. Otherwise it's ignored, and you can configure rules to take an action on such messages.

Thanks Vasil. I added some feedback to the Safe Attachment Docs page asking for what occurs, and the documentation has been updated with this:
"If a file attachment is encrypted or password protected, it can't be examined by Safe Attachments. The message with the attachment will be delivered, and the recipient receives no warning that the file hasn't been scanned by Safe Attachments."

This is not unique to EOP or MDO. Most gateway solutions will not tackle encryption, and encryption can be as little as a write-protect or cell protection password on a document or worksheet. You are dependent on end-point protection to scan the attachment once the recipient has opened it.

For rules, your predicate is "includes an attachment that is password protected" and your actions can be to quarantine, redirect or stamp the e-mail with a disclaimer. One possibility is to prepend the message with the text "This mail contains encrypted attachments. Are you expecting encrypted content from this sender? Check that {your anti-virus} is up to date before opening these attachments, or contact {your support desk} for advice." Needless to say, you should also have a fairly aggressive common attachment types list to keep most dubious attachment types out anyway.
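
The mail flow rule described in the last reply, written out in Exchange Online PowerShell as an added example (it is not from any poster in this thread or from Microsoft's documentation). The rule names, the restriction to external senders and the choice to start in audit mode are assumptions; the `{your anti-virus}` and `{your support desk}` placeholders are kept from the reply and must be replaced.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# account allowed to manage mail flow rules.
Connect-ExchangeOnline

# Disclaimer text taken from the reply above; replace the {placeholders}.
$warning = '<p><b>This mail contains encrypted attachments.</b> ' +
    'Are you expecting encrypted content from this sender? ' +
    'Check that {your anti-virus} is up to date before opening these ' +
    'attachments, or contact {your support desk} for advice.</p>'

# Option 1: deliver the message, but prepend the warning.
$warnRule = @{
    Name                              = 'Warn - password-protected attachment'  # assumed name
    FromScope                         = 'NotInOrganization'   # assumption: external mail only
    AttachmentIsPasswordProtected     = $true                 # the predicate from the reply
    ApplyHtmlDisclaimerText           = $warning
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    # If the body cannot be modified (e.g. the message itself is encrypted),
    # wrap the original in a new message that carries the warning.
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    Mode                              = 'Audit'               # log matches, take no action yet
}
New-TransportRule @warnRule

# Option 2: hold the message in quarantine instead of delivering it.
# Created disabled so it cannot act alongside option 1 by accident.
$quarantineRule = @{
    Name                          = 'Quarantine - password-protected attachment'  # assumed name
    FromScope                     = 'NotInOrganization'
    AttachmentIsPasswordProtected = $true
    Quarantine                    = $true
    Mode                          = 'Audit'
    Enabled                       = $false
}
New-TransportRule @quarantineRule

# Review both rules, then enforce the chosen one after checking the audit matches.
Get-TransportRule -Identity '*password-protected attachment' |
    Format-List Name, State, Mode, Priority
Set-TransportRule -Identity $warnRule.Name -Mode Enforce
```

Running in audit mode first shows how much legitimate mail (password-protected invoices, payslips, protected worksheets) would be stamped or held before the rule affects delivery.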