Email - Safe Attachments in Office 365

Overview

Safe Attachments provides an advanced layer of protection for email attachments sent to UCO faculty and staff. After attachments have gone through the basic antivirus and antimalware filters, Safe Attachments ensures they are opened in a virtual environment to look for malicious behavior that standard scanning mechanisms do not catch. This process is entirely automated by Microsoft and has been proven to intercept attachments that could result in account compromise, ransomware infections, and other very serious threats not detected with traditional methods.

Features

  • Attachments are opened in a virtual sandbox environment where they are observed to identify malicious embedded code (macros and scripts) or other behaviors such as web browser redirects to fake login pages.
  • Provides an additional layer of security to protect recipients from advanced threats, allowing for higher confidence that email attachments can be trusted.
  • Entirely automated by Microsoft and does not involve people looking at the attachments.
  • Email delivery is not delayed. Attachment delivery is delayed by a few minutes if one or more attachments require scanning.
  • When attachments require scanning, a placeholder "ATP Scan In Progress" attachment is provided in their place while the scan is running.
  • Once scanning is complete, attachments are dynamically reattached to the email and the placeholder attachment is removed.
  • Attachments identified as malicious are replaced with an "Unsafe Attachments Blocked" attachment that provides details including the names of the blocked attachments and the reasons for the blocks.

User Experience

  1. When a UCO faculty or staff member receives an email that contains attachment types that require scanning, the email will be delivered without delay but will have a placeholder "ATP Scan In Progress" attachment.

    [Image: ATP Scan In Progress Outlook email attachment]

  2. If the "ATP Scan In Progress" attachment is opened before the scanning is complete, it will look similar to the image below, which is followed by a transcription.

    [Image: ATP Scan In Progress attachment opened]

    From: noreply@office365.atp.microsoft.com
    Subject: ATP Scan In Progress

    Office 365 logo
    We're making sure your attachments are safe...
    Names of attachments being scanned

    ATP Dynamic Delivery
    Your attachments are currently being scanned by Advanced Threat Protection:
    In the meantime, click the available previews of your attachments. The attachments without content preview will be available once the ATP scan is complete by reopening the message. The message will be marked as unread in your message list once scanning is completed.
    Once we complete the scan for the message this message will be replaced with either the attachments where the attachment scan verdict is clean, or with an unsafe attachment blocked message.
    Learn more about Advanced Threat Protection and previewable supported files types...

  3. The scanning should only take a few minutes to complete. Once the scan is complete, the original attachments will be dynamically reattached to the email and the placeholder "ATP Scan In Progress" attachment will be removed. The email will be marked as unread in your mailbox to provide a visual indicator that it has been updated.
     
  4. If any attachments are blocked, an "Unsafe Attachments Blocked" attachment will be added to the email. Opening that attachment will look similar to the image below, which is followed by a transcription.

    [Image: Unsafe Attachments Blocked attachment opened]

    From: noreply@office365.atp.microsoft.com
    Subject: Unsafe Attachments Blocked

    Office 365 logo
    Your attachments were found to be unsafe...
    The following attachment(s) were found to be unsafe:
    Names of blocked attachments and the associated detection mechanism that blocked them

    ATP Threat Protection Dynamic Delivery
    Your attachments were scanned by Advanced Threat Protection and found to be unsafe:
    We have completed the Advanced Threat Protection scan of the attachments and found them to be unsafe.
    Per your company administrator's policy, your attachments have been blocked.
    Learn more about Advanced Threat Protection and previewable supported files types...

Frequently Asked Questions (FAQ)

Will this delay email delivery and how much of a delay should be expected?

Email delivery will not be delayed. However, delivery of the attachments to those emails will be delayed when one or more of them needs to be scanned. If scanning is required, you should expect an average delay of 2 to 3 minutes based on UCO testing. Microsoft's official response is to expect an average delay of 4 minutes, and up to 30 minutes depending on attachment type, size, and content, but we haven't observed such lengthy delays in our testing.

What types of attachments require scanning?

Some examples of attachment types that require scanning are PDF, ZIP, HTML, RTF, and Microsoft Office documents. If an email contains any attachment that requires scanning, all attachments for that email will be delayed until the scan is complete. If an email only contains image attachments (such as .png and .jpg) and/or text attachments (such as .txt), those attachments will be delivered without delay as they do not need to be scanned.

Are internal emails (from a UCO sender to a UCO recipient) also scanned?

Yes, internal emails are also scanned to protect UCO recipients from compromised UCO email accounts. However, emailed scans from on-campus scanning devices such as multifunction copiers have a special exception in place that prevents those attachments from being scanned.

Can I request an exception?

An exception should only be requested when it concerns a large number of recurring automated messages from a trusted source. Please contact the UCO Service Desk at (405) 974-2255 to have a service request opened. The request will be reviewed by OIT Information Security staff, who may reach out for additional information. The request will then be approved and implemented, or denied, and you will be notified of the result.

What if a faculty or staff member needs to receive an attachment that keeps getting deleted?

UCO has a variety of other solutions available for sharing files and can provide guidance for these rare cases. Please contact the UCO Service Desk at (405) 974-2255 for assistance.

Service Fees or Additional Costs

There is no additional fee or charge for this service. It is provided to all faculty and staff as part of our Microsoft 365 A5 license.

Details

Article ID: 112231
Created: Mon 3/22/21 10:40 AM
Modified: Wed 5/26/21 9:15 AM