Office 365 now checks docs for known threats before editing

Posted by & filed under Security News.

Microsoft today announced the general availability of the Office 365 Safe Documents security feature which expands the protection provided by Protected View by checking untrusted documents for risks and known threats.

Safe Documents — launched in private preview in February — uses Microsoft Defender Advanced Threat Protection (ATP) to scan documents opened in Protected view and block users from editing them until a verdict is available.

Protected View is a read-only Office mode for opening documents deemed as potentially unsafe where most editing features are disabled to protect the users’ from threats.

“Although Protected View helps secure documents originating outside the organization, people too often exit the protection sandbox without considering if the document is safe – leaving their organizations vulnerable,” Microsoft said.

“To improve this trust promotion experience for Microsoft 365 Apps, Safe Documents takes away the guesswork by automatically verifying the document against the latest known risks and threat profiles before allowing users to leave the Protected View container.”

On endpoints where the Safe Documents feature is enabled, all untrusted files opened in Protected View will be uploaded and scanned by Microsoft Defender ATP, following the privacy and data handling rules detailed here.

During active scans of untrusted documents originating from outside the enterprise users’ organizations, the customers will be blocked from leaving Protected View and from editing the content.

If the files are found as being free of malicious content, users will be able to exit the Protected View. If the document is deemed unsafe, the users will be warned and blocked from exiting Protected View.

“Admins can configure whether users can bypass and ‘Enable Editing’ for malicious scenarios in the Admin portal,” Microsoft explains. The expected results of a Safe Documents check are available in this support document.

To configure Safe Documents for tenants in their organization (the feature is disabled by default), Security Administrators have to use the Office 365 Security & Compliance Center as detailed here.

The Safe Documents Office 365 security feature is now available for all Office 365 ProPlus customers with Microsoft 365 E5 and E5 Security licenses for Commercial and Education customers on Windows clients.

Redmond previously rolled out enhanced breach detection capabilities for Office 365 ATP to help Security Operations teams to discover breaches easier, as well as remediate hacked accounts and investigate suspicious users.

Office 365 now also blocks harmful content regardless of custom tenant configs unless manually overridden and the Office 365 ATP capabilities will be expanded with attack flow overviews of malware attacks targeting orgs.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.