Secure Email Communication with Microsoft 365

Most risky email incidents start the same way: a convincing message, a routine request, and a PDF that looks harmless. Microsoft 365 gives you guardrails with Safe Attachments and Safe Links, but closing the gap on invoice scams and weaponized PDFs takes some tuning and a light content-inspection layer.

This guide outlines a practical baseline for Safe Attachments, how to handle PDFs intelligently, and where a simple text-extraction check can catch what detonation alone misses.

What Safe Attachments Actually Does (and Doesn’t)

Safe Attachments detonates files in a virtual environment to catch malware and ransomware before delivery. Think of it as a “quarantine-and-test” room that supplements Microsoft 365's anti-malware scanning.

For most organizations, enabling the Standard or Strict preset policies is the quickest win. They apply sensible defaults and prioritize scanning so high-risk mail gets inspected first. Dynamic Delivery then releases the message body while the attachment is still being checked, so users aren’t blocked unnecessarily.

Microsoft’s own write-up explains how Dynamic Delivery works and where it applies. Still, detonation doesn’t understand your vendor list, bank details, or whether Accounts Payable actually requested a routing change. Attackers lean on clean PDFs—no macros, no scripts—because they’re effective social-engineering containers. That’s where a narrow, business-aware PDF control helps.

Why PDFs Slip Through Typical Controls

Two factors make PDFs difficult.

  1. Many malicious campaigns now use “goodware” documents: sanitized invoices that quietly change a beneficiary or include a QR code to a look-alike portal. There’s no exploit to detect, only a mismatched business context.
  2. Even when URLs are included, the payload may resolve later or sit behind a login flow, so reputation signals look fine at the time of click.

A small, deterministic content check—extracting vendor names, IBANs, or approval terms—often exposes what sandboxes can’t. Federal guidance reinforces the need for layered defenses: combine gateway controls, sandboxing/detonation, and file-handling policies rather than relying on a single tool. The Counter-Phishing Recommendations for Non-Federal Organizations is a useful reference if you need to explain this approach to finance or leadership.

A Practical Safe Attachments Policy Baseline for SMBs

Address Microsoft 365 email security issues with the presets first, and tighten where risk demands it. In most tenants, enabling the Standard or Strict security policies delivers Safe Attachments and Safe Links coverage without hand-crafting every rule. From there:

  • Enable Dynamic Delivery.
  • Make sure ZAP (zero-hour auto purge) is active.
  • Review who’s excluded from scanning—there shouldn’t be many.

If a bypass is required for a line-of-business sender, restrict it with a dedicated transport rule, clear business justification, and an expiration date. Microsoft’s configuration docs are helpful for understanding priority order, licensing boundaries, and where custom policies fit.

Layering in PDF Content Checks Without Slowing Email

Once Safe Attachments is set, add a lightweight inspection step for high-risk PDFs—like invoices, POs, or vendor forms. The goal isn’t a full DLP program; it’s to extract a few fields and compare them against what your finance system expects.

A script can parse PDFs and hand text to policy checks, flagging changes to payee or bank fields on known vendors or phrases such as “urgent update to bank details.” If you need a practical example, you can automate document parsing with a Python workflow that pulls text reliably from PDFs. Run this outside Microsoft 365 to avoid disrupting mail flow, and have it raise a review in your helpdesk or SIEM for finance to confirm.
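A sketch of the policy-check half of that workflow, added here as an illustration and not taken from the article or from Microsoft. It assumes the PDF text has already been extracted by whatever PDF library you use; the vendor table, the extra phrases and both sample documents are constructed.

```python
import re

# Constructed sample data (assumption): vendor name -> IBAN held in the finance system.
VENDOR_IBANS = {"Northwind Supplies GmbH": "DE89370400440532013000"}
# The first phrase is quoted in the article; the others are illustrative.
RISK_PHRASES = ("urgent update to bank details", "new bank account", "change of beneficiary")
# IBAN as printed: country code, two check digits, alphanumerics in optional groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end, map A..Z to 10..35."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def iban_candidates(text: str) -> list[str]:
    """IBAN-shaped strings in the text, spaces removed, in order of first appearance."""
    found = (m.group(0).replace(" ", "") for m in IBAN_RE.finditer(text.upper()))
    return list(dict.fromkeys(found))


def review_invoice_text(text: str) -> list[str]:
    """Return the reasons this document should go to finance for review (empty list = none)."""
    flat = " ".join(text.lower().split())  # collapse line breaks so phrases match across wraps
    reasons = [f"phrase: {p}" for p in RISK_PHRASES if p in flat]
    vendors = [v for v in VENDOR_IBANS if v.lower() in flat]
    if not vendors:
        reasons.append("no known vendor named in document")
    for cand in iban_candidates(text):
        masked = f"{cand[:4]}...{cand[-4:]}"  # keep full account numbers out of tickets and logs
        if not iban_is_valid(cand):
            reasons.append(f"IBAN {masked} fails checksum")
        elif any(cand != VENDOR_IBANS[v] for v in vendors):
            reasons.append(f"IBAN {masked} is not the one on file")
    return reasons


# Constructed extracted text: a routine invoice and one carrying a changed bank account.
CLEAN = "Invoice 1042\nNorthwind Supplies GmbH\nIBAN: DE89 3704 0044 0532 0130 00\nTerms: net 30\n"
CHANGED = ("Northwind Supplies GmbH\nUrgent update to bank\ndetails: please pay to\n"
           "IBAN GB82 WEST 1234 5698 7654 32\n")
```

Every reason returned is a prompt for a human check, not a verdict; an empty list means none of these rules fired.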

Safe Links Still Matter for PDFs

Even when attachments are clean, PDFs often contain links that later flip malicious. Safe Links wraps and evaluates URLs at the time of click across email and Office apps. This protects against delayed-activation campaigns and compromised vendor portals.

Keep Safe Links enabled with Safe Attachments, and avoid third-party link wrappers that prevent Microsoft from evaluating URLs. To stakeholders, emphasize that time-of-click checks complement detonation by catching late redirects and compromised sites.

An Operations-First Rollout Plan

Treat this rollout like any change that affects people and money.

  • Enable the Standard preset broadly.
  • Move high-risk groups—finance, AP, executives—to Strict.
  • Add the PDF content check only to invoice and PO workflows first; that’s where you’ll see the impact.

Explain what users will see when a file is under detonation—messages arrive while attachments are still being scanned—and highlight the banner so they don’t re-request the file. If you have Safe Documents for Office apps, keep it enabled so that opened files are rescanned in the cloud.

Handling False Positives Without Training Users to Ignore Alerts

False positives usually fall into two categories: detonation delays and content-check noise.

  • For delays, monitor “Delivered without scanning” and “Message delayed due to scanning” events. If lag is chronic with a trusted sender, work with them on file formats instead of creating broad bypasses.
  • For content checks, treat it like finance QA: a quick second-person review for flagged changes. Blanket overrides only train attackers to target your exceptions.

Telemetry That Actually Matters

Focus on Safe Attachments report views in the Defender portal, particularly detection disposition (malware vs. suspicious) and top-flagged senders and file types. Pair this with helpdesk tags for “invoice change request” and “vendor onboarding.”

If flagged PDF trends drop but finance tickets spike, your content check may be too strict—or attackers may have shifted from attachments to portal links.

Where This Fits in Microsoft 365 Email Security

Attachment controls work best as part of a broader Microsoft 365 email security baseline:

  • MFA for admins and users.
  • Conditional Access policies.
  • Awareness training so employees know what “normal” looks like.

For more depth, see our Microsoft 365 email security overview, our breakdown of common misconfigurations, and our guide on how phishing emails bypass default security. These complement Secure Score reviews and help non-security stakeholders understand priorities.

Wrapping Up: Making Safe Attachments and PDFs Effective

When configured correctly and paired with targeted PDF content checks, Safe Attachments delivers strong coverage—sandboxing for technical threats and context for financial ones. Keep Safe Links on, monitor telemetry, and reserve bypasses for exceptional cases. Done right, Microsoft 365 Safe Attachments and PDF controls become a quiet, reliable backstop for both your team and your money.

To learn more, see our Strategies Against Phishing in Microsoft 365 Guide. 
