Retirement of ‘Replace’ Policy Action in Office 365 Safe Attachments Policies

Email communication plays a vital role in all our organizations, which needs to be monitored and scanned for protection. Attachments being part of email communication possess various risks of phishing, viruses, spyware, and ransomware. So Microsoft introduced various email security measures to prevent your Office 365 organization. And here, the ‘Safe Attachments Policies’ comes as a solution to add a layer of protection to email communication.

It prevents the users from opening malware attachments, so they do not trap themselves in cyber security threats! Through the Safe Attachments policy’s set of five customizable policy actions, organizations can enhance their defenses against suspicious malware entering their infrastructure via email communication.

One such policy action is the ‘Replace‘ policy action, which is soon to be retired as per the announcement made in the MC424901. Let us see the safe attachments policy in detail before jumping into the topic of deprecating the ‘Replace’ policy action.

Stay informed with Upcoming Microsoft 365 changes and end-of-support milestones.

The Office 365 safe attachment policy in Microsoft 365 Defender portal uses a virtual environment to scan all the inbound email messages for any suspicious malware and provides an extra layer of protection.

Safe attachment policies are set up in the Microsoft 365 Defender portal to manage safe attachment protection. You can configure safe attachment policies by navigating to the below path.

Microsoft 365 Defender portal -> Email & collaboration -> Policies & rules -> Threat policies -> Policies -> Safe attachments.

1. Select the Create option in the Safe attachments policy.

2.Then give a Name to your policy and add a description to it.

3.Add the Users, Groups, and Domains you want to include and exclude in the policy.

4.Choose one of the policy actions from the given options. Safe attachments include five policy actions which are listed below.

• Off – Turning the safe attachments off is not secure as it stops the scanning of attachments.
• Monitor – The action involves monitoring and delivering messages that have malware attachments, followed by tracking the detected malware and observing its spread within your organization.
• Replace – Delivers the messages but blocks the malware-containing attachments and notifies the recipient about the malware attachments.
• Block – Blocks all the messages from the sender once the malware is detected.
• Dynamic Delivery – Delivers the messages first and sends attachments after scanning.

5.After selecting the policy action define the Quarantine policy and click Next.

6.Review the policy settings and select Save.

And here is where Microsoft announced the deprecation of the ‘Replace’ policy action in Safe Attachments as the latest security update. So, now let’s drill down into the finer details of the ‘Replace’ policy action and analyze whether this deprecation is a good or bad idea.

Before delving into the analysis of whether it’s good or bad, let’s get to know what the actual procedure is for the ‘Replace’ policy action in the safe attachments policy.

• First, the body of the message is delivered, and then the attachment is scanned for risks.
• If an attachment possesses a threat while scanning, it replaces the specific attachment with a text(.txt) file.
• Here the text file actually notifies the user about the malware attachment in the email.
• Then, finally, the attachment is quarantined and only the admins can view &edit this file.

Below is a sample malware alert text that a recipient will receive when any suspicious content is found.

But now the major update is, the ‘replace’ policy action is going to be removed from the Microsoft safe attachment policies in two phases.

1. In the first phase, the policies with the ‘Replace’ action behavior are switched to the Block action behavior, i.e., which quarantines the emails.
2. By the second phase, the ‘Replace’ option will be discarded from the Microsoft 365 Defender portal. Also, the cmdlets related to the ‘Replace’ action will be removed. Thus, any existing policy with the ‘Replace’ option will be changed to a ‘Block’ action automatically.

Currently, we are in the first phase of deprecation, where this option is available with a notifying message in the Defender portal, as shown in the screenshot below.

As now we are clear about what ‘replace’ action is and what it does in safe attachments, let us discuss its benefits and drawbacks. In general, ‘Replace’ action in safe attachments literally had some severe drawbacks.

• Firstly, it delayed the delivery of safe messages due to the scanning of Office 365 safe attachments. Thus, the time delay is avoided due to the removal of this policy action.
• Previously, both the users and admins had the visibility of compromised users within their organization. But due to the removal of this ‘Replace’ policy action, only admins have visibility of compromised users.

Although the ‘replace’ option has many drawbacks it has its advantages.

For example, Usually, an organization receives a huge number of emails with specific types of attachments such as .exe or .bat files. This type of file usually contains a malware infection. At the same time, some emails may contain legitimate attachments that are needed by the organization. But blocking all the messages would be inappropriate here.

In this case, the ‘replace’ option would be more effective to receive messages with legitimate attachments. The ‘replace’ action blocks the messages with high-risk attachments and replaces them with a notification. Therefore, this allows your organization to receive legitimate attachments from external sources while protecting against malware infections. And most importantly, the user will be aware of the high-risk attachment they receive.

As there are no alternatives to the ‘Replace’ policy action, Office 365 admins can only change the existing policies with this policy action to either the ‘Block’ action or ‘Dynamic Delivery’ action.

If the email messages are of much importance or when you are sure it is from a trusted sender, then edit the policy settings to Dynamic Delivery policy action. Otherwise, change it to the ‘Block’ action as a safety precaution.

Thus, alter all the ‘Replace’ actions existing in your safe attachment policies immediately! Better customize them now to either the ‘Block’ or ‘Dynamic Delivery’ option. Or else it will be too late to change as the existing policies will be automatically moved to the ‘Block’ option!

Until then, implement the best Microsoft 365 Defender’s security settings and stay safe. Hope you find this blog useful and informative. What are your thoughts about this deprecation? Do you think it is a good decision or a bad decision? Share your experiences and thoughts in the comment section.