Safe Attachments Policy Configured

💼 Management Summary

Safe Attachments scans e-mail attachments for malware and zero-day threats in a virtual sandbox: files are 'detonated' (executed in an isolated VM) and their behaviour is analysed before the message is delivered to the user.

Recommendation
Implement
Risk without
Critical
Risk Score
9/10
Implementation
5h (technical: 2h)
Applies to:
M365
Exchange Online
Defender for Office 365
SharePoint
OneDrive
Teams

Email attachments are the primary malware delivery vector, with specific attack types: ransomware via Word/Excel macros (the Emotet, TrickBot, Ryuk delivery chain), credential stealers hidden in PDFs with embedded links or executables, trojans in ZIP/RAR archives that provide backdoor access, polymorphic malware that changes its signature to evade traditional AV, and zero-day exploits in document formats (CVEs in Office and Adobe PDF). Traditional signature-based antivirus detects only KNOWN malware signatures and misses zero-day threats entirely. Safe Attachments uses behavioural analysis (detonation): it opens the attachment in an isolated virtual machine (sandbox), observes its behaviour during execution (registry changes, network connections, file system modifications, process creation), detects malicious behaviour patterns (encryption activity, credential dumping, C2 communication), and blocks delivery when malware is detected. It runs after the standard EOP anti-malware (signature) scan and only detonates attachments that pass it, so it complements rather than replaces signature scanning. This prevents ransomware infections with €500K+ recovery costs, credential-stealing malware, data-exfiltration trojans, and zero-day exploits for which no signature exists. Safe Attachments detection rate: 95%+, including unknown/zero-day malware.

PowerShell Modules Required
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

A Safe Attachments policy has four groups of settings. (1) Action on detected malware: Block quarantines the entire message (most secure, recommended); Replace removes the malicious attachment but delivers the message body (the user sees a notification); Dynamic Delivery delivers the message immediately with a placeholder, scans the attachment in the background and delivers it once it is clean (balances security and user experience; requires the recipient mailbox to be in Exchange Online); Monitor (Action 'Allow' in PowerShell) delivers the message and only logs the detection (NOT RECOMMENDED, testing only). (2) Redirect on detection: forward detected malware to a security-team mailbox for analysis (optional but RECOMMENDED). (3) Action on error: block the attachment when scanning times out or fails (security over availability; ActionOnError in PowerShell). (4) Protection scope: email attachments (always); SharePoint Online documents, OneDrive for Business files and Microsoft Teams files (enable, RECOMMENDED). Note that the SharePoint/OneDrive/Teams protection is a tenant-wide switch (Safe Attachments → Global settings in the portal, Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB in PowerShell), not a per-policy option. Policies are configured via the Microsoft 365 Defender portal or with the PowerShell cmdlet New-SafeAttachmentPolicy, and are scoped to recipients with a matching New-SafeAttachmentRule. Scanning delay is minimal (a few seconds) for most files; Dynamic Delivery removes the user-facing delay.

Prerequisites

The following prerequisites apply to a Safe Attachments implementation:

  1. Microsoft Defender for Office 365 Plan 1 or Plan 2 (included in M365 E5)
  2. Exchange Administrator or Security Administrator role
  3. PowerShell 5.1+ with the ExchangeOnlineManagement module for automation
  4. Quarantine permissions configured: the security team must be able to review quarantined items
  5. Security team email address for malware redirects (optional but recommended)
  6. User awareness: explain Safe Attachments delays (seconds) and placeholders (Dynamic Delivery)
  7. Testing plan: validate that business-critical attachments do not trigger false positives
  8. Incident response: procedure for analysing redirected malware samples

Implementation steps

Safe Attachments implementation via the Microsoft 365 Defender portal:

Use the PowerShell script safe-attachments-policy.ps1 (function Invoke-Remediation) for automated creation of the Safe Attachments policy.

Configuration steps:

  1. Go to security.microsoft.com → Email & collaboration → Policies & rules
  2. Select 'Threat policies' → Safe Attachments
  3. Click 'Create' → Name: 'Safe Attachments - Company Wide'
  4. Safe Attachments unknown malware response:
     - Option 1: Block (recommended for high security): quarantine the entire message
     - Option 2: Dynamic Delivery (balanced): deliver the message immediately with a placeholder for the attachment; the attachment is delivered once the scan completes
     - Option 3: Replace: remove the attachment but deliver the message (user notification)
     - Recommendation: Block for executives/finance, Dynamic Delivery for general users
  5. Enable redirect:
     - Redirect messages with detected attachments: Enabled
     - Send to email address: security-team@company.com
  6. Apply protection if scanning can't complete:
     - Enable: Yes (security over availability: block on timeout/error)
  7. Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams:
     - Enable: Yes (CRITICAL: protects files in collaboration tools). This is a tenant-wide toggle under Safe Attachments → Global settings, not a setting of the individual policy
  8. Applied to: all recipient domains (or specific high-risk groups first)
  9. Priority: 0 (highest-priority policy)
  10. Save and deploy
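The tiered setup recommended above (Block for executives/finance, Dynamic Delivery for everyone else, redirect and block-on-error on both, plus the tenant-wide SharePoint/OneDrive/Teams switch) expressed in PowerShell, as an added example that is not part of the page's own safe-attachments-policy.ps1 script. The security-team mailbox, the high-risk group (which must be a mail-enabled security or distribution group) and the policy/rule names are assumptions to replace with real values; the cmdlets and parameters are those of the ExchangeOnlineManagement module.

```powershell
# Added example: tiered Safe Attachments rollout (not the page's safe-attachments-policy.ps1).
# Assumptions (replace with real values): the security-team mailbox, the high-risk group
# (must be a mail-enabled security or distribution group) and the policy/rule names.
#Requires -Modules ExchangeOnlineManagement

$SecurityMailbox = 'security-team@contoso.com'    # assumed redirect target for detections
$HighRiskGroup   = 'finance-and-exec@contoso.com' # assumed group: executives and finance

Connect-ExchangeOnline -ShowBanner:$false

function Set-BaselineSafeAttachmentPolicy {
    # Creates the policy if it is missing, otherwise brings it to the baseline settings (idempotent)
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Block', 'DynamicDelivery')] [string] $Action
    )
    $settings = @{
        Enable          = $true
        Action          = $Action
        ActionOnError   = $true                   # block when detonation times out or fails
        Redirect        = $true                   # forward a copy of detections to the security team
        RedirectAddress = $SecurityMailbox
        QuarantineTag   = 'AdminOnlyAccessPolicy' # built-in quarantine policy: users cannot release malware
    }
    if (Get-SafeAttachmentPolicy -Identity $Name -ErrorAction SilentlyContinue) {
        Set-SafeAttachmentPolicy -Identity $Name @settings
    } else {
        New-SafeAttachmentPolicy -Name $Name @settings | Out-Null
    }
}

function Set-BaselineSafeAttachmentRule {
    # Binds a policy to recipients; the lower Priority number wins when rules overlap
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [int] $Priority,
        [Parameter(Mandatory)] [hashtable] $Condition   # @{ SentToMemberOf = ... } or @{ RecipientDomainIs = ... }
    )
    if (Get-SafeAttachmentRule -Identity $Name -ErrorAction SilentlyContinue) {
        Set-SafeAttachmentRule -Identity $Name -SafeAttachmentPolicy $PolicyName -Priority $Priority @Condition
        Enable-SafeAttachmentRule -Identity $Name
    } else {
        New-SafeAttachmentRule -Name $Name -SafeAttachmentPolicy $PolicyName -Priority $Priority -Enabled $true @Condition | Out-Null
    }
}

# Tier 1 (priority 0): Block for executives/finance; the whole message is quarantined
Set-BaselineSafeAttachmentPolicy -Name 'SA - High Risk (Block)' -Action Block
Set-BaselineSafeAttachmentRule -Name 'SA - High Risk' -PolicyName 'SA - High Risk (Block)' -Priority 0 `
    -Condition @{ SentToMemberOf = $HighRiskGroup }

# Tier 2 (priority 1): Dynamic Delivery for everyone else in the tenant's accepted domains
$domains = @(Get-AcceptedDomain | Select-Object -ExpandProperty DomainName)
Set-BaselineSafeAttachmentPolicy -Name 'SA - Company Wide (Dynamic Delivery)' -Action DynamicDelivery
Set-BaselineSafeAttachmentRule -Name 'SA - Company Wide' -PolicyName 'SA - Company Wide (Dynamic Delivery)' -Priority 1 `
    -Condition @{ RecipientDomainIs = $domains }

# Tenant-wide switch: Safe Attachments for SharePoint, OneDrive and Teams lives outside the policies
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify the effective rule order and the global switch
Get-SafeAttachmentRule | Sort-Object Priority | Format-Table Name, Priority, State, SafeAttachmentPolicy -AutoSize
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB

Disconnect-ExchangeOnline -Confirm:$false
```

Because rules are evaluated in priority order and the first match wins, the group rule must sit at priority 0 and the domain-wide rule below it; running the script again updates rather than duplicates the policies, which makes it safe to keep in a configuration-drift job.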

Testing and validation:

  1. Test with the EICAR test file: send an email with eicar.com as attachment
  2. Expected result: message quarantined or attachment blocked. EICAR is a signature-based test string, so it is caught by the EOP anti-malware scan before Safe Attachments detonates anything; this test validates the quarantine and redirect pipeline, not the sandbox itself (check the policy type shown on the quarantine entry)
  3. Test business attachments: critical file types (contracts, invoices) are delivered normally
  4. Performance test: measure the delivery delay (should be seconds)
  5. Dynamic Delivery test: verify the placeholder → attachment replacement flow
  6. SharePoint test: upload EICAR to SharePoint, verify the file is flagged as malicious and cannot be opened or downloaded (the upload itself is not blocked; the file is marked after the scan)
  7. Teams test: share a file in Teams, verify scanning works

Monitoring

Use the PowerShell script safe-attachments-policy.ps1 (function Invoke-Monitoring) to check the configuration.

Continuous monitoring:

  1. Threat protection status dashboard: malware detections per day/week/month
  2. Quarantine review: daily review of quarantined malicious attachments
  3. Top malware families: which ransomware/trojans are detected most often?
  4. Detection trends: increase in malware attempts (campaign detection)?
  5. False positives: track legitimate files that were incorrectly quarantined
  6. Scanning delays: monitor user complaints about attachment delays
  7. SharePoint/OneDrive/Teams: separate monitoring for file-based malware
  8. Security team: review redirected malware samples, extract IOCs
  9. Threat intelligence: submit novel malware samples to Microsoft
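A scheduled audit covering items 1, 2 and 7 of the list above, as an added example that is not the page's script: it checks the effective configuration rule by rule (state, action, block-on-error, redirect), the tenant-wide SharePoint/OneDrive/Teams switch, and summarises what was quarantined in the last seven days from mail and from SharePoint/OneDrive/Teams. The seven-day window and the top-10 cut-off are arbitrary choices; the cmdlets and properties are those of the ExchangeOnlineManagement module.

```powershell
# Added example: Safe Attachments configuration and detection audit (not the page's script).
# Assumptions: run by an account that can read policies and quarantine; the 7-day window
# and the top-10 limit are arbitrary choices.
#Requires -Modules ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Effective configuration: every rule and the policy it applies, in priority order
$rules = @(Get-SafeAttachmentRule | Sort-Object Priority)
if ($rules.Count -eq 0) {
    $findings.Add('No Safe Attachments rule exists; only Built-in protection applies')
}
foreach ($rule in $rules) {
    $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
    $tag = "Rule '$($rule.Name)' (priority $($rule.Priority)) -> policy '$($policy.Name)'"
    if ($rule.State -ne 'Enabled')                            { $findings.Add("$($tag): rule is disabled") }
    if (-not $policy.Enable)                                  { $findings.Add("$($tag): policy is disabled") }
    if ($policy.Action -notin @('Block', 'DynamicDelivery'))  { $findings.Add("$($tag): action is $($policy.Action)") }
    if (-not $policy.ActionOnError)                           { $findings.Add("$($tag): delivers the attachment when the scan fails") }
    if (-not $policy.Redirect)                                { $findings.Add("$($tag): detections are not redirected to the security team") }
}

# 2. Tenant-wide switch for SharePoint, OneDrive and Teams (not part of any policy)
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
    $findings.Add('Safe Attachments for SharePoint/OneDrive/Teams is disabled')
}

# 3. Detections in the last 7 days. Quarantine holds mail malware (signature engine and
#    Safe Attachments) and file malware from SharePoint/OneDrive/Teams (type SPOMalware).
$since       = (Get-Date).AddDays(-7)
$mailMalware = @(Get-QuarantineMessage -Type Malware    -StartReceivedDate $since -PageSize 1000)
$fileMalware = @(Get-QuarantineMessage -Type SPOMalware -StartReceivedDate $since -PageSize 1000)

"`nQuarantined in the last 7 days: $($mailMalware.Count) mail items, $($fileMalware.Count) SharePoint/OneDrive/Teams files"

# Top sending domains give a quick view of campaigns (item 4 of the monitoring list)
$mailMalware |
    Group-Object { ($_.SenderAddress -split '@')[-1] } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{ n = 'SenderDomain'; e = { $_.Name } } |
    Format-Table -AutoSize

# Items still sitting in quarantine, for the daily security-team review (items 2 and 8)
$mailMalware |
    Where-Object { -not $_.Released } |
    Select-Object ReceivedTime, SenderAddress, Subject, PolicyName |
    Format-Table -AutoSize

# 4. Report and exit code for the scheduler: non-zero when any finding exists
if ($findings.Count -eq 0) {
    "`n[OK] Safe Attachments configuration matches the baseline"
    $exitCode = 0
} else {
    "`n[FAIL] $($findings.Count) finding(s):"
    $findings | ForEach-Object { " - $_" }
    $exitCode = 1
}

Disconnect-ExchangeOnline -Confirm:$false
exit $exitCode
```

Get-QuarantineMessage returns at most one page per call; for tenants that quarantine more than 1000 items a week, loop over -Page until a call returns nothing. The non-zero exit code lets a scheduled task or pipeline raise an alert on configuration drift rather than on a human reading the console.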

Compliance and Auditing

Safe Attachments is essential for anti-malware compliance: CIS Microsoft 365 Foundations Benchmark control 2.1.5 (Ensure the Safe Attachments policy is enabled), BIO theme 12.02.01 (protection against malware: detective and preventive measures), ISO 27001:2022 A.8.7 (protection against malware), NIS2 Article 21 (cybersecurity risk management: malware prevention), and NIST 800-53 SI-3 (Malicious Code Protection: behavioural analysis). Safe Attachments sandbox detonation is state-of-the-art malware detection.

Remediation

Use the PowerShell script safe-attachments-policy.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Safe Attachments Policy Configuration
.DESCRIPTION
    Ensures Safe Attachments policies are configured to protect against malicious attachments.
    Safe Attachments uses sandbox detonation to detect zero-day malware.
.NOTES
    Filename: safe-attachments-policy.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Requires: Microsoft Defender for Office 365 Plan 1 or 2
.EXAMPLE
    .\safe-attachments-policy.ps1 -Monitoring
    Check if Safe Attachments policies are configured
.EXAMPLE
    .\safe-attachments-policy.ps1 -Remediation
    Create Safe Attachments policy with recommended settings
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    [Parameter(Mandatory = $false)]
    [switch]$Remediation,

    [Parameter(Mandatory = $false)]
    [switch]$Revert,

    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Safe Attachments Policy" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks Safe Attachments policy configuration
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Checking Safe Attachments policies..." -ForegroundColor Gray
        # Licensed tenants always contain the tenant-wide "Built-In Protection Policy"
        # (IsBuiltInProtection = $true). Exclude it so only admin-created policies count;
        # @() keeps .Count valid when zero or one policy is returned.
        $policies = @(Get-SafeAttachmentPolicy -ErrorAction Stop |
            Where-Object { -not $_.IsBuiltInProtection })

        $result = @{
            isCompliant        = $false
            total              = $policies.Count
            properlyConfigured = 0
            policyDetails      = @()
        }

        if ($policies.Count -eq 0) {
            Write-Host " [FAIL] No Safe Attachments policies found" -ForegroundColor Red
            Write-Host " ⚠️ Requires Defender for Office 365 Plan 1 or 2" -ForegroundColor Yellow
        }
        else {
            foreach ($policy in $policies) {
                # Action 'Allow' is the portal's "Monitor" mode: it delivers and only logs
                $isGood = $policy.Enable -and $policy.Action -ne 'Allow'
                if ($isGood) {
                    $result.properlyConfigured++
                    Write-Host " [OK] PROPERLY CONFIGURED: $($policy.Name)" -ForegroundColor Green
                }
                else {
                    Write-Host " ⚠️ NEEDS IMPROVEMENT: $($policy.Name)" -ForegroundColor Yellow
                }
                Write-Host "   Enabled: $($policy.Enable)" -ForegroundColor $(if ($policy.Enable) { 'Green' } else { 'Red' })
                Write-Host "   Action: $($policy.Action)" -ForegroundColor $(if ($policy.Action -in @('Block', 'DynamicDelivery')) { 'Green' } else { 'Yellow' })
                Write-Host "   Redirect: $($policy.Redirect)" -ForegroundColor Cyan

                $result.policyDetails += @{
                    Name     = $policy.Name
                    Enabled  = $policy.Enable
                    Action   = $policy.Action
                    Redirect = $policy.Redirect
                }
            }
        }

        # Compliant only when at least one enabled, non-monitoring policy exists
        $result.isCompliant = ($result.properlyConfigured -gt 0)

        Write-Host "`n Total policies: $($result.total)" -ForegroundColor Cyan
        Write-Host " Properly configured: $($result.properlyConfigured)" -ForegroundColor $(if ($result.properlyConfigured -gt 0) { 'Green' } else { 'Yellow' })

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Safe Attachments configured" -ForegroundColor Green
            exit 0
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Configure Safe Attachments" -ForegroundColor Red
            exit 1
        }
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        Write-Host "Note: Requires Defender for Office 365 license" -ForegroundColor Yellow
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Creates Safe Attachments policy with secure defaults
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Checking existing policies..." -ForegroundColor Gray
        # Ignore the built-in policy, otherwise a custom policy would never be created
        $existing = @(Get-SafeAttachmentPolicy -ErrorAction Stop |
            Where-Object { -not $_.IsBuiltInProtection })
        if ($existing.Count -gt 0) {
            Write-Host " [OK] Safe Attachments policies already exist" -ForegroundColor Green
            Write-Host " Review and update if needed" -ForegroundColor Cyan
            exit 0
        }

        Write-Host "Creating Safe Attachments policy..." -ForegroundColor Gray
        $policyParams = @{
            Name          = 'Default Safe Attachments - NL Baseline'
            Enable        = $true
            Action        = 'Block'  # Block malicious attachments
            ActionOnError = $true    # Block on scanning errors
            Redirect      = $false   # Set to $true and add RedirectAddress = '<security mailbox>' to forward detections
        }
        $policy = New-SafeAttachmentPolicy @policyParams -ErrorAction Stop
        Write-Host " [OK] Policy created: $($policy.Name)" -ForegroundColor Green

        Write-Host "Creating Safe Attachments rule..." -ForegroundColor Gray
        $domains = @(Get-AcceptedDomain | Select-Object -ExpandProperty Name)
        $ruleParams = @{
            Name                 = 'Default Safe Attachments Rule - NL Baseline'
            SafeAttachmentPolicy = $policy.Name
            RecipientDomainIs    = $domains
            Priority             = 0
        }
        $rule = New-SafeAttachmentRule @ruleParams -ErrorAction Stop
        Write-Host " [OK] Rule created: $($rule.Name)" -ForegroundColor Green

        Write-Host "`n[OK] Safe Attachments configured successfully" -ForegroundColor Green
        Write-Host "`nPolicy settings:" -ForegroundColor Cyan
        Write-Host " • Action: Block malicious attachments" -ForegroundColor Gray
        Write-Host " • Applied to: All domains" -ForegroundColor Gray
        Write-Host " • Sandbox scanning enabled" -ForegroundColor Gray
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        Write-Host "Ensure you have Defender for Office 365 Plan 1 or 2" -ForegroundColor Yellow
        exit 2
    }
}

function Invoke-Revert {
    <#
    .SYNOPSIS
        Removes Safe Attachments policy
    #>
    try {
        Write-Host "⚠️ WARNING: Removing Safe Attachments reduces security!" -ForegroundColor Yellow
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        $policy = Get-SafeAttachmentPolicy -Identity 'Default Safe Attachments - NL Baseline' -ErrorAction SilentlyContinue
        if ($policy) {
            # Remove the rule(s) first: a policy cannot be removed while a rule references it
            $rules = @(Get-SafeAttachmentRule | Where-Object { $_.SafeAttachmentPolicy -eq $policy.Name })
            foreach ($rule in $rules) {
                Remove-SafeAttachmentRule -Identity $rule.Name -Confirm:$false -ErrorAction Stop
                Write-Host " Rule removed: $($rule.Name)" -ForegroundColor Yellow
            }
            # Then remove the policy
            Remove-SafeAttachmentPolicy -Identity $policy.Name -Confirm:$false -ErrorAction Stop
            Write-Host " ⚠️ Policy removed" -ForegroundColor Yellow
        }
        else {
            Write-Host " Policy not found" -ForegroundColor Gray
        }
        exit 0
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) {
        Invoke-Revert
    }
    elseif ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        Invoke-Remediation
    }
    else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host " -Monitoring   Check current Safe Attachments configuration" -ForegroundColor Gray
        Write-Host " -Remediation  Create Safe Attachments policy" -ForegroundColor Gray
        Write-Host " -Revert       Remove policy (NOT RECOMMENDED!)" -ForegroundColor Red
    }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Critical: CRITICAL RANSOMWARE AND MALWARE RISK: email attachments are the #1 ransomware delivery method. Without Safe Attachments: zero-day malware (no signatures) bypasses traditional AV entirely, ransomware infections via macro-enabled documents regularly succeed (€500K - €5M recovery costs per incident), credential-stealing trojans exfiltrate passwords and session tokens, and polymorphic malware with changing signatures remains undetected. Safe Attachments behavioural detonation detects 95%+ of malware including zero-days. For organisations without Defender for Office 365: an upgrade is strongly RECOMMENDED; the ROI is immediate at the first blocked ransomware attempt.

Management Summary

Configure Safe Attachments policies: block malicious attachments via sandbox detonation, enable protection for email + SharePoint/OneDrive/Teams, redirect detections to the security team. Zero-day malware detection via behavioural analysis. Requires Defender for Office 365 P1/P2. Meets CIS 2.1.5 (L1), BIO 12.02, ISO 27001 A.8.7, NIS2. Implementation: 2 hours technical + 3 hours testing/communication. CRITICAL ANTI-MALWARE CONTROL.