Even without Defender for Office 365, every single attachment is scanned for known malicious signatures, but this only helps for the known, what about the unknown?
With Safe Attachments, messages with unsafe attachments that don’t match known signatures are sent to a sandboxed virtual environment where they are securely opened.
If suspicious activity is detected, like a virus or malware trying to execute, the message is rejected or quarantined. If no suspicious activity is detected, the message is released to the user.
Dynamic delivery is a policy that seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.
If an attachment is found to be malicious, the message is quarantined. Only admins (not end-users) can review, release, or delete messages that were quarantined by Safe Attachments scanning.
Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.
Legitimate attachments are being blocked
Please contact our help desk for help with getting flagged attachments released from the system.
Would you like to know more?
Microsoft has some excellent documentation here: Safe Attachments in Microsoft Defender for Office 365