Posey's Tips & Tricks

How Microsoft 365 'Safe Documents' Works

Because sometimes (a lot of the time), Protected View isn't enough to guard against potentially malicious Office documents.

I will never forget a memo I received back in the late 1990s. At the time, I was working as an author for a tech journal. The company I worked for sent out a memo warning us to be careful about opening Office documents that had not been created in-house. It explained that malware authors had begun creating Office documents that included malicious macros. At the time, Office applications such as Word and Excel executed macros automatically, so just opening a malicious document could result in your system being harmed.

Since then, Microsoft has taken a number of steps to protect Office users against potentially malicious documents. Initially, Microsoft made it so that Office document macros did not automatically execute. Later, it incorporated the Protected View feature that is still in use today. Protected View causes an Office document to be treated as Read Only unless the user specifically enables editing of the document. This helps insulate the user against any malicious code that might be embedded in the document. You can see what Protected View looks like in Figure 1.

[Click on image for larger view.] Figure 1: Protected view causes Office documents to be treated as read only.

Although Protected View has its place, it isn't perfect. Consider, for example, that the screen capture shown above was taken from a document that I authored on my own computer and saved to my own network. Needless to say, I didn't include anything malicious in the document.

I mention this as a way of pointing out that Protected View makes no distinction between a malicious document and a safe document, or between a document that you created yourself and a document that you downloaded from a dubious source on the Internet. It treats every document the same.

While there is nothing wrong with allowing Protected View to act as a generic protective mechanism, users become conditioned to simply click the Enable Editing button as soon as they open a document, thereby completely bypassing the protection provided by Protected View. In fact, I try to be diligent about keeping my network secure, but there has been more than one occasion in which I have accidentally clicked the Enable Editing button, just because I am in the habit of having to click that button whenever I open one of my own documents.

Thankfully, Microsoft has recently implemented a new type of document safety, which it has aptly named Safe Documents. Safe Documents uses Microsoft Defender Advanced Threat Protection to scan documents that are open in Protected View. The idea is that rather than simply displaying a generic warning message like the one shown in Figure 1, Office is now able to identify specific threats and can warn users if it finds that a document is indeed malicious.

Although the Safe Documents feature is relatively straightforward, there are two important things that you need to know about it.

First, Safe Documents is not enabled by default. You can enable Safe Documents by logging into Microsoft 365 as an administrator and opening the Security and Compliance Center. From there, navigate through the console tree to Threat Management | Policy | ATP Safe Attachments. Finally, select the checkbox labeled "Turn On Safe Documents for Office Clients." You can find the checkbox just beneath the "Help People Stay Safe When Trusting a File to Open Outside Protected View in Office Applications" section.

Incidentally, Microsoft also provides a checkbox labeled "Allow People to Click Through Protected View Even if Safe Documents Identifies the File as Malicious." As a general rule, you should not select this checkbox unless you have a very good reason for doing so. Otherwise, you risk exposing users to malicious content.

The second thing you need to know about Safe Documents is that not every Microsoft 365 customer will have access to the Safe Documents feature. Unfortunately, Microsoft is only making Safe Documents available to those who have a Microsoft 365 E5 or Microsoft 365 E5 Security subscription.

If you would like to know more about the new Safe Documents feature, you can find all the details here.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus

Subscribe on YouTube