This article is more than 1 year old
None shall pass: Yet another layer to protect hapless users, employers from dodgy docs added to Microsoft 365
Clicking through Protected View is why we can't have nice things, so here's 'Safe Documents'
Feeling a bit uncertain about things? Never fear, kind old Microsoft has made Safe Documents generally available (assuming you're a Microsoft 365 E5 subscriber).
Aimed at enterprise users, the feature improves on the Protected View with which users of Office apps are all too familiar. Protected View is supposed to keep users safe by opening documents in read-only mode, thereby ensuring that any nasties lurking within cannot wreak havoc by leaping out of the sandbox and into a user's setup.
Protected View tends to be triggered when a document comes from somewhere unsafe, such as the internet or from an untrustworthy email sender. It is, in theory, a good thing. However, it can also be a bit of a pain, and all too many users eagerly take the option to edit and print regardless, thus potentially exposing an organisation to harm and undoing all the IT team's hard work securing things.
Enter Safe Documents. Once enabled, an extra layer of security is added which sends the document through Microsoft Defender ATP for scanning before allowing it to be edited.
The scanner allows for a maximum upload size of 60MB, and things can be derailed if timeouts of network connectivity occur (potentially allowing the user to hit the edit button, although the Protected View does urge caution).
If all goes well, then the user may edit the document as normal. However, if the scan detects that something is amiss, then the Protected View bar turns an angry red and the user informed that what they thought was a letter from a wealthy prince was actually something a little more malicious.
It is up to administrators to decide if users should be able to skip through the alerts and jump straight to editing. Admins can also use the Kusto-based Advanced Hunting tools to retrieve additional information.
It's off by default, and enabling it (and doubtless triggering a wave of calls to the helpdesk) is a simple matter of checking a box in the Security & Compliance Center.
Sadly, it is currently only possible to protect those with Microsoft 365 E5 or a Microsoft 365 E5 Security licence from themselves at present, and only those running in Window clients. ®