As you already know, Office clients always open ‘unsafe’ documents (email attachment or downloaded from the Internet) in the well-known Protected View (https://support.microsoft.com/en-us/office/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653?ui=en-us&rs=en-us&ad=us) to block all active content (like links) or edition mode.
That said, we all know also that end-users quickly turn off the Protected View without even checking if this action is safe.
Since Office 365 has been introduced, Microsoft has been added additional security features to help protect end-users like ATP Safe Links or ATP Safe Attachments.
Well, a new capability has been added to ATP Safe Attachments to automatically analyse the content of a document opened in Protected View to help end-users protecting themselves by blocking the deactivation of the Protected View is the document in unsafe.
The Safe Documents feature is turned off by default, so you will need to turn it on first.
You also need to have either an Office 365 E5 or Office E5 Security licenses (same as for getting Office 365 ATP).
To turn on the Safe Documents, logging to your Office 365 Security portal (https://protection.office.com/) and access the Threat Management\Policy blade
Then edit the ATP safe attachments option
Check the box for the Safe Documents setting; optional (but not recommended, you can also let your end-users click while still in Protected View even if Safe Documents has found the document is not safe)
After you have turn on the option, your end-users will have a slight different experience when turning off the Protected View
First they will be notified an analysis is in progress (similar the ATP attachments scanning)
Then if the document is safe, they will be able to turn off the Protected View using the Enable Editing button
Otherwise they will be notified the document is unsafe and will not be able to do anything