
Conversation

@andoniaf
Member

Context

Adds a new security check defender_safe_attachments_policy_enabled for the m365 provider.

Description

This PR adds a new security check for m365:

  • Check: defender_safe_attachments_policy_enabled
  • Implementation: New check that detects security misconfigurations
  • Tests: Unit tests covering pass, fail, and no-resources scenarios

Steps to review

  1. Review the check implementation at prowler/providers/m365/services/defender/defender_safe_attachments_policy_enabled/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Run the check tests: poetry run pytest tests/providers/m365/services/defender/defender_safe_attachments_policy_enabled/ -v
  4. Optionally run the check against a test environment

Checklist

Community Checklist
  • This feature/issue is listed in here or on roadmap.prowler.com
  • Is it assigned to me? If not, request it via the issue/feature in here or in the Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@andoniaf andoniaf requested review from a team as code owners January 20, 2026 09:56
@github-actions github-actions bot added provider/m365 Issues/PRs related with the M365 provider metadata-review labels Jan 20, 2026
Add new security check defender_safe_attachments_policy_enabled for m365 provider.
Includes check implementation, metadata, and unit tests.
@github-actions
Contributor

github-actions bot commented Jan 20, 2026

✅ All necessary CHANGELOG.md files have been updated.

@andoniaf andoniaf force-pushed the feat/prowler-708-defender-safe-attachments-policy-enabled branch from caa4de6 to 8eb2e7c Compare January 20, 2026 09:56
@github-actions
Contributor

github-actions bot commented Jan 20, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov bot commented Jan 20, 2026

Codecov Report

❌ Patch coverage is 79.72973% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.41%. Comparing base (31b53f0) to head (d2aa0e9).
⚠️ Report is 1 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (31b53f0) and HEAD (d2aa0e9).

HEAD has 4 fewer uploads than BASE.

Flag                   BASE (31b53f0)   HEAD (d2aa0e9)
prowler-py3.12-azure   1                0
prowler-py3.9-azure    1                0
prowler-py3.10-azure   1                0
prowler-py3.11-azure   1                0
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #9833       +/-   ##
===========================================
- Coverage   86.60%   76.41%   -10.19%     
===========================================
  Files         222      177       -45     
  Lines        5645     9554     +3909     
===========================================
+ Hits         4889     7301     +2412     
- Misses        756     2253     +1497     
Flag                   Coverage   Δ
prowler-py3.10-azure   ?
prowler-py3.10-lib     76.41%     <79.72%> (?)
prowler-py3.10-m365    88.65%     <82.60%> (?)
prowler-py3.11-azure   ?
prowler-py3.11-lib     76.35%     <79.72%> (?)
prowler-py3.11-m365    88.49%     <82.60%> (?)
prowler-py3.12-azure   ?
prowler-py3.12-lib     76.35%     <79.72%> (?)
prowler-py3.12-m365    88.49%     <82.60%> (?)
prowler-py3.9-azure    ?
prowler-py3.9-lib      76.35%     <79.72%> (?)
prowler-py3.9-m365     88.49%     <82.60%> (?)

Flags with carried forward coverage won't be shown.

Components   Coverage   Δ
prowler      76.41%     <79.72%> (-10.19%) ⬇️
api          ∅          <ø> (∅)

@github-actions
Contributor

github-actions bot commented Jan 20, 2026

🔒 Container Security Scan

Image: prowler:ebad0b1
Last scan: 2026-01-23 13:48:25 UTC

📊 Vulnerability Summary

Severity      Count
🔴 Critical   3
Total         3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

When Microsoft Defender for Office 365 licensing is not available,
PowerShell cmdlets like Get-SafeAttachmentPolicy fail with "not
recognized as a name of a cmdlet" errors.

This change:
- Detects cmdlet not found errors in the PowerShell layer
- Logs a clear WARNING instead of ERROR with licensing guidance
- Allows execution to continue gracefully, skipping affected checks

Test folders should not contain __init__.py files. Only check
implementation folders require them for proper module loading.

When no Safe Attachments policies are found, the check now returns a
FAIL finding instead of no findings. This aligns with Maester/CIS
expectations that absence of required security features indicates
non-compliance.
@HugoPBrito
Member

Please also map the check in the corresponding compliances.

…iance

Map the new defender_safe_attachments_policy_enabled check to:
- CIS 4.0 M365 requirement 2.1.4
- CIS 6.0 M365 requirement 2.1.4
@github-actions github-actions bot added the compliance Issues/PRs related with the Compliance Frameworks label Jan 23, 2026
andoniaf and others added 3 commits January 23, 2026 14:39
Move defender_safe_attachments_policy_enabled entry from v5.17.0
(already released) to v5.18.0 unreleased section.
Comment on lines +78 to +94

        else:
            # For other policies, check if they have secure settings
            if policy.enable and policy.action == "Block":
                report.status = "PASS"
                report.status_extended = f"Safe Attachments policy {policy.name} is enabled with Action=Block."
            elif not policy.enable:
                report.status = "FAIL"
                report.status_extended = (
                    f"Safe Attachments policy {policy.name} is not enabled."
                )
            else:
                report.status = "FAIL"
                report.status_extended = f"Safe Attachments policy {policy.name} has Action={policy.action}, which is less secure than Block."

        findings.append(report)

    return findings

Member

Default one applies to all users and domains, but custom ones may not. We have to check the higher priority one and ensure all users and domains are selected.
Please use defender_antispam_outbound_policy_configured as reference.
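The review point above (the effective policy is the highest-priority enabled one, and a custom policy only counts if it applies to all users and domains), combined with the earlier commit's rule that no policies at all is a FAIL, as an added example that is not Prowler's own code. The SafeAttachmentsPolicy model is constructed for illustration: only name, enable and action appear in the PR snippet; is_default, priority, all_users and all_domains are assumed field names.

```python
from dataclasses import dataclass


# Hypothetical model; the real Prowler m365 defender model may use other field names.
@dataclass
class SafeAttachmentsPolicy:
    name: str
    enable: bool
    action: str  # e.g. "Block", "Replace", "Allow", "DynamicDelivery"
    is_default: bool = False
    priority: int = 0  # assumed Exchange convention: lower number is evaluated first
    all_users: bool = False  # assumed flags: custom policy targets every recipient
    all_domains: bool = False


def effective_policy(policies):
    """The default policy covers everyone; an enabled custom policy with the
    highest priority (lowest number) is the one actually applied first."""
    default = next((p for p in policies if p.is_default), None)
    customs = sorted(
        (p for p in policies if not p.is_default and p.enable),
        key=lambda p: p.priority,
    )
    return customs[0] if customs else default


def evaluate(policies):
    """Return (status, status_extended) for the tenant as a whole."""
    if not policies:
        # Absence of the feature is treated as non-compliance, not as "no findings".
        return "FAIL", "No Safe Attachments policy found."
    policy = effective_policy(policies)
    if policy is None or not policy.enable:
        return "FAIL", "No enabled Safe Attachments policy applies to the tenant."
    # A custom policy must explicitly select all users and all domains to be
    # equivalent to the default policy's tenant-wide scope.
    covers_everyone = policy.is_default or (policy.all_users and policy.all_domains)
    if not covers_everyone:
        return "FAIL", (
            f"Highest priority Safe Attachments policy {policy.name} "
            "does not apply to all users and domains."
        )
    if policy.action != "Block":
        return "FAIL", (
            f"Safe Attachments policy {policy.name} has Action={policy.action}, "
            "which is less secure than Block."
        )
    return "PASS", (
        f"Safe Attachments policy {policy.name} is enabled with Action=Block "
        "for all users and domains."
    )
```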
