Protect users from malicious URLs by using Safe Links
In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides:
- URL scanning and rewriting of inbound email messages in mail flow.
- Time-of-click verification of URLs and links in email messages, Microsoft Teams, and supported Office 365 apps.
Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that attackers use in phishing attacks and other forms of attacks.
In a perfect world, email and documents containing phishing URLs would never land in users' mailboxes. Ideally, EOP or Microsoft Defender for Office 365 would detect and quarantine them within the mail flow process. However, since malicious actors know this process, they do their best to work around URL scanning. For example, they might send an email that contains a link that redirects to a known good website, even a Microsoft site, then wait for the message to make its way into users' inboxes before weaponizing the link to redirect to their malicious phishing site.
Microsoft Defender for Office 365 can still protect the organization from these attacks, however. When users select the link, Safe Links checks the URL before opening the page. If the URL is malicious, users see the Safe Links block in their web browser, and the organization's Security Operations team sees alerts related to the event in the Microsoft 365 Defender portal. Protection also extends beyond messages in users' inboxes. For example, when users select a link inside a document or in Microsoft Teams, Safe Links can check the link before opening it.
Important
Microsoft Defender for Office 365 doesn't include a default Safe Links policy. However, the Built-in protection preset security policy in Microsoft Defender for Office 365 provides Safe Links protection to users who aren't defined in Microsoft Defender for Office 365's Standard or Strict preset security policies or in custom Safe Links policies. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. You can also create Safe Links policies that apply to specific users, groups, or domains, which is covered in the next unit in this module.
Tip
The Built-in protection preset security policy applies to organizations that have at least one Defender for Office 365 license. This application is in the spirit of securing the broadest set of users until administrators specifically configure Defender for Office 365 protections. Because the Built-in protection preset security policy is enabled by default, customers don't need to worry about violating product licensing terms. However, Microsoft recommends purchasing enough Defender for Office 365 licenses to ensure Built-in protection continues for all users. The Built-in protection preset security policy doesn't affect recipients who are defined in the Standard or Strict preset security policies, or in custom Safe Links policies. As such, Microsoft typically doesn't recommend exceptions to the Built-in protection preset security policy.
Safe Links protection by Safe Links policies is available in email messages, Microsoft Teams, and Office apps. The following sections examine each of these areas that are protected by Safe Links.
Safe Links settings for email messages
Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are rewritten or wrapped using the Microsoft standard URL prefix: https://<DataCenterLocation>.safelinks.protection.outlook.com (for example, https://nam01.safelinks.protection.outlook.com). After the link is rewritten, Safe Links analyzes it for potentially malicious content.
After Safe Links rewrites a URL, the URL is rewritten even if the message is manually forwarded or replied to. Wrapping is done per message recipient (both internal and external recipients). Other links that are added to the forwarded or replied-to message are also rewritten.
For automatic forwarding by Inbox rules or SMTP forwarding, the URL isn't rewritten in the message that's intended for the final recipient unless one of the following statements is true:
- The recipient is also protected by Safe Links.
- The URL was already rewritten in a previous communication.
As long as Safe Links protection is turned on, URLs are scanned before message delivery, regardless of whether the URLs are rewritten or not. In supported versions of Outlook (Windows, Mac, and Outlook on the web), unwrapped URLs are checked by a client-side API call to Safe Links at the time of click.
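An added example (not code from the page or from Microsoft) in PowerShell for unwrapping rewritten URLs found in message headers or logs: it accepts only hosts that match the documented <DataCenterLocation>.safelinks.protection.outlook.com form and flags look-alike hosts. That the original destination travels in a url query parameter of the wrapped link is an assumption this page does not state, and the sample URLs are constructed.

```powershell
# Added example, not from the page: unwrap Safe Links URLs and flag look-alike hosts.
# Assumption: the wrapped form carries the original destination in a "url" query parameter.
function Expand-SafeLinksUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Input = $Url; Wrapped = $false; Original = $null; Note = 'not an absolute URL' }
    }

    # Only the documented prefix counts: <DataCenterLocation>.safelinks.protection.outlook.com.
    # A host such as nam01.safelinks.protection.outlook.com.example.net is NOT Safe Links.
    $isSafeLinksHost = $uri.Host -match '^[a-z0-9-]+\.safelinks\.protection\.outlook\.com$'
    if (-not $isSafeLinksHost) {
        $note = if ($uri.Host -like '*safelinks*') { 'look-alike host, treat as suspicious' } else { 'not wrapped' }
        return [pscustomobject]@{ Input = $Url; Wrapped = $false; Original = $Url; Note = $note }
    }

    # Parse the query string by hand so this runs in Windows PowerShell and PowerShell 7 alike.
    $original = $null
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $kv = $pair -split '=', 2
        if ($kv[0] -eq 'url' -and $kv.Count -eq 2) {
            $original = [System.Uri]::UnescapeDataString($kv[1])
            break
        }
    }
    $note = if ($original) { 'unwrapped' } else { 'wrapped but no url parameter' }
    [pscustomobject]@{ Input = $Url; Wrapped = $true; Original = $original; Note = $note }
}

# Constructed sample inputs (not real indicators): a genuine wrap, a look-alike host, a plain link.
@(
    'https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.com%2Fdocs%3Fid%3D7&data=05%7C01&sdata=abc&reserved=0',
    'https://nam01.safelinks.protection.outlook.com.example.net/?url=https%3A%2F%2Fwww.example.com',
    'https://www.example.com/plain'
) | ForEach-Object { Expand-SafeLinksUrl -Url $_ } | Format-Table -AutoSize
```

The first sample unwraps to https://www.example.com/docs?id=7; the second is reported as a look-alike host rather than unwrapped, which is the case an analyst most needs to notice.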
The settings in Safe Links policies that apply to email messages are described in the following list:
On: Safe Links checks a list of known, malicious links when users select links in email. URLs are rewritten by default. This setting turns Safe Links scanning on or off in email messages. The recommended value is selected (on), and results in the following actions:
- Safe Links scanning is turned on in Outlook (C2R) on Windows.
- URLs are rewritten and users are routed through Safe Links protection when they click URLs in messages.
- When clicked, URLs are checked against a list of known malicious URLs.
- URLs that don't have a valid reputation are scanned asynchronously in the background.
The following settings are available only if Safe Links scanning in email messages is turned on:
Apply Safe Links to email messages sent within the organization. Turn on or turn off Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is selected (on).
Apply real-time URL scanning for suspicious links and links that point to files. Turns on real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is selected (on).
- Wait for URL scanning to complete before delivering the message:
- Selected (on). Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.
- Not selected (off). If URL scanning can't complete, deliver the message anyway.
Do not rewrite URLs, do checks via SafeLinks API only. If this setting is selected (on), no URL wrapping takes place, but the URLs are scanned before message delivery. In supported versions of Outlook (Windows, Mac, and Outlook on the web), Safe Links is called exclusively through APIs at the time of URL selection.
For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see Safe Links policy settings.
While Safe Links offers robust protection for links in email messages, there are specific scenarios and limitations that you should be aware of, including:
- Safe Links doesn't work on mail-enabled public folders.
- Safe Links doesn't provide protection for URLs in Rich Text Format (RTF) email messages.
- Safe Links supports only HTTP(S) and FTP formats.
- Safe Links ignores S/MIME signed messages.
- Safe Links no longer wraps URLs pointing to SharePoint or OneDrive sites. However, the Safe Links service still processes the URLs. This change doesn't degrade protection. Instead, it improves the performance of loading SharePoint or OneDrive URLs.
- Using another service to wrap links before Defender for Office 365 might prevent Safe Links from processing links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.
At a high level, here's how Safe Links protection works on URLs in email messages:
- All email goes through EOP, where internet protocol (IP) and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied before the message is delivered to the recipient's mailbox.
- The user opens the message in their mailbox and selects a URL in the message.
- Safe Links immediately checks the URL before opening the website:
  - If the URL points to a website that Safe Links determines is malicious, a malicious website warning page (or a different warning page) opens.
  - If the URL points to a downloadable file, the system checks to see if the Apply real-time URL scanning for suspicious links and links that point to files setting is turned on in the policy that applies to the user. If so, the downloadable file is checked.
  - If the URL is determined to be safe, the website opens.
Safe Links settings for Microsoft Teams
You turn on or turn off Safe Links protection for Microsoft Teams in Safe Links policies. Specifically, you use the following setting in the Teams section: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten. The recommended value is on (selected).
When you turn on or turn off Safe Links protection for Teams, it might take up to 24 hours for the change to take effect. Safe Links protection for Teams is supported in Teams desktop and web instances.
URLs in Teams are checked against a list of known malicious links when the protected user selects the link (time-of-click protection). URLs aren't rewritten. If a link is found to be malicious, users have the following experiences:
- If the link was selected in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot appears in the default web browser.
- If the link was selected from a pinned tab, the warning page appears in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.
- Depending on how the Let users click through to the original URL setting in the policy is configured, the user is or isn't allowed to select through to the original URL. Microsoft recommends that you don't select the Let users click through to the original URL setting so users can't click through to the original URL.
If the user who sent the link isn't protected by a Safe Links policy where Teams protection is turned on, the user is free to select through to the original URL on their computer or device.
At a high level, here's how Safe Links protection works for URLs in Microsoft Teams:
- A user starts the Teams app.
- Microsoft 365 verifies that the user's organization includes Microsoft Defender for Office 365, and that the user is included in an active Safe Links policy where protection for Microsoft Teams is turned on.
- URLs are validated at the time of selection for the user in chats, group chats, channels, and tabs.
Safe Links settings for Office apps
Safe Links protection for Office apps checks links in Office documents, not links in email messages. But, it can check links in attached Office documents in email messages after the document is opened.
You turn on or turn off Safe Links protection for Office apps in Safe Links policies. Specifically, you use the following setting in the Office 365 apps section: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten. The recommended value for this setting is on (selected).
Safe Links protection for Office apps has the following client requirements:
- Microsoft 365 Apps or Microsoft 365 Business Premium:
  - Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web browser.
  - Office apps on iOS or Android devices.
  - Visio on Windows.
  - OneNote in a web browser.
  - Outlook for Windows when opening saved EML or MSG files.
- Supported Office apps and Microsoft 365 services are configured to use modern authentication. For more information, see How modern authentication works for Office client apps.
- Users are signed in using their work or school accounts.
Additional reading. For more information about the recommended values for Standard and Strict policy settings, see Safe Links policy settings.
At a high level, here's how Safe Links protection works for URLs in Office apps. The supported Office apps are described in the previous section.
- A user signs in using their work or school account in an organization that includes Microsoft 365 Apps or Microsoft 365 Business Premium.
- The user opens an Office document in a supported Office app and selects a link in the document.
- Safe Links immediately checks the URL before opening the target website:
  - If the URL points to a website that Safe Links determines is malicious, a Malicious website warning page (or a different warning page) opens.
  - If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (Apply real-time URL scanning for suspicious links and links that point to files), the downloadable file is checked.
  - If the URL is considered safe, the user is taken to the website.
  - If Safe Links scanning is unable to complete, Safe Links protection doesn't trigger. In Office desktop clients, the user is warned before they proceed to the destination website.
Note
It may take several seconds at the beginning of each session to verify that Safe Links for Office apps is available to the user.
Safe Links scenarios
The following table describes common scenarios for Safe Links in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (note that lack of licensing is never an issue in the examples).
Scenario | Result |
---|---|
Jean is a member of the marketing department. Safe Links protection for Office apps is turned on in a Safe Links policy that applies to members of the marketing department. Jean opens a PowerPoint presentation in an email message, and then selects a URL in the presentation. | Jean is protected by Safe Links. Jean is included in a Safe Links policy where Safe Links protection for Office apps is turned on. |
Chris is a sales rep for Contoso. Contoso hasn't created any custom Safe Links policies, nor has it defined any users in the Standard or Strict preset security policies. Chris receives an email from an external sender that contains a URL to a malicious website. Chris ultimately selects the URL. | Chris is protected by Safe Links. The Built-in protection preset security policy provides Safe Links protection to all recipients who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365. |
In Pat's organization, administrators created a Safe Links policy that applies to Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document and selects a URL in the file. | Pat isn't protected by Safe Links. Although Pat is included in an active Safe Links policy, Safe Links protection for Office apps is turned off in that policy, so the protection can't be applied. |
Jamie and Julia both work for Contoso. A long time ago, Contoso administrators configured Safe Links policies that apply to both Jamie and Julia. Jamie sends an email to Julia, not knowing that the email contains a malicious URL. | Julia is protected by Safe Links if the Safe Links policy that applies to her is configured to apply to messages between internal recipients. |
"Do not rewrite the following URLs" lists in Safe Links policies
Each Safe Links policy contains a Do not rewrite the following URLs list that you can use to specify URLs that aren't rewritten by Safe Links scanning. You can configure different lists in different Safe Links policies. Policy processing stops after the system applies the first (likely, the highest priority) policy to the user. So, only one Do not rewrite the following URLs list is applied to a user who is included in multiple active Safe Links policies.
Entries in the Do not rewrite the following URLs list aren't scanned or wrapped by Safe Links during mail flow. However, they might still be blocked at time of click. To prevent that, report the URL as I've confirmed it's clean and then select Allow this URL to add an allow entry to the Tenant Allow/Block List; the URL is then neither scanned nor wrapped by Safe Links during mail flow or at time of click. For instructions, see Report good URLs to Microsoft.
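The email, Teams and Office app settings described earlier, together with the Do not rewrite the following URLs list in this section, map onto parameters of the Exchange Online PowerShell cmdlets New-SafeLinksPolicy and New-SafeLinksRule. The following is an added example, not code from the page or from Microsoft, that creates a custom policy with the recommended values from this module and scopes it with a rule; the policy name, the marketing group address and the intranet URL are placeholders.

```powershell
# Added example, not from the page: a custom Safe Links policy set to the recommended
# values described in this module, scoped to one group. Names and URLs are placeholders.
# Requires the ExchangeOnlineManagement module (Connect-ExchangeOnline prompts for sign-in).
Connect-ExchangeOnline

$policyName = 'Marketing Safe Links'

$policyParams = @{
    Name                     = $policyName
    # On: Safe Links checks a list of known, malicious links when users select links in email.
    EnableSafeLinksForEmail  = $true
    # Apply Safe Links to email messages sent within the organization.
    EnableForInternalSenders = $true
    # Apply real-time URL scanning for suspicious links and links that point to files.
    ScanUrls                 = $true
    # Wait for URL scanning to complete before delivering the message.
    DeliverMessageAfterScan  = $true
    # Do not rewrite URLs, do checks via SafeLinks API only: left off, so URLs are wrapped.
    DisableUrlRewrite        = $false
    # Teams and Office apps: time-of-click checks; URLs are never rewritten there.
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    # Let users click through to the original URL: left off, as recommended.
    AllowClickThrough        = $false
    # "Do not rewrite the following URLs" list for this policy (placeholder entry).
    DoNotRewriteUrls         = @('https://intranet.contoso.com/*')
}
New-SafeLinksPolicy @policyParams

# The rule decides who the policy applies to. Processing stops at the first matching
# policy, so Priority 0 makes this policy win for members of the group.
New-SafeLinksRule -Name "$policyName rule" `
    -SafeLinksPolicy $policyName `
    -SentToMemberOf 'marketing@contoso.com' `
    -Priority 0

# Read the stored settings back to confirm they match the intended values.
$props = @(
    'EnableSafeLinksForEmail', 'EnableForInternalSenders', 'ScanUrls', 'DeliverMessageAfterScan',
    'DisableUrlRewrite', 'EnableSafeLinksForTeams', 'EnableSafeLinksForOffice',
    'AllowClickThrough', 'DoNotRewriteUrls'
)
Get-SafeLinksPolicy -Identity $policyName | Format-List -Property $props
```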
Warning pages from Safe Links
This section contains examples of the various warning pages that are triggered by Safe Links protection when you select a URL.
Scan in progress notification
This notification appears while Safe Links is scanning the selected URL. You might have to wait a few moments before trying the link again.
Suspicious message warning
When a user selects a URL in an email message that's similar to other suspicious messages, Safe Links displays the following warning message. You should instruct your users to double-check the email message before proceeding to the site.
Phishing attempt warning
The selected URL is in an email message that Safe Links identified as a phishing attack. As a result, all URLs in the email message are blocked. Microsoft recommends that you don't proceed to the site.
Malicious website warning
The selected URL points to a site that Safe Links identified as malicious. Microsoft recommends that you don't proceed to the site.
If you select the Go Back button on the warning page, the system returns you to your original context or URL location. However, selecting the original link again causes Safe Links to rescan the URL, so the warning page reappears.
Error warning
Some kind of error occurred, and the URL can't be opened.