Create Safe Links policies using Microsoft 365 Defender
- 6 minutes
Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning of inbound email messages in mail flow. It also provides time of selection verification of URLs and links in email messages and in other locations. There's no built-in or default Safe Links policy. To get Safe Links scanning of URLs, you must create one or more Safe Links policies.
Safe Links scans incoming email for known malicious hyperlinks. It rewrites scanned URLs using the Microsoft standard URL prefix: https://nam01.safelinks.protection.outlook.com. After this prefix, Safe Links includes parameters that encode the original URL and other information necessary for Safe Links to analyze the site for potentially malicious content.
For example, after the prefix, you might see something like this: https://nam01.safelinks.protection.outlook.com/?url=<original-URL>&data=<encoded-data>
In this example:
- <original-URL> is the URL that was originally in the email.
- <encoded-data> includes information that helps Safe Links perform its analysis.
After Safe Links rewrites the link, it then analyzes the site for potentially malicious content. This rewriting process ensures the link is scanned and analyzed for any potential threats before the user accesses it.
Once Safe Links rewrites a URL, the URL remains rewritten even if the user manually forwards or replies to the message (both to internal and external recipients). Safe Links doesn't rewrite other links that users added to the forwarded or replied-to message. However, consider the situation in which an organization enables automatic forwarding by Inbox rules or SMTP forwarding. In this case, the system doesn't rewrite the URL in the message intended for the final recipient unless Safe Links protects that recipient, or the system rewrote the URL in a previous communication.
Safe Links scans URLs prior to delivery, regardless of whether Safe Links rewrites them. Safe Links still checks unwrapped URLs through a client-side API call to Safe Links at the time of selection in Outlook for Desktop version 16.0.12513 or later.
You can configure Safe Links policies in the Microsoft Defender portal or in one of the following versions of PowerShell:
- Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online
- Standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions
The basic elements of a Safe Links policy are:
The Safe Links policy. A Safe Links policy includes the following options:
- Turn on Safe Links protection.
- Turn on real-time URL scanning.
- Specify whether to wait for real-time scanning to complete before delivering the message.
- Turn on scanning for internal messages.
- Specify whether to track user selections on URLs.
- Specify whether to allow users to select trough to the original URL.
The Safe Links rule. Specifies the priority and recipient filters (who the policy applies to).
The difference between these two elements isn't obvious when you manage Safe Links policies in Microsoft Defender XDR:
- When you create a Safe Links policy, you're actually creating a Safe Links rule and the associated Safe Links policy at the same time using the same name for both.
- When you modify a Safe Links policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the Safe Links rule. All other settings modify the associated Safe Links policy.
- When you remove a Safe Links policy, the system automatically removes the Safe Links rule and the associated Safe Links policy.
Note
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. The next training unit examines this feature.
To create, modify, and delete Safe Links policies, you must be a member of:
- The Organization Management or Security Administrator role groups in the Microsoft Defender portal.
- The Organization Management role group in Exchange Online.
Creating a custom Safe Links policy in Microsoft Defender XDR
Creating a custom Safe Links policy in Microsoft Defender XDR creates the Safe Links rule and the associated Safe Links policy at the same time using the same name for both.
In the Microsoft 365 admin center, select Show All in the left-hand navigation pane, and then under Admin centers, select Security.
In the Microsoft Defender portal, select Policies and rules in the left-hand navigation pane.
On the Policies and rules page, select Threat policies.
On the Threat policies page, under the Policies section, select Safe Links.
On the Safe Links page, select Create.
The New Safe Links policy wizard opens. On the Name your policy page, configure the following settings and then select Next:
- Name. Enter a unique, descriptive name for the policy.
- Description. Enter an optional description for the policy.
On the Users and domains page, enter onmicrosoft in the Domains field. In the drop-down list that appears, select the xxxxxZZZZZZ.onmicrosoft.com domain for your organization (where xxxxxZZZZZZ is your tenant prefix), and then select Next.
On the Protection & Settings page that appears, configure the following settings and then select Next:
On: Safe Links checks a list of known, malicious links when users click links in email. Enables or disables Safe Links scanning in email messages. Microsoft recommends setting this value to On, which results in the following actions:
- The system enables Safe Links scanning in Outlook (C2R) on Windows.
- Safe Links rewrites URLs and routes users through Safe Links protection when they select URLs in messages.
- When a user selects a URL, Safe Links checks it against a list of known malicious URLs and the "Block the following URLs" list.
- Safe Links detonates a URL asynchronously in the background if the URL doesn't have a valid reputation.
The following settings are available only if Safe Links scanning is on in email messages:
Apply Safe Links to email messages sent within the organization. Enables or disables Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. Microsoft recommends turning this value On.
Apply real-time URL scanning for suspicious links and links that point to files. Enables real-time scanning of links, including links in email messages that point to downloadable content. Microsoft recommends turning this value On.
Wait for URL scanning to complete before delivering the message:
- Selected (On). Messages that contain URLs are held until scanning completes. The system delivers messages only after Safe Links confirms the URLs to be safe. This option is the recommended value.
- Not selected (Off). If URL scanning can't complete, deliver the message anyway.
Do not rewrite URLs, do checks via SafeLinks API only. If you enable this setting, no URL wrapping occurs. Outlook clients that exclusively support API calls call Safe Links at the time of URL selection. The recommended value is Disabled.
Track user clicks. Enables or disables storing Safe Links selection data for URLs that users select in email messages. The recommended value is to leave this setting selected (track user clicks). Safe Links doesn't currently support URL selection tracking for links in email messages sent between internal senders and internal recipients.
Let users click through to the original URL. Allows or blocks users from clicking through the warning page to the original URL. The recommended value is Disabled.
Display the organization branding on notification and warning pages. This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because attackers often use default Microsoft warning pages. For more information about customized branding, see Customize the Microsoft 365 theme for your organization. For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see Safe Links policy settings.
Recipient filters. You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:
- The recipient is.
- The recipient domain is.
- The recipient is a member of.
You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, [recipient1] or [recipient2]). Different conditions or exceptions use AND logic (for example, [recipient1] and [member of group1]).
Priority. If you create multiple policies, you can specify the order that you want them applied. No two policies can have the same priority, and policy processing stops after the system applies the first policy. For more information about the order of precedence and how the system evaluates and applies multiple policies, see Order and precedence of email protection.
On the Notification page, configure how you would like to notify your users by selecting from the following options, and then select Next:
- Use the default notification text.
- Use custom notification text. If you select this option, a field appears in which you can enter Custom notification text.
On the Review page that appears, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or select the specific page in the wizard. When complete, select Submit.
On the New Safe Links policy created page, select Done.
Knowledge check
Choose the best response for the following question.