Office 365 ATP Safe Links

Important

This article is intended for business customers who have Office 365 Advanced Threat Protection. If you are using Outlook.com, Office 365 Home, or Office 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced Outlook.com security.

Office 365 ATP Safe Links (part of Advanced Threat Protection) can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through ATP Safe Links policies that are set by your Office 365 security team.

Once your ATP Safe Links policies are in place, Office 365 global administrators, security administrators, and security readers can view reports for Advanced Threat Protection. The information in those reports can help your security team take further steps to protect your organization or research security incidents.

As new features are added to ATP, your Office 365 security team can add or edit your organization's ATP Safe Links policies. In addition, you might notice changes and improvements, such as our newly revised warning pages and native link rendering in Outlook (introduced in Office 365 ProPlus version 1809).

First, make sure your subscription includes Advanced Threat Protection. ATP is included in subscriptions such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, Office 365 Education A5, etc. If your organization has an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see the following resources:

Next, make sure your ATP Safe Links policies are defined. (See Set up Office 365 ATP Safe Links policies.) ATP Safe Links features are active when:

Also make sure you have the necessary permissions. To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:

| Role | Where/how assigned |
|---|---|
| Office 365 Global Administrator | The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.) |
| Security Administrator | Azure Active Directory admin center (https://aad.portal.azure.com) |
| Exchange Online Organization Management | Exchange admin center (https://outlook.office365.com/ecp) or PowerShell cmdlets (See Exchange Online PowerShell) |

As a global administrator or security administrator, be sure to review your ATP Safe Links policies regularly. ATP Safe Links policies determine whether protection applies to hyperlinks in email messages only, or to URLs in Office documents as well.

After ATP Safe Links policies are in place, your organization's security team can see how ATP Safe Links protection is working for your organization by viewing reports for Advanced Threat Protection.

Example scenarios

The following table describes some example scenarios where ATP Safe Links protection might or might not be in place. (In all of these cases, we assume the organization has Office 365 Enterprise E5.)

| Example scenario | Does ATP Safe Links protection apply in this case? |
|---|---|
| Jean is a member of a group that has ATP Safe Links policies covering URLs in email and Office documents. Jean opens a PowerPoint presentation that someone sent, and then clicks a URL in the presentation. | Yes. The ATP Safe Links policies that are defined apply to Jean's group, Jean's email, and Word, Excel, PowerPoint, or Visio documents that Jean opens, so long as Jean is signed in and using Office 365 ProPlus on Windows, iOS, or Android devices. |
| In Chris's organization, no global or security administrators have defined any ATP Safe Links policies yet. Chris receives an email that contains a URL to a malicious website. Chris is unaware the URL is malicious and clicks the link. | No. The default policy that covers URLs for everyone in the organization must be defined in order for protection to be in place. |
| In Pat's organization, no global or security administrators have defined or edited any ATP Safe Links policies yet. Pat opens a Word document and clicks a URL in the file. | No. A policy that includes Office documents must be defined in order for protection to be in place. See Set up ATP Safe Links policies in Office 365. |
| Lee's organization has an ATP Safe Links policy that has http://tailspintoys.com listed as a blocked website. Lee receives an email message that contains a URL to http://tailspintoys.com/aboutus/trythispage. Lee clicks the URL. | It depends on whether the entire site and all its subpages are included in the list of blocked URLs. See Set up a custom blocked URLs list using ATP Safe Links. |
| Jamie, Jean's colleague, sends an email to Jean, not knowing that the email contains a malicious URL. | It depends on whether ATP Safe Links policies are defined for email sent within the organization. See Set up ATP Safe Links policies in Office 365. |