Office 365 ATP Safe Links
Overview of Office 365 ATP Safe Links
This article is intended for Office 365 Enterprise customers. If you are using Outlook.com, Office 365 Home, or Office 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced Outlook.com security.
Office 365 ATP Safe Links (part of Advanced Threat Protection) can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through ATP Safe Links policies that are set by your Office 365 security team.
Once your ATP Safe Links policies are in place, Office 365 global administrators, security administrators, and security readers can view reports for Advanced Threat Protection. The information in those reports can help your security team take further steps to protect your organization or research security incidents.
As new features are added to ATP, your Office 365 security team can add or edit your organization's ATP Safe Links policies. In addition, you might notice changes and improvements, such as our newly revised warning pages and native link rendering in Outlook.
How ATP Safe Links works with URLs in email
At a high level, here's how ATP Safe Links protection works for URLs in email (hosted in Office 365, not on-premises):
People receive email messages, some of which contain URLs.
All email goes through Exchange Online Protection, where internet protocol (IP) and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied.
Email arrives in people's inboxes.
A user signs in to Office 365, and goes to their email inbox.
The user opens an email message, and clicks on a URL in the email message.
The ATP Safe Links feature immediately checks the URL before opening the website. The URL is identified as blocked, malicious, or safe.
If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, the website opens.
If the URL is to a website that has been determined to be malicious, a warning page opens.
If the URL goes to a downloadable file and your organization's ATP Safe Links policies are configured to scan such content, the downloadable file is checked.
If the URL is determined to be safe, the website opens.
How ATP Safe Links works with URLs in Office documents
At a high level, here's how ATP Safe Links protection works for URLs in Office 365 ProPlus applications (current versions of Word, Excel, and PowerPoint on Windows or Mac, Office apps on iOS or Android devices, Visio on Windows, OneNote Online, and Office Online):
People have installed Office 365 ProPlus on their computer, smartphone, or tablet. (Or, they are using Office Online in their browser.)
A user opens a Word, Excel, PowerPoint, or Visio, and signs in to Office 365 Enterprise using their work or school account. The document contains URLs.
When the user clicks on a URL in the document, the link is checked by the ATP Safe Links service.
If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, that user is taken to the website.
If the URL is to a website that has been determined to be malicious, the user is taken to a warning page.
If the URL goes to a downloadable file and the ATP Safe Links policies are configured to scan such downloads, the downloadable file is checked.
If the URL is considered safe, the user is taken to the website.
How to get ATP Safe Links protection
First, make sure your subscription includes Advanced Threat Protection. ATP is included in in subscriptions, such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, Office 365 Education A5, etc. If your organization has an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see the following resources:
Next, make sure your ATP Safe Links policies are defined. (See Set up Office 365 ATP Safe Links policies.) ATP Safe Links features are active when:
ATP Safe Links policies are set up for email and for Office documents. (See Set up ATP safe links policies in Office 365.)
Office 365 client apps are configured to use Modern Authentication (this is for ATP Safe Links protection in Office documents). (See Modern Authentication for Office 2016.)
Users have signed into Office 365 using their work or school account. (See Sign in to Office or Office 365.)
Your organization's email passes through Exchange Online Protection.
Also make sure you have the necessary permissions. To define (or edit) ATP policies, you must be assigned an appropriate role. Some examples are described in the following table:
|Office 365 Global Administrator||The person who signs up to buy Office 365 is a global admin by default. (See About Office 365 admin roles to learn more.)|
|Security Administrator||Azure Active Directory admin center (https://aad.portal.azure.com)|
|Exchange Online Organization Management||Exchange admin center (https://outlook.office365.com/ecp)
PowerShell cmdlets (See Exchange Online PowerShell)
How to make sure ATP Safe Links protection is in place
As a global administrator or security administrator, be sure to review your ATP Safe Links policies regularly. ATP Safe Links policies determine whether protection applies to hyperlinks in email messages only, or to URLs in Office documents as well.
After ATP Safe Links policies are in place, your organization's security team can see see how ATP Safe Links protection is working for your organization is by viewing reports for Advanced Threat Protection.
The following table describes some example scenarios where ATP Safe Links protection might or might not be in place. (In all of these cases, we assume the organization has Office 365 Enterprise E5.)
|Example scenario||Does ATP Safe Links protection apply in this case?|
|Jean is a member of a group that has ATP Safe Links policies covering URLs in email and Office documents. Jean opens a PowerPoint presentation that someone sent, and then clicks a URL in the presentation.
||Yes. The ATP Safe Links policies that are defined apply to Jean's group, Jean's email, and Word, Excel, PowerPoint, or Visio documents that Jean opens, so long as Jean is signed in and using Office 365 ProPlus on Windows, iOS, or Android devices.
|In Chris's organization, no global or security administrators have defined any ATP safe links policies yet. Chris receives an email that contains a URL to a malicious website. Chris is unaware the URL is malicious and clicks the link.
||No. The default policy that covers URLs for everyone in the organization must be defined in order for protection to be in place.
|In Pat's organization, no global or security administrators have defined or edited any ATP Safe Links policies yet. Pat opens a Word document and clicks a URL in the file.
||No. A policy that includes Office documents must be defined in order for protection to be in place. See Set up ATP Safe Links policies in Office 365.
|Lee's organization has a ATP Safe Links policy that has
||It depends on whether the entire site and all its subpages are included in the list of blocked URLs. See Set up a custom blocked URLs list using ATP Safe Links.
|Jamie, Jean's colleague, sends an email to Jean, not knowing that the email contains a malicious URL.
||It depends on whether ATP Safe Links policies are defined for email sent within the organization. See Set up ATP Safe Links policies in Office 365.
Send feedback about: