Office 365 ATP Safe Links
Overview of Office 365 ATP Safe Links
Office 365 ATP Safe Links (ATP Safe Links), together with Office 365 ATP Safe Attachments, is a set of security features offered as part of Office 365 Advanced Threat Protection for enterprise organizations. ATP Safe Links can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through ATP Safe Links policies that are set by your Office 365 security team.
Once your ATP Safe Links policies are in place, Office 365 global administrators, security administrators, and security readers can view reports for Advanced Threat Protection. The information in those reports can help your security team take further steps to protect your organization or research security incidents.
How ATP Safe Links works with URLs in email
At a high level, here's how ATP Safe Links protection works for URLs in email (hosted in Office 365, not on-premises):
1. People receive email messages, some of which contain URLs.
2. All email goes through Exchange Online Protection, where internet protocol (IP) and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied.
3. Email arrives in people's inboxes.
4. A user signs in to Office 365, and goes to their email inbox.
5. The user opens an email message, and clicks on a URL in the email message.
6. The ATP Safe Links feature immediately checks the URL before opening the website. The URL is identified as blocked, malicious, or safe.
   - If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, the website opens.
   - If the URL is to a website that has been determined to be malicious, a warning page opens.
   - If the URL goes to a downloadable file and your organization's ATP Safe Links policies are configured to scan such content, the downloadable file is checked.
   - If the URL is determined to be safe, the website opens.
How ATP Safe Links works with URLs in Office documents
At a high level, here's how ATP Safe Links protection works for URLs in Office 365 ProPlus applications (current versions of Word, Excel, and PowerPoint on Windows or Mac, Office apps on iOS or Android devices, Visio on Windows, OneNote Online, and Office Online):
1. People have installed Office 365 ProPlus on their computer, smartphone, or tablet. (Or, they are using Office Online in their browser.)
2. A user opens a Word, Excel, PowerPoint, or Visio document, and signs in to Office 365 Enterprise using their work or school account. The document contains URLs.
3. When the user clicks on a URL in the document, the link is checked by the ATP Safe Links service.
   - If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, that user is taken to the website.
   - If the URL is to a website that has been determined to be malicious, the user is taken to a warning page.
   - If the URL goes to a downloadable file and the ATP Safe Links policies are configured to scan such downloads, the downloadable file is checked.
   - If the URL is considered safe, the user is taken to the website.
How to get ATP Safe Links protection
ATP Safe Links features are part of Advanced Threat Protection, which is included in Office 365 Enterprise E5, Microsoft 365 Business, and Microsoft 365 Enterprise. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.
The ATP Safe Links features are active when:
- ATP Safe Links policies are set up for email and for Word, Excel, PowerPoint, and Visio documents. (See Set up ATP Safe Links policies in Office 365.)
- Office 365 client apps are configured to use Modern Authentication. (See Modern Authentication for Office 2016.)
- Users have signed in to Office 365 using their work or school account. (See Sign in to Office or Office 365.)
- Your organization's email is hosted in Office 365, not in an on-premises server.
How to make sure ATP Safe Links protection is in place
One good way to see how ATP Safe Links protection is working for your organization is by viewing reports for Advanced Threat Protection. Additionally, as a global administrator or security administrator, be sure to review your ATP Safe Links policies. ATP Safe Links policies determine whether protection applies to hyperlinks in email messages only, or to URLs in Office documents as well.
Example scenarios where ATP Safe Links protection might or might not be in place
The following table describes some example scenarios where ATP Safe Links protection might or might not be in place. (In all of these cases, we assume the organization has Office 365 Enterprise E5.)
|Example scenario|Does ATP Safe Links protection apply in this case?|
|---|---|
|Jean is a member of a group that has ATP Safe Links policies covering URLs in email and Office documents. Jean opens a PowerPoint presentation that someone sent, and then clicks a URL in the presentation.|Yes. The ATP Safe Links policies that are defined apply to Jean's group, Jean's email, and Word, Excel, PowerPoint, or Visio documents that Jean opens, so long as Jean is signed in and using Office 365 ProPlus on Windows, iOS, or Android devices.|
|In Chris's organization, no global or security administrators have defined any ATP Safe Links policies yet. Chris receives an email that contains a URL to a malicious website. Chris is unaware the URL is malicious and clicks the link.|No. The default policy that covers URLs for everyone in the organization must be defined in order for protection to be in place.|
|In Pat's organization, no global or security administrators have defined or edited any ATP Safe Links policies yet. Pat opens a Word document and clicks a URL in the file.|No. A policy that includes Office documents must be defined in order for protection to be in place. See Set up ATP Safe Links policies in Office 365.|
|Lee's organization has an ATP Safe Links policy that has|It depends on whether the entire site and all its subpages are included in the list of blocked URLs. See Set up a custom blocked URLs list using ATP Safe Links.|
|Jamie, Jean's colleague, sends an email to Jean, not knowing that the email contains a malicious URL.|It depends on whether ATP Safe Links policies are defined for email sent within the organization. See Set up ATP Safe Links policies in Office 365.|
New features are continually being added to ATP Safe Links
We are continuing to add new features to ATP Safe Links. Sometimes a new feature calls for ATP Safe Links policies to be reviewed and updated. Here are several examples:
- Beginning in late October 2017, ATP Safe Links protection is extended to apply to URLs in email as well as URLs in Office 365 ProPlus documents, such as Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices. (Make sure you're using Modern Authentication for Office.)
- Beginning in March 2018, ATP Safe Links protection is extended to apply to email sent between people within an organization. (Make sure to review and edit your ATP Safe Links policies.)
- Beginning in the second half of 2018, ATP Safe Links protection is extended to apply to URLs in Office Online (Word Online, Excel Online, PowerPoint Online, and OneNote Online) and Office 365 ProPlus on Mac. (Make sure to review and edit your ATP Safe Links policies.)
- Beginning in September 2018, Office 365 ATP warning pages feature a new color scheme, more details, and the ability to continue to a site despite given warnings and recommendations.
- Beginning in October 2018 and rolling out over the next several months, when people are using Outlook Web Application (OWA) or Outlook, ATP Safe Links renders original URLs, not rewritten URLs. (We call this native link visibility.)
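
Outside Outlook and OWA (for example in proxy logs, forwarded mail, or message traces), an analyst still sees the rewritten form of a link and needs the original destination for triage. The following is an added example, not Microsoft's code: it assumes rewritten links use a host ending in `.safelinks.protection.outlook.com` with the original address percent-encoded in the `url` query parameter, and the function names and sample values are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed format: host under this suffix, original address percent-encoded
# in the "url" query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # forwarded mail can be wrapped more than once

SAMPLE_TARGET = "https://www.example.com/docs?id=7&v=2"  # constructed sample


def constructed_wrapper(url, region="nam02"):
    """Build a constructed sample link in the assumed rewritten format."""
    return (f"https://{region}{SAFELINKS_SUFFIX}/?url={quote(url, safe='')}"
            "&data=constructed&sdata=constructed&reserved=0")


def is_safelinks(url):
    """True only when the host itself ends with the Safe Links suffix.

    A lookalike such as safelinks.protection.outlook.com.example.net does
    not match, so it is never unwrapped as if the service had produced it.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def original_url(url):
    """Return the destination behind a rewritten link.

    Input that is not a rewritten link is returned unchanged.
    """
    for _ in range(MAX_DEPTH):
        if not is_safelinks(url):
            return url
        values = parse_qs(urlsplit(url).query).get("url")
        if not values:
            raise ValueError("Safe Links wrapper without a 'url' parameter")
        url = values[0]  # parse_qs has already percent-decoded the value
    raise ValueError("too many nested Safe Links wrappers")


if __name__ == "__main__":
    # A link wrapped twice, as can happen when a message is forwarded.
    wrapped = constructed_wrapper(constructed_wrapper(SAMPLE_TARGET), "eur01")
    print(original_url(wrapped))
```

Decoding a link this way only recovers the address for analysis; it does not repeat the time-of-click check that the service performs.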