Office 365 ATP Safe Links

Office 365 ATP Safe Links (ATP Safe Links) (along with Office 365 ATP Safe Attachments) is a set of security features offered as part of Office 365 Advanced Threat Protection for enterprise organizations. ATP Safe Links can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through ATP Safe Links policies that are set by your Office 365 security team.

Once your ATP Safe Links policies are in place, Office 365 global administrators, security administrators, and security readers can view reports for Advanced Threat Protection. The information in those reports can help your security team take further steps to protect your organization or research security incidents.

As new features are added to ATP, your Office 365 security team can add or edit your organization's ATP Safe Links policies. In addition, you might notice changes and improvements, such as our newly revised warning pages.

At a high level, here's how ATP Safe Links protection works for URLs in email (hosted in Office 365, not on-premises):

  1. People receive email messages, some of which contain URLs.

  2. All email goes through Exchange Online Protection, where internet protocol (IP) and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied.

  3. Email arrives in people's inboxes.

  4. A user signs in to Office 365, and goes to their email inbox.

  5. The user opens an email message, and clicks on a URL in the email message.

  6. The ATP Safe Links feature immediately checks the URL before opening the website. The URL is identified as blocked, malicious, or safe.

    • If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, the website opens.

    • If the URL is to a website that is included in the organization's custom blocked URLs list, a warning page opens.

    • If the URL is to a website that has been determined to be malicious, a warning page opens.

    • If the URL goes to a downloadable file and your organization's ATP Safe Links policies are configured to scan such content, the downloadable file is checked.

    • If the URL is determined to be safe, the website opens.

At a high level, here's how ATP Safe Links protection works for URLs in Office 365 ProPlus applications (current versions of Word, Excel, and PowerPoint on Windows or Mac, Office apps on iOS or Android devices, Visio on Windows, OneNote Online, and Office Online):

  1. People have installed Office 365 ProPlus on their computer, smartphone, or tablet. (Or, they are using Office Online in their browser.)

  2. A user opens a Word, Excel, PowerPoint, or Visio, and signs in to Office 365 Enterprise using their work or school account. The document contains URLs.

  3. When the user clicks on a URL in the document, the link is checked by the ATP Safe Links service.

  • If the URL is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, that user is taken to the website.

  • If the URL is to a website that is included in the organization's custom blocked URLs list, the user is taken to a warning page.

  • If the URL is to a website that has been determined to be malicious, the user is taken to a warning page.

  • If the URL goes to a downloadable file and the ATP Safe Links policies are configured to scan such downloads, the downloadable file is checked.

  • If the URL is considered safe, the user is taken to the website.

ATP Safe Links features are part of Advanced Threat Protection, which is included in Office 365 Enterprise E5, Microsoft 365 Business, and Microsoft 365 Enterprise.

The ATP Safe Links features are active when:

One good way to see how ATP Safe Links protection is working for your organization is by viewing reports for Advanced Threat Protection. Additionally, as a global administrator or security administrator, be sure to review your ATP Safe Links policies. ATP Safe Links policies determine whether protection applies to hyperlinks in email messages only, or to URLs in Office documents as well.

The following table describes some example scenarios where ATP Safe Links protection might or might not be in place. (In all of these cases, we assume the organization has Office 365 Enterprise E5.)

Example scenario Does ATP Safe Links protection apply in this case?
Jean is a member of a group that has ATP Safe Links policies covering URLs in email and Office documents. Jean opens a PowerPoint presentation that someone sent, and then clicks a URL in the presentation.
Yes. The ATP Safe Links policies that are defined apply to Jean's group, Jean's email, and Word, Excel, PowerPoint, or Visio documents that Jean opens, so long as Jean is signed in and using Office 365 ProPlus on Windows, iOS, or Android devices.
In Chris's organization, no global or security administrators have defined any ATP safe links policies yet. Chris receives an email that contains a URL to a malicious website. Chris is unaware the URL is malicious and clicks the link.
No. The default policy that covers URLs for everyone in the organization must be defined in order for protection to be in place.
In Pat's organization, no global or security administrators have defined or edited any ATP Safe Links policies yet. Pat opens a Word document and clicks a URL in the file.
No. A policy that includes Office documents must be defined in order for protection to be in place. See Set up ATP Safe Links policies in Office 365.
Lee's organization has a ATP Safe Links policy that has http://tailspintoys.com listed as a blocked website. Lee receives an email message that contains a URL to http://tailspintoys.com/aboutus/trythispage. Lee clicks the URL.
It depends on whether the entire site and all its subpages are included in the list of blocked URLs. See Set up a custom blocked URLs list using ATP Safe Links.
Jamie, Jean's colleague, sends an email to Jean, not knowing that the email contains a malicious URL.
It depends on whether ATP Safe Links policies are defined for email sent within the organization. See Set up ATP Safe Links policies in Office 365.