Set up Office 365 ATP Safe Links policies

ATP Safe Links, a feature of Office 365 Advanced Threat Protection (ATP), can help protect your organization from malicious links used in phishing and other attacks. If you have the necessary permissions for the Office 365 Security & Compliance Center, you can set up ATP Safe Links policies to help ensure that when people click web addresses (URLs), your organization is protected. Your ATP Safe Links policies can be configured to scan URLs in email and URLs in Office documents.

New features are continually being added to ATP. As new features are added, you may need to make adjustments to your existing ATP Safe Links policies.

What to do

  1. Review the prerequisites.

  2. Review and edit the default ATP Safe Links policy that applies to everyone. For example, you can set up your custom blocked URLs list for ATP Safe Links.

  3. Add or edit policies for specific email recipients, including setting up your custom "Do not rewrite" URLs list for ATP Safe Links.

  4. Learn about ATP Safe Links policy options (in this article), including settings for recent changes.

Step 1: Review the prerequisites

When you have Office 365 Advanced Threat Protection, you will have a default ATP Safe Links policy that applies to everyone in your organization. Make sure to review, and if needed, edit your default policy.

  1. Go to https://security.microsoft.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy > Safe Links.

  3. In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).

  4. In the Block the following URLs section, specify one or more URLs that you want to prevent people in your organization from visiting. (See Set up a custom blocked URLs list using ATP Safe Links.)

  5. In the Settings that apply to content except email section, select (or clear) the options you want to use. (We recommend that you select all the options.)

  6. Choose Save.

After you have reviewed (or edited) the default ATP Safe Links policy that applies to everyone, your next step is to define additional policies that would apply to specific recipients. For example, you can specify exceptions to your default policy by defining an additional policy.

  1. Go to https://security.microsoft.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy.

  3. Choose Safe Links.

  4. In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign (+)).

  5. Specify the name, description, and settings for your policy.
    Example: To set up a policy called "no direct click through" that does not allow people in a certain group in your organization to click through to a specific website without ATP Safe Links protection, you might specify the following recommended settings:

  • In the Name box, type no direct click through.

  • In the Description box, type a description like, Prevents people in certain groups from clicking through to a website without ATP Safe Links verification.

  • In the Select the action section, choose On.

  • Select Use Safe Attachments to scan downloadable content.

  • If this option is available, select Apply Safe Links to messages sent within the organization.

  • Select Do not allow user to click through to original URL.

  • (This is optional) In the Do not rewrite the following URLs section, specify one or more URLs that are considered to be safe for your organization. (See Set up a custom "Do not rewrite" URLs list using ATP Safe Links.)

  • In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK.

  6. Choose Save.

As you set up or edit your ATP Safe Links policies, you will see several options available. In case you are wondering what these options are, the following tables describe each one and its effect. Remember that there are two main kinds of ATP Safe Links policies to define or edit:

Default policy options

Default policy options apply to everyone in your organization.

| This option | Does this |
|---|---|
| Block the following URLs | Enables your organization to have a custom list of URLs that are automatically blocked. When users click a URL in this list, they'll be taken to a warning page that explains why the URL is blocked. To learn more, see Set up a custom blocked URLs list using ATP Safe Links. |
| Office 365 ProPlus, Office for iOS and Android | When this option is selected, ATP Safe Links protection is applied to URLs in documents that are open in Office 365 ProPlus (Word, Excel, and PowerPoint on Windows or Mac OS), Office documents on iOS or Android devices, Visio 2016 on Windows, and Office Online (Word Online, PowerPoint Online, Excel Online, and OneNote Online), provided the user has signed into Office 365. If you see only Office 2016 on Windows, then the feature updates have not reached your Office 365 environment yet (and they are coming soon). Until then, ATP Safe Links protection applies to Word 2016, Excel 2016, PowerPoint 2016 or Visio 2016 running on Windows. |
| Don't track when users click ATP Safe Links | When this option is selected, click data for URLs in Word, Excel, PowerPoint, and Visio documents is not stored. |
| Don't let users click through ATP Safe Links to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |

Policies that apply to specific email recipients

| This option | Does this |
|---|---|
| Off | Does not scan URLs in email messages. Enables you to define an exception rule, such as a rule that does not scan URLs in email messages for a specific group of recipients. |
| On | Rewrites URLs to route users through ATP Safe Links protection when the users click URLs in email messages. Checks a URL when clicked against a list of blocked or malicious URLs. |
| Use Safe Attachments to scan downloadable content | When this option is selected, URLs that point to downloadable content are scanned. |
| Apply Safe Links to messages sent within the organization | When this option is available and selected, ATP Safe Links protection is applied to email messages sent between people in your organization, provided the email accounts are hosted in Office 365. |
| Do not track user clicks | When this option is selected, click data for URLs in email from external senders is not stored. URL click tracking for links within email messages sent within the organization is currently not supported. |
| Do not allow users to click through to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
| Do not rewrite the following URLs | Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization. See Set up a custom "Do not rewrite" URLs list using ATP Safe Links for more details, including recent changes to support for wildcard asterisks (*). |

Next steps

Once your ATP Safe Links policies are in place, you can see how ATP is working for your organization by viewing reports. See the following resources to learn more: