Examine how Safe Links protects against malicious URLs


Safe Links is a feature in Microsoft Defender for Office 365 that protects users from malicious URLs that are commonly used in phishing attacks. Phishing attacks are typically designed to:

  • Extract sensitive information from a user.
  • Deliver malicious code to end-user machines.
  • Trick users into actions that cause financial damages.

At a high level, here's how Safe Links protection works on URLs in email messages:

  1. All email goes through EOP, where internet protocol (IP) and envelope filters, signature-based malware protection, and anti-spam and anti-malware filters are applied before the message is delivered to the recipient's mailbox.

  2. The user opens the message in their mailbox and clicks on a URL in the message.

  3. Safe Links immediately checks the URL before opening the website:

    • If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.

      For example:

      [Screenshot: Safe Links warning stating that the website is classified as malicious]

    • If the URL points to a downloadable file, and the Apply real-time URL scanning for suspicious links and links that point to files setting is turned on in the policy that applies to the user, the downloadable file is checked.

    • If the URL is determined to be safe, the website opens.

It’s important that you complete the following prerequisite tasks before deploying Safe Links in your environment:

  • Verify that your organization has Microsoft Defender for Office 365 licensed.
  • Verify that you have the necessary permissions to define or edit Microsoft Defender's advanced threat protection policies. This action requires you to be a member of the Company administrators or Security admins role group.
  • Review your policies to ensure they’re defined in the proper sequence. Policies are enforced in the order they're listed in the Microsoft Defender portal.
  • Verify that Office clients are configured to use Modern Authentication (this consideration is for Safe Links protection in Office documents).
  • Allow up to 6 hours for your new or updated policies to be applied.

The following list identifies the policy options that apply to specific email recipients.

  • "On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default." Turn on or turn off Safe Links scanning in email messages. The recommended value is selected (on), and results in the following actions:

    • Safe Links scanning is turned on in Outlook (C2R) on Windows.
    • URLs are rewritten and users are routed through Safe Links protection when they click URLs in messages.
    • When clicked, URLs are checked against a list of known malicious URLs and the "Block the following URLs" list.
    • URLs that don't have a valid reputation are detonated asynchronously in the background.

    The following settings are available only if Safe Links scanning in email messages is turned on:

    • Apply Safe Links to email messages sent within the organization: Turn on or turn off Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is selected (on).

    • Apply real-time URL scanning for suspicious links and links that point to files: Turns on real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is selected (on).

      • Wait for URL scanning to complete before delivering the message:
        • Selected (on): Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.
        • Not selected (off): If URL scanning can't complete, deliver the message anyway.
    • Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected (on), no URL wrapping takes place. In supported versions of Outlook (Outlook for Desktop version 16.0.12513 or later), Safe Links is called exclusively via APIs at the time of URL click.
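
The recommended values above can be checked against existing policies. The following PowerShell is an added example, not code from Microsoft or from this module: `Test-SafeLinksPolicy` and `New-Finding` are hypothetical helper names, the property names are assumed to match the objects returned by the `Get-SafeLinksPolicy` cmdlet in Exchange Online PowerShell, and the two sample policies are constructed.

```powershell
# Added example. Recommended values are the ones stated in the settings list above.
$Recommended = [ordered]@{
    EnableForInternalSenders = $true  # Apply Safe Links to email messages sent within the organization
    ScanUrls                 = $true  # Apply real-time URL scanning for suspicious links and links that point to files
    DeliverMessageAfterScan  = $true  # Wait for URL scanning to complete before delivering the message
}

function New-Finding($Policy, $Setting, $Actual, $Expected, $Note) {
    [pscustomobject]@{ Policy = $Policy.Name; Setting = $Setting; Actual = $Actual
                       Recommended = $Expected; Note = $Note }
}

function Test-SafeLinksPolicy {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        if (-not $Policy.EnableSafeLinksForEmail) {
            # The dependent settings are available only when email scanning is on, so stop here.
            New-Finding $Policy 'EnableSafeLinksForEmail' $false $true 'Safe Links scanning in email is off'
            return
        }
        foreach ($name in $Recommended.Keys) {
            $actual   = $Policy.$name
            $expected = $Recommended[$name]
            if ($actual -ne $expected) {
                New-Finding $Policy $name $actual $expected 'differs from recommended value'
            }
        }
        if ($Policy.DisableUrlRewrite) {
            # No recommended value is stated above for this switch; reported for information only.
            New-Finding $Policy 'DisableUrlRewrite' $true $null 'no URL wrapping; checked via API at click time'
        }
    }
}

# Constructed sample objects standing in for Get-SafeLinksPolicy output.
$sample = @(
    [pscustomobject]@{ Name = 'Sample-Recommended'; EnableSafeLinksForEmail = $true
                       EnableForInternalSenders = $true; ScanUrls = $true
                       DeliverMessageAfterScan = $true; DisableUrlRewrite = $false }
    [pscustomobject]@{ Name = 'Sample-Drifted'; EnableSafeLinksForEmail = $true
                       EnableForInternalSenders = $false; ScanUrls = $true
                       DeliverMessageAfterScan = $false; DisableUrlRewrite = $true }
)
$sample | Test-SafeLinksPolicy | Format-Table -AutoSize
```

In a connected Exchange Online PowerShell session, the same function accepts live policies: `Get-SafeLinksPolicy | Test-SafeLinksPolicy`.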