Safe Links in Microsoft Defender for Office 365

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.


Important

This article is intended for business customers who have Microsoft Defender for Office 365. If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced Outlook.com security.

Safe Links is a feature in Defender for Office 365 that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.

Safe Links protection is available in the following locations:

  • Email messages: Safe Links protection for links in email messages is controlled by Safe Links policies. There is no default Safe Links policy, so to get the protection of Safe Links in email messages, you need to create one or more Safe Links policies. For instructions, see Set up Safe Links policies in Microsoft Defender for Office 365.

    For more information about Safe Links protection for email messages, see the Safe Links settings for email messages section later in this article.

  • Microsoft Teams (currently in TAP Preview): Safe Links protection for links in Teams conversations, group chats, or from channels is also controlled by Safe Links policies. There is no default Safe Links policy, so to get the protection of Safe Links in Teams, you need to create one or more Safe Links policies.

    For more information about Safe Links protection in Teams, see the Safe Links settings for Microsoft Teams section later in this article.

  • Office 365 apps: Safe Links protection for Office 365 apps is available in supported desktop, mobile, and web apps. You configure Safe Links protection for Office 365 apps in the global settings that are outside of Safe Links policies. For instructions, see Configure global settings for Safe Links settings in Microsoft Defender for Office 365.

    But, Safe Links protection for Office 365 apps is only applied to users who are included in active Safe Links policies. If a user isn't included in an active Safe Links policy, the user doesn't get Safe Links protection in supported Office 365 apps.

    For more information about Safe Links protection in Office 365 apps, see the Safe Links settings for Office 365 apps section later in this article.

This article includes detailed descriptions of the following types of Safe Links settings:

The following table describes scenarios for Safe Links in Microsoft 365 and Office 365 organizations that include Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).


| Scenario | Result |
|---|---|
| Jean is a member of the marketing department. Safe Links protection for Office 365 apps is turned on in the global settings for Safe Links, and a Safe Links policy that applies to members of the marketing department exists. Jean opens a PowerPoint presentation in an email message, and then clicks a URL in the presentation. | Jean is protected by Safe Links. Jean is included in a Safe Links policy, and Safe Links protection for Office 365 apps is turned on. For more information about the requirements for Safe Links protection in Office 365 apps, see the Safe Links settings for Office 365 apps section later in this article. |
| Chris's Microsoft 365 E5 organization has no Safe Links policies configured. Chris receives an email from an external sender that contains a URL to a malicious website that he ultimately clicks. | Chris is not protected by Safe Links. An admin must create at least one Safe Links policy for anyone to get Safe Links protection in inbound email messages. Chris must be included in the conditions of the policy to get Safe Links protection. |
| In Pat's organization, no admins have created any Safe Links policies, but Safe Links protection for Office 365 apps is turned on. Pat opens a Word document and clicks a URL in the file. | Pat is not protected by Safe Links. Although Safe Links protection for Office 365 apps is turned on globally, Pat is not included in any active Safe Links policies, so the protection can't be applied. |
| In Lee's organization, https://tailspintoys.com is configured in the Block the following URLs list in the global settings for Safe Links. A Safe Links policy that includes Lee already exists. Lee receives an email message that contains the URL https://tailspintoys.com/aboutus/trythispage. Lee clicks the URL. | The URL might be automatically blocked for Lee; it depends on the URL entry in the list and the email client Lee used. For more information, see the "Block the following URLs" list for Safe Links section later in this article. |
| Jamie and Julia both work for contoso.com. A long time ago, admins configured Safe Links policies that apply to both Jamie and Julia. Jamie sends an email to Julia, not knowing that the email contains a malicious URL. | Julia is protected by Safe Links if the Safe Links policy that applies to her is configured to apply to messages between internal recipients. For more information, see the Safe Links settings for email messages section later in this article. |

Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are rewritten using the Microsoft standard URL prefix: https://nam01.safelinks.protection.outlook.com. After the link is rewritten, it's analyzed for potentially malicious content.

After Safe Links rewrites a URL, the URL remains rewritten even if the message is manually forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message are not rewritten. However, in the case of automatic forwarding by Inbox rules or SMTP forwarding, the URL will not be rewritten in the message that's intended for the final recipient unless that recipient is also protected by Safe Links or the URL had already been rewritten in a previous communication.

The settings in Safe Links policies that apply to email messages are described in the following list:

  • Select the action for unknown potentially malicious URLs in messages: Enables or disables Safe Links scanning in email messages. The recommended value is On. Turning on this setting results in the following actions.

    • Safe Links scanning is enabled in Outlook (C2R) on Windows.
    • URLs are rewritten and users are routed through Safe Links protection when they click URLs in messages.
    • When clicked, URLs are checked against a list of known malicious URLs and the "Block the following URLs" list.
    • URLs that don't have a valid reputation are detonated asynchronously in the background.
  • Apply real-time URL scanning for suspicious links and links that point to files: Enables real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is enabled.

    • Wait for URL scanning to complete before delivering the message:

      • Enabled: Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.
      • Disabled: If URL scanning can't complete, deliver the message anyway.
  • Apply Safe Links to email messages sent within the organization: Enables or disables Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is enabled.

  • Do not track user clicks: Enables or disables storing Safe Links click data for URLs clicked in email messages. The recommended value is to leave this setting unselected (to track user clicks).

    URL click tracking for links in email messages sent between internal senders and internal recipients is currently not supported.

  • Do not allow users to click through to original URL: Allows or blocks users from clicking through the warning page to the original URL. The recommended value is enabled.

  • Display the organization branding on notification and warning pages: This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because default Microsoft warning pages are often used by attackers. For more information about customized branding, see Customize the Microsoft 365 theme for your organization.

  • Do not rewrite the following URLs: Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning. The list is unique for each Safe Links policy. For more information about the Do not rewrite the following URLs list, see the "Do not rewrite the following URLs" lists in Safe Links policies section later in this article.

    For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see Safe Links policy settings.

  • Recipient filters: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • The recipient is
    • The recipient domain is
    • The recipient is a member of

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.
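The recipient-filter and priority rules above decide which single policy (and therefore which "Do not rewrite the following URLs" list) a user gets, and whether the global Office 365 apps setting has any effect for them. The following is an added example, not Microsoft's code: a small Python model of those rules for reviewing a tenant's policy set. The class and function names, the sample policies, and the assumption that a lower priority number is applied first are all illustrative.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RecipientFilter:
    """Recipient conditions (or exceptions); values are stored lower-case."""
    recipients: frozenset = frozenset()   # "The recipient is"
    domains: frozenset = frozenset()      # "The recipient domain is"
    member_of: frozenset = frozenset()    # "The recipient is a member of"

    def matches(self, address, groups=frozenset()):
        address = address.lower()
        checks = []
        if self.recipients:               # several values of one property: OR
            checks.append(address in self.recipients)
        if self.domains:
            checks.append(address.rsplit("@", 1)[-1] in self.domains)
        if self.member_of:
            checks.append(bool(self.member_of & frozenset(groups)))
        # different properties: AND; an empty filter matches nobody
        return bool(checks) and all(checks)


@dataclass(frozen=True)
class SafeLinksPolicy:
    name: str
    priority: int                         # assumption: lower number is applied first
    conditions: RecipientFilter
    exceptions: RecipientFilter = field(default_factory=RecipientFilter)
    enabled: bool = True
    do_not_rewrite: tuple = ()


def effective_policy(policies, address, groups=frozenset()):
    """Return the one policy applied to this recipient, or None."""
    priorities = [p.priority for p in policies]
    if len(priorities) != len(set(priorities)):
        raise ValueError("no two policies can have the same priority")
    for policy in sorted(policies, key=lambda p: p.priority):
        if not policy.enabled:
            continue
        if not policy.conditions.matches(address, groups):
            continue
        if policy.exceptions.matches(address, groups):
            continue
        return policy                     # processing stops after the first match
    return None


def protected_in_office_apps(policies, global_setting_on, address, groups=frozenset()):
    """The global Office 365 apps setting only helps users inside an active policy."""
    return global_setting_on and effective_policy(policies, address, groups) is not None


# Constructed sample policies (hypothetical names, groups and URLs).
SAMPLE_POLICIES = [
    SafeLinksPolicy("All staff", 1,
                    RecipientFilter(domains=frozenset({"contoso.com"})),
                    do_not_rewrite=("https://sharepoint.contoso.com/*",)),
    SafeLinksPolicy("Marketing", 0,
                    RecipientFilter(member_of=frozenset({"marketing"})),
                    do_not_rewrite=("https://intranet.contoso.com/*",)),
]
```

Running every mailbox through `effective_policy` shows which users fall through to `None`, which is the situation of Chris and Pat in the scenario table.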

At a high level, here's how Safe Links protection works on URLs in email messages:

  1. All email goes through EOP, where internet protocol (IP) and envelope filters, signature-based malware protection, and anti-spam and anti-malware filters are applied before the message is delivered to the recipient's mailbox.

  2. The user opens the message in their mailbox and clicks on a URL in the message.

  3. Safe Links immediately checks the URL before opening the website:

    • If the URL is included in the Block the following URLs list, a blocked URL warning opens.

    • If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.

    • If the URL points to a downloadable file, and the Apply real-time URL scanning for suspicious links and links that point to files setting is enabled in the policy that applies to the user, the downloadable file is checked.

    • If the URL is determined to be safe, the website opens.

Important

As of March 2020, this feature is in Preview and is available only to members of the Microsoft Teams Technology Adoption Program (TAP). For information about the release schedule, check out the Microsoft 365 roadmap.

You enable or disable Safe Links protection for Microsoft Teams in Safe Links policies. Specifically, you use the Select the action for unknown or potentially malicious URLs within Microsoft Teams setting. The recommended value is On.

The following settings in Safe Links policies that apply to links in email messages also apply to links in Teams:

  • Apply real-time URL scanning for suspicious links and links that point to files
  • Do not track user clicks
  • Do not allow users to click through to original URL

These settings are explained previously in Safe Links settings for email messages.

After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs are not rewritten. If a link is found to be malicious, users will have the following experiences:

  • If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot below will appear in the default web browser.
  • If the link was clicked from a pinned tab, the warning page will appear in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.
  • Depending on how the Do not allow users to click through to original URL setting in the policy is configured, the user will or will not be allowed to click through to the original URL (Continue anyway (not recommended) in the screenshot). We recommend that you enable the Do not allow users to click through to original URL setting so users can't click through to the original URL.

If the user who sent the link isn't included in a Safe Links policy where Teams protection is enabled, the user is free to click through to the original URL on their computer or device.

[Screenshot: a Safe Links for Teams page reporting a malicious link]

Clicking the Go Back button on the warning page will return the user to their original context or URL location. However, clicking on the original link again will cause Safe Links to rescan the URL, so the warning page will reappear.

At a high level, here's how Safe Links protection works for URLs in Microsoft Teams:

  1. A user starts the Teams app.

  2. Microsoft 365 verifies that the user's organization includes Microsoft Defender for Office 365, and that the user is included in an active Safe Links policy where protection for Microsoft Teams is enabled.

  3. URLs are validated at the time of click for the user in chats, group chats, channels, and tabs.

Safe Links protection for Office 365 apps checks links in Office documents, not links in email messages (but it can check links in attached Office documents in email messages after the document is opened).

Safe Links protection for Office 365 apps has the following client requirements:

  • Microsoft 365 Apps or Microsoft 365 Business Premium.

    • Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web browser.
    • Office apps on iOS or Android devices.
    • Visio on Windows.
    • OneNote in a web browser.
  • Office 365 apps are configured to use modern authentication. For more information, see How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps.

  • Users are signed in using their work or school accounts. For more information, see Sign in to Office.

You configure Safe Links protection for Office 365 apps in the global settings for Safe Links, not in Safe Links policies. But, in order for Safe Links protection for Office 365 apps to be applied, the user who opens the Office document and clicks the link must be included in an active Safe Links policy.

The following Safe Links settings are available for Office 365 apps:

  • Office 365 applications: Enables or disables Safe Links scanning in supported Office 365 apps. The default and recommended value is On.

  • Do not track when users click Safe Links: Enables or disables storing Safe Links click data for URLs clicked in the desktop versions of Word, Excel, PowerPoint, and Visio. The recommended value is Off, which means user clicks are tracked.

  • Do not let users click through safe links to original URL: Allows or blocks users from clicking through the warning page to the original URL in the desktop versions of Word, Excel, PowerPoint, and Visio. The default and recommended value is On.

To configure the Safe Links settings for Office 365 apps, see Configure Safe Links protection for Office 365 apps.

For more information about the recommended values for Standard and Strict policy settings, see Global settings for Safe Links.

At a high level, here's how Safe Links protection works for URLs in Office 365 apps. The supported Office 365 apps are described in the previous section.

  1. A user signs in using their work or school account in an organization that includes Microsoft 365 Apps or Microsoft 365 Business Premium.

  2. The user opens and clicks on a link in an Office document in a supported Office app.

  3. Safe Links immediately checks the URL before opening the target website:

    • If the URL is included in the list that skips Safe Links scanning (the Block the following URLs list), a blocked URL warning page opens.

    • If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.

    • If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (Apply real-time URL scanning for suspicious links and links that point to files), the downloadable file is checked.

    • If the URL is considered safe, the user is taken to the website.

    • If Safe Links scanning is unable to complete, Safe Links protection does not trigger. In Office desktop clients, the user will be warned before they proceed to the destination website.

Note

It may take several seconds at the beginning of each session to verify that the user has Safe Links for Office enabled.

The Block the following URLs list defines the links that are always blocked by Safe Links scanning in the following locations:

  • Email messages.
  • Documents in Office 365 apps in Windows and Mac.
  • Documents in Office for iOS and Android.

When a user in an active Safe Links policy clicks a blocked link in a supported app, they're taken to the Blocked URL warning page.

You configure the list of URLs in the global settings for Safe Links. For instructions, see Configure the "Block the following URLs" list.

Note

  • For a truly universal list of URLs that are blocked everywhere, see Manage the Tenant Allow/Block List.

  • Limits:

    • The maximum number of entries is 500.
    • The maximum length of an entry is 128 characters.
    • All of the entries can't exceed 10,000 characters.
  • Don't include a forward slash (/) at the end of the URL. For example, use https://www.contoso.com, not https://www.contoso.com/.

  • A domain-only URL (for example contoso.com or tailspintoys.com) will block any URL that contains the domain.

  • You can block a subdomain without blocking the full domain. For example, toys.contoso.com* blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain contoso.com.

  • You can include up to three wildcards (*) per URL entry.

Entry syntax for the "Block the following URLs" list

Examples of the values that you can enter and their results are described in the following table:


| Value | Result |
|---|---|
| `contoso.com` or `*contoso.com*` | Blocks the domain, subdomains, and paths. For example, https://www.contoso.com, https://sub.contoso.com, and https://contoso.com/abc are blocked. |
| `https://contoso.com/a` | Blocks https://contoso.com/a but not additional subpaths like https://contoso.com/a/b. |
| `https://contoso.com/a*` | Blocks https://contoso.com/a and additional subpaths like https://contoso.com/a/b. |
| `https://toys.contoso.com*` | Blocks a subdomain (toys in this example) but allows clicks to other domain URLs (like https://contoso.com or https://home.contoso.com). |
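The limits and syntax rules above are easy to break when a block list is assembled from several sources. The following is an added example, not Microsoft's code: a Python pre-flight check that applies the documented limits to a proposed list and, using the second and third table rows, points out entries that block one exact URL but not its subpaths. The function name and sample entries are constructed, and counting the 10,000-character total as the sum of entry lengths is an assumption.

```python
MAX_ENTRIES = 500          # "The maximum number of entries is 500."
MAX_ENTRY_CHARS = 128      # "The maximum length of an entry is 128 characters."
MAX_TOTAL_CHARS = 10_000   # "All of the entries can't exceed 10,000 characters."
MAX_WILDCARDS = 3          # "up to three wildcards (*) per URL entry"


def lint_block_list(entries):
    """Return (errors, notes) for a proposed "Block the following URLs" list.

    errors break a documented limit or rule; notes flag entries whose
    coverage is narrower than an admin might expect.
    """
    errors, notes = [], []

    if len(entries) > MAX_ENTRIES:
        errors.append(("<list>", f"{len(entries)} entries; the maximum is {MAX_ENTRIES}"))
    total = sum(len(e) for e in entries)   # assumption: separators are not counted
    if total > MAX_TOTAL_CHARS:
        errors.append(("<list>", f"{total} characters; the maximum is {MAX_TOTAL_CHARS}"))

    for entry in entries:
        if len(entry) > MAX_ENTRY_CHARS:
            errors.append((entry, f"longer than {MAX_ENTRY_CHARS} characters"))
        if entry.endswith("/"):
            errors.append((entry, "ends with a forward slash"))
        if entry.count("*") > MAX_WILDCARDS:
            errors.append((entry, f"{entry.count('*')} wildcards; the maximum is {MAX_WILDCARDS}"))

        # Table rows 2 and 3: a full URL with a path and no wildcard blocks
        # only that exact URL, e.g. https://contoso.com/a but not /a/b.
        _scheme, sep, rest = entry.partition("://")
        if sep and "/" in rest.rstrip("/") and "*" not in entry:
            notes.append((entry, "blocks this exact URL only; append * to include subpaths"))

    return errors, notes


# Constructed sample list.
SAMPLE_ENTRIES = [
    "tailspintoys.com",
    "https://www.contoso.com/",      # trailing slash
    "https://contoso.com/a",         # exact URL only
    "https://contoso.com/a*",
    "https://toys.contoso.com*",
    "*a*.*b*.example.com*",          # five wildcards
]
```

The note about exact-URL entries is the case in the Lee scenario earlier in the article, where whether a click is blocked depends on how the entry was written.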

Note

If your organization uses Safe Links policies, the Do not rewrite the following URLs lists are the only supported method for third-party phishing tests.

Each Safe Links policy contains a Do not rewrite the following URLs list that you can use to specify URLs that are not rewritten by Safe Links scanning. In other words, the list allows users who are included in the policy to access the specified URLs that would otherwise be blocked by Safe Links. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one Do not rewrite the following URLs list is applied to a user who is included in multiple active Safe Links policies.

To add entries to the list in new or existing Safe Links policies, see Create Safe Links policies or Modify Safe Links policies.

Note

  • The following clients don't recognize the Do not rewrite the following URLs lists in Safe Links policies. Users included in the policies can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:

    • Microsoft Teams
    • Office web apps

    For a truly universal list of URLs that are allowed everywhere, see Manage the Tenant Allow/Block List.

  • Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning.

  • If you already have Do not rewrite the following URLs entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like https://contoso.com/a and you later decide to include subpaths like https://contoso.com/a/b. Instead of adding a new entry, add a wildcard to the existing entry so it becomes https://contoso.com/a/*.

  • You can include up to three wildcards (*) per URL entry. Wildcards explicitly include prefixes or subdomains. For example, the entry contoso.com is not the same as *.contoso.com/*, because *.contoso.com/* allows people to visit subdomains and paths in the specified domain.

Entry syntax for the "Do not rewrite the following URLs" list

Examples of the values that you can enter and their results are described in the following table:


| Value | Result |
|---|---|
| `contoso.com` | Allows access to https://contoso.com but not subdomains or paths. |
| `*.contoso.com/*` | Allows access to a domain, subdomains, and paths (for example, https://www.contoso.com, https://maps.contoso.com, or https://www.contoso.com/a). This entry is inherently better than `*contoso.com*`, because it doesn't allow potentially fraudulent sites, like https://www.falsecontoso.com or https://www.false.contoso.completelyfalse.com. |
| `https://contoso.com/a` | Allows access to https://contoso.com/a, but not subpaths like https://contoso.com/a/b. |
| `https://contoso.com/a/*` | Allows access to https://contoso.com/a and subpaths like https://contoso.com/a/b. |
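The table's warning about `*contoso.com*` can be checked mechanically before an entry goes into a policy. The following is an added example, not Microsoft's code: it reads each entry as a plain glob and reports which lookalike URLs the entry would exempt from rewriting. The page does not describe the matcher Safe Links uses, so treating `*` as "any run of characters", comparing scheme-less entries against the URL without its scheme, and the function names are all assumptions; the two lookalike URLs are the ones quoted in the table.

```python
import re


def _glob_to_regex(entry):
    # Assumption: "*" stands for any run of characters; everything else is literal.
    parts = (re.escape(part) for part in entry.lower().split("*"))
    return re.compile(".*".join(parts))


def exempts(entry, url):
    """True if `entry`, read as a plain glob, would cover `url`."""
    url = url.lower()
    if "://" not in entry:
        # Scheme-less entries such as contoso.com are compared without the scheme.
        url = url.split("://", 1)[-1]
    bare = url.rstrip("/")
    pattern = _glob_to_regex(entry)
    # Try the URL with and without a trailing slash, so that
    # https://contoso.com/a/* also covers https://contoso.com/a (table row 4).
    return any(pattern.fullmatch(candidate) for candidate in (bare, bare + "/"))


def overbroad(entry, lookalikes):
    """Return the lookalike URLs that `entry` would leave unrewritten."""
    return [url for url in lookalikes if exempts(entry, url)]


# The two fraudulent-looking URLs quoted in the table above.
LOOKALIKES = [
    "https://www.falsecontoso.com",
    "https://www.false.contoso.completelyfalse.com",
]

if __name__ == "__main__":
    for candidate in ("*contoso.com*", "*.contoso.com/*", "contoso.com"):
        hits = overbroad(candidate, LOOKALIKES)
        print(f"{candidate:20} exempts {len(hits)} lookalike URL(s): {hits}")
```

An entry for which `overbroad` returns anything is a candidate for tightening to the `*.contoso.com/*` form the table recommends.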

This section contains examples of the various warning pages that are triggered by Safe Links protection when you click a URL.

Note that several warning pages have been updated. If you're not already seeing the updated pages, you will soon. The updated pages include a new color scheme, more detail, and the ability to proceed to a site despite the given warning and recommendations.

Scan in progress notification

The clicked URL is being scanned by Safe Links. You might need to wait a few moments before trying the link again.

[Screenshot: the "link is being scanned" notification]

The original notification page looked like this:

[Screenshot: the original "link is being scanned" notification]

Suspicious message warning

The clicked URL was in an email message that's similar to other suspicious messages. We recommend that you double-check the email message before proceeding to the site.

[Screenshot: the "link was clicked from a suspicious message" warning]

Phishing attempt warning

The clicked URL was in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that you do not proceed to the site.

[Screenshot: the "link was clicked from a phishing message" warning]

Malicious website warning

The clicked URL points to a site that has been identified as malicious. We recommend that you do not proceed to the site.

[Screenshot: the "this website is classified as malicious" warning]

The original warning page looked like this:

[Screenshot: the original "this website has been classified as malicious" warning]

Blocked URL warning

The clicked URL has been manually blocked by an admin in your organization (the Block the following URLs list in the global settings for Safe Links). The link was not scanned by Safe Links because it was manually blocked.

There are several reasons why an admin would manually block specific URLs. If you think the site should not be blocked, contact your admin.

[Screenshot: the "this website was blocked by your admin" warning]

The original warning page looked like this:

[Screenshot: the original "this website is blocked per your organization's URL policy" warning]

Error warning

Some kind of error has occurred, and the URL can't be opened.

[Screenshot: the "the page you are trying to access cannot be loaded" warning]

The original warning page looked like this:

[Screenshot: the original "this web page could not be loaded" warning]