Attackers often try to obtain sensitive information through phishing attacks, which involve tricking a user into clicking on a link that leads to a malicious website or downloading malware. Phishing attacks can compromise sensitive data, lead to financial losses, and damage reputation. 


Safe Links is a setting in Microsoft Defender for Office 365 that helps protect against these types of attacks by scanning links in emails and other messages for potential threats.

When a user clicks on a link that has been scanned by Safe Links, the URL is first re-written and checked for any malicious content. If the link is deemed safe, the user is then redirected to the intended website. However, if the link is found to be malicious, the user will be blocked from accessing the site and will receive a warning message instead.


Safe Links is only available with Microsoft Defender for Office 365.
According to Microsoft licensing terms, licenses must be acquired for any user that uses Microsoft 365 Apps or Teams when Safe Links protections are enabled.


Enabling Safe Links through Office Protect will protect links shared through:

  1. Email messages, including emails sent within the organization. The message will be delivered after the URL scanning will be complete.
  2. Teams conversations, group chats, channels
  3. Microsoft Office 365 apps (desktop, mobile, web apps)



In the Set section, you can configure one of the following options when you apply the setting:

  • Disabled:
    • Removes Office Protect Safe Links policy
    • Disables all other Safe Links policies enabled on the tenant
  • Enabled
    • Creates the Office Protect Safe Links policy
    • Disables other Safe Links policies enabled on the tenant
  • Do not modify (Ignore): We will not monitor nor attempt to modify the organization’s Safe Links policies. We recommend using this if you prefer using a customized Safe Links policy in Defender, so Office Protect does not overwrite your customization.

 

Safe Links policies are available in the Microsoft 365 Defender Security portal, in Policies & rules - Threat policies - Safe Links


Operation to look for in the Unified Audit Logs: New-SafeLinksPolicy


Microsoft’s Documentation on Safe Links: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide


Microsoft Defender for Office 365 licensing terms: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms