The types of threats we’re seeing these days have evolved. In the past, a virus outbreak around the world might cause some havoc with systems for a few hours or a day, but signature-based detection would be updated, and it would be cleaned up, and we’d move on. Attackers were motivated to cause disruption and to damage systems.

Today, the motivation of most attackers is financial, they want to make money from their attacks, not just gain notoriety or cause a big mess and the power of modern computers, along with permanent connectivity of their devices, and the adoption of cloud services make it a lot easier for criminals to launch widespread spam, phishing, ransomware, or malware attacks against our networks. They can use sophisticated attack tools that can scan wide ranges of the internet to find known vulnerabilities to exploit, and they can create new malware and ransomware varients with ease. Well, we definitely need some protection from all those advanced threats, and Microsoft came up with Advanced Threat Protection.

ATP first appeared or Microsoft made ATP available as an add-on for Exchange Online Protection and EOP is the email security layer of Exchange Online that we looked at in the last 4 posts. It’s responsible for detecting and preventing spam and malware from going in or out of our Office 365 tenants via email. Why start there with email? Well, email is the most common attack vector. We’re under constant bombardment with spam and malware in emails. It’s a huge problem, and it’s not going away.

Buying ATP doesn’t remove the need to use the features of EOP as well. If your EOP configuration is weak, ATP doesn’t pick up the slack, it’s doing a different job. You need both services configured and working together to provide you with the best possible security for your organization.

Let’s get started.

First feature that we will cover is Safe Links.


The threat that Safe Links is designed to mitigate is that of malicious URLs being clicked on by our end users. So this is cases like phishing links that are trying to steal logon credentials for Office 365, or for PayPal, or for banking websites. This is separate to the anti-phishing policies we’ll look at later in the future post. It can also be malicious links to content such as PDFs or documents containing executable code that will try to run on the computer and infect it with ransomware or malware.

The Safe Links processing occurs after spam filtering so an email that has been processed by ATP has already gone through all the other layers of protection in Exchange Online Protection. There’s every chance that malicious emails with phishing links will be blocked by one of the earlier mechanisms, but if it’s a fresh campaign that EOP hasn’t seen before, or it’s a spear-phishing campaign, that’s one that is targeted at specific users, then it may not be detected by those earlier mechanisms in the mail flow.

So, what does Safe Links do?

  1. Using Safe Links policies, we can rewrite and check the URLs in emails in Office documents for malicious links. The checking is performed at the time the user clicks on the link, not at the time the URL passes through EOP or ATP as part of an email or document. This is so that previously-unknown or harmless URLS that get through to the inbox of users, that are then turned into a malicious payload by the attacker can be blocked at the time of the click. If EOP only checked the URL as it passed through Exchange Online, they’d have no ability to block URLs that are later found to be malicious.
  2. Safe Links can also be configured to check any downloadable files that are linked to by scanning them with the Safe Attachments feature of ATP, and we’re going to talk about Safe Attachments in the next post.
  3. We can track user clicks on Safe Links, and just to point that this is turned off by default.
  4. If a link is determined to be malicious, the user is presented the option to click through anyway, that’s probably not desirable in all cases, so you can configure your policy to block that click through.
  5. If you want to bypass Safe Links for specific domains, perhaps those of your own organization or trusted partners, you can do that as well.
  6. Safe Links policies can also be applied to Office applications, so malicious links can’t be hidden inside a Word document attached to an email, for example. And you can also maintain a list of blocked URLs that you don’t want your users to ever be allowed to click on.

Now here’s something important to note. Safe Links has a bit of a reputation for creating really ugly and non-user friendly URLS when it rewrites them.

2019-06-07 - Fjärrskrivbordsanslutning.png

This is a fair criticism, and one of the problems that it causes for users is they lose the ability to easily hover over a URL in an email or a document, and see where that URL is point to. So if you have users who are trained to hover over links to look at for phishing links and so on, they lose that capability and once the URL has been rewritten to that ugly URL, if the email gets forwarded somewhere else, that rewritten URL remains in the email, so even outside organizations that aren’t using Office 365, have to detail with this ugly URL in their emails. It’s an unfortunate tradeoff, and some critics say it actually lowers the security of the organization, because users stop doing their own checking, and they just assume that Safe Links will protect them, which is not going to always be the case. Safe Link is just one layer of the overall security strategy, and like everything else, it’s not perfect.

Okay, let’s go ahead and set up a Safe Links policy. Safe Links configuration is found in the Security and Compliance center.

2019-06-07 08_14_09-Policy - Security & Compliance.png

There are two groups of settings here in the Safe Links section and the first is the organization-wide settings.

2019-06-07 08_41_25-Safe links - Security & Compliance.png

To edit this policy click on the pencil.

2019-06-07 08_43_00-Safe links - Security & Compliance

Here we can maintain the block list of URLs, so if our users were getting hit with a specific campaign, and we need to act fast to stop it, we can add the URLs here, and that will stop users from clicking through to those URLs from emails or documents, or basically from Office applications. This doesn’t protect them from visiting the URLs directly in their web browser though, you would need to control that with your web proxy or firewall if that’s a concern.

2019-06-07 08_48_15-Advanced threat protection policy.png

We can also turn on Safe Links for Office apps, and that includes the desktop and mobile apps. These are the latest Office 365 ProPlus apps and mobile apps, not older editions like Office 2013 or 2010. You need to be running up-to-date Office 365 apps to benefit from these features. We’ve also got the click tracking settings here, which are turned off by default, so do not track when users click on safe links, but also do not let users click through safe links to the original URL. That click through option is an important decision to make. For the general user base, I’d say it’s a good idea to not allow them to click through the URLs if they are found to be malicious. In other words, you don’t let your users override that Safe Links decision, but if you’re getting lots of false-positive complaints, and you feel your users are educated enough that you can trust them to make good decisions about what to click through on and what not to, then you could allow it. Once done, click Save.

2019-06-07 08_52_10-Advanced threat protection policy.png

Now let’s look at creating Safe Links policies for email recipients.

2019-06-07 09_00_17-Safe links - Security & Compliance.png

These are pretty simple policies, we just need to give the policy a name, and then turn on Safe Links protection for this policy.

2019-06-07 09_01_17-Safe links policy.png

Let’s say yes, we do want to scan downloadable content, so this will hopefully protect us if a URL links directly to a malicious PDF or executable file, and for these email recipients, we’ll say we do not want to track what those users are clicking on, and we do not want to let these email recipients click through to the original URL if Safe Links determines they are malicious. So this policy applies to email recipients only, whereas the global organization policies also apply to Office applications.

2019-06-07 09_03_02-Safe links policy.png

Scroll down to configure next section

Okay next, let’s say we’ve got some site that we don’t want to rewrite the URLs for, we can exclude that from Safe Links for these email recipients and finally, here’s where we get to choose who to apply this policy to. So I can apply it to every recipient in the organization. If you want to test a policy on a small group of users, you could scope it to just those few users, or to members of a particular group and if you’ve got multiple policies, you can have them listed in priority order, so having multiple policies allows you to say set a higher priority policy for some special users who should be able to click through on potentially malicious URLs, and then have a general policy at a lower priority that encompasses all the rest of the users who should not be allowed to click through to potentially-malicious URLs. So that’s our Safe Links policy all set up.

2019-06-07 09_06_25-Safe links - Security & Compliance.png

Click on Save. When you do that, your organization settings will be updated.

2019-06-07 09_09_26-Safe links policy.png

Now, let’s see this in action. Here we have a user, Nedim, and he received an email from an outside sender sending from an outlook address. Sender has included a link that’s been directly typed into the message. That’s been hyperlinked automatically, because this is a HTML email. Now by hovering on that link, we can see that it has been rewritten with a Safe Links URL. We can see that this site is not redirecting us to some other site.

2019-06-07 - Fjärrskrivbordsanslutning

When a user clicks on this link, this may/may not came up. Short delay is expected but the user should land on that website if there is no malicious activity.

2019-06-07 13_58_57-Window.png

Now if I go and forward that email to my hotmail account, we can see that safe links url follows

2019-06-07 13_35_10-2019_06_07_13_25_38_Microsoft_Edge.png - Paint.png

What if we receive a mail like this?

2019-06-07 - Fjärrskrivbordsanslutning.png

If we go and hover over a URL in this email, we can see that the safe links rewrite the URL but this time we can see that it is pointing to a different site which has nothing to do with our company.

2019-06-07 - Fjärrskrivbordsanslutning.png

Now, if a user click on this link, this will happen

2019-06-07 - Fjärrskrivbordsanslutning.png

That’s it.

Safe Links can protect you but as I said it is not perfect so please do not think if you have it enabled that you are 100 % safe. It is very important to test it and to see what you can expect of it. I hope this has been informative for you.

Stay Tuned!