Microsoft 365 Safe Links
A University-wide Safe Links policy is implemented to improve security of Microsoft 365 Services, in order to protect staff and students from phishing and similar attack attempts.
What is Safe Links?
Safe Links is part of Microsoft's Defender platform and helps better protect users (staff and students) from malicious links in emails. Safe Links checks links/URLs to see if they are malicious or safe before loading the web page. If the link leads to an attachment, the attachment will be scanned for malware. If the link is identified as insecure, the user is taken to a page displaying a warning message, as shown below.
Safe Links also scans any documents available on that link at the time of click to prevent malicious file downloads to user devices.
In summary, Safe Links service is part of Microsoft 365 Advanced Threat Protection (ATP) for organisations, that are designed to protect users from email phishing attempts.
What will be Different?
Nothing significant will be different in the way email service operates. Please note however, that the hyperlink in the emails that is received by users, may be rewritten (or wrapped) and appear differently than they would normally appear. This will occur in emails that are displayed in plain text and may result in some visual impact. Emails displayed in HTML format are not affected.
A link/URL rewritten (or wrapped) with Safe Links will appear to begin with Microsoft’s Standard URL format prefix: https://nam01.safelinks.protection.outlook.com. An example is shown below.
Original URL: https://www.ed.ac.uk/
Want to view Original the URL before Clicking?
You may want to view the original URL before clicking on the Safe Links URL. If you use Microsoft Outlook Desktop Client, simply hover your mouse on the wrapped URL and the original link will be displayed. Using other mail clients? There are a number of decoders that can be used to reveal the original URL, one of which is: https://www.o365atp.com/ Simply open the decoder and paste wrapped Safe Link. the original URL will be revealed.
You are advised however, not to use decoders to bypass Safe Links. Always visit URLs via Safe Links as this will help reduce the risk of falling victim of malicious attacks.
At a high level, here's how Safe Links protection works on URLs in email messages:
All email goes through EOP, (Exchange Oline Protection), where internet protocol (IP), malware protection, anti-spam as well as anti-malware filters, before the message is delivered to the recipient's mailbox.
The user opens the message in their mailbox and clicks on a URL in the message.
Safe Links immediately checks the URL before opening the website:
If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.
If the URL points to a downloadable file, and the Apply real-time URL scanning for suspicious links and links that point to files setting is turned on in the policy that applies to the user, the downloadable file is checked.
If the URL is determined to be safe, the website opens.
At a high level, here's how Safe Links protection works for URLs in Microsoft Teams:
A user starts the Teams app.
Microsoft 365 verifies that the user's organization includes Microsoft Defender for Office 365, and that the user is included in an active Safe Links policy where protection for Microsoft Teams is turned on.
URLs are validated at the time of click for the user in chats, group chats, channels, and tabs.
At a high level, here's how Safe Links protection works for links/URLs in Office apps. The supported Office apps are:
- Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web browser.
- Office apps on iOS or Android devices.
- Visio on Windows.
- OneNote in a web browser.
- Outlook for Windows when opening saved EML (email) or MSG (Message) files.
A user signs in using their University account.
The user opens and clicks on a link an Office document in a supported Office app.
Safe Links immediately checks the URL before opening the target website:
If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.
If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (Apply real-time URL scanning for suspicious links and links that point to files), the downloadable file is checked.
If the URL is considered safe, the user is taken to the website.
If Safe Links scanning is unable to complete, Safe Links protection doesn't trigger. In Office desktop clients, the user is warned before they proceed to the destination website.
This section contains examples of the various warning pages that are triggered by Safe Links protection when you click a URL.
Scan in progress notification
The clicked URL is being scanned by Safe Links. You might need to wait a few moments before trying the link again.
Suspicious message warning
The clicked URL was in an email message that's similar to other suspicious messages. We recommend that you double-check the email message before proceeding to the site.
Phishing attempt warning
The clicked URL was in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that you don't proceed to the site.
Malicious website warning
The clicked URL points to a site that has been identified as malicious. We recommend that you don't proceed to the site.
Error warning
Some kind of error has occurred, and the URL can't be opened.
Final Notes
If you cannot undertake a business critical function, process or work due to way Safe Links is implemented or functions, please provide details and the support and security teams will work with you to find a workaround or a technical resolution. Also, some ed.ac.uk URLs will be exempted from Safe Links and exemptions may be provided for specific work-related URLs that are impacted by Safe Links. Please submit such requests via: https://edin.ac/48TMFQP
You are encouraged to report all malicious URLs to IS Helpline. This will help us take further actions in preventing the rest of the University from the possibility of falling victim to cyber attacks. You can also pro-actively report URLs that should not be blocked to IS Helpline via https://edin.ac/safelinks-impact-review
If you believe Safe Links has blocked a URL unnecessarily or did not block a fraudulent site, please report this to IS Helpline using https://edin.ac/safelinks-impact-review