Safe Links policies are a powerful feature in Defender for Office 365. They allow you to leverage a virtual sandbox for URL scanning of inbound email messages in mail flow. This includes time of click verification of URLs and links in email messages as well as all of the Office apps. Safe Links is a great tool to leverage to defend against phishing attacks. In today’s article, I am going to share some best practices when you create these policies as they are not set by default.
Licensing
The ability to create Safe Links comes with the Defender for Office 365 Plan 1 offering. This can be purchased standalone as an add-on or it can be baked into certain plans. In SMB, Microsoft 365 Business Premium includes Defender for Office 365.
Best Practices
1. Ensure Global settings are configured to protect Office Apps
This policy isn’t turned on by default and can easily be overlooked. Go to Security.microsoft.com>Email and Collaboration>Policies and Settings>Threat Policies>Safe Links>Global Settings>Toggle On:
2. Use the following Protection Settings
A key piece to note here is the “Wait for URL scanning to complete before delivering the message” can cause some latency in mail flow that end users might start complaining about so be aware its best to monitor this over time.
3. Think of common, automated messages that go to end users that contain URLs.
You want to eliminate as many false positives as possible so try to think of common URLs going to end-users today from 3rd parties. A notable example would be the URL to a voicemail message from a VOIP provider being used within the company. This would be a URL you would want to add to the “do not rewrite” list as seen in the previous best practice.
4. Perform a pilot with a group of users
It’s always a best practice to not roll out a policy like this globally to an organization without doing some testing. There is a possibility some content being shared could be flagged as a false positive from Microsoft. Rather than disrupt a ton of workflows and have many helpdesk calls, run a two-week proof of concept with some of the power users within the organization.
End-User Experience
The following example is a phishing attempt against a user. The user here will click on the “Start Survey” button
Real-time click protection triggers and the link is detonated in a sandbox environment and determined to be malicious. The user is unable to proceed.
If a user clicks on a URL that has been blocked by the global settings, they will see the following message:
Helpful Resources
Set up Safe Links Policies: Set up Safe Links policies in Microsoft Defender for Office 365 – Office 365 | Microsoft Docs
Configure Global Settings for Safe Links: Configure global settings for Safe Links settings in Defender for Office 365 – Office 365 | Microsoft Docs
Customize the Branding in your org: Customize the theme for your organization – Microsoft 365 admin | Microsoft Docs
