Best Practices for Safe Links Policies

Safe Links policies are a powerful feature in Defender for Office 365. They let you leverage a virtual sandbox for URL scanning of inbound email messages in mail flow. This includes time-of-click verification of URLs and links in email messages as well as in all of the Office apps. Safe Links is a great tool to leverage against phishing attacks. In today’s article, I am going to share some best practices to apply when you create these policies, since they are not set by default.

Licensing

The ability to create Safe Links policies comes with the Defender for Office 365 Plan 1 offering. This can be purchased standalone as an add-on, or it can be baked into certain plans. In the SMB space, Microsoft 365 Business Premium includes Defender for Office 365.

Best Practices

1. Ensure Global settings are configured to protect Office Apps

This setting isn’t turned on by default and can easily be overlooked. Go to Security.microsoft.com > Email and Collaboration > Policies and Settings > Threat Policies > Safe Links > Global Settings and toggle it on:

(Screenshot: Global settings enabled)

2. Use the following Protection Settings

A key piece to note here is that “Wait for URL scanning to complete before delivering the message” can cause some latency in mail flow that end users might start complaining about, so it’s best to monitor this over time.

(Screenshot: Protection settings)

3. Think of common, automated messages containing URLs that go to end users.

You want to eliminate as many false positives as possible, so try to think of the common URLs going to end users today from third parties. A notable example would be the URL to a voicemail message from the VoIP provider being used within the company. This is a URL you would want to add to the “do not rewrite” list shown in the previous best practice.

4. Perform a pilot with a group of users  

It’s always best practice not to roll out a policy like this globally to an organization without doing some testing. There is a possibility that some content being shared could be flagged as a false positive by Microsoft. Rather than disrupt a ton of workflows and generate many helpdesk calls, run a two-week proof of concept with some of the power users within the organization.
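As an added example (not from the original post), the same four best practices can be applied with the ExchangeOnlineManagement PowerShell module instead of the portal. The policy and rule names, the pilot group address and the VoIP voicemail hostname below are assumptions to replace with your own values.

```powershell
# Added example (not the original post's code). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Best practice 1: global setting that extends Safe Links to the Office apps.
Set-AtpPolicyForO365 -EnableSafeLinksForO365Clients $true

# Best practices 2 and 3: protection settings, with the VoIP voicemail URL on the
# "do not rewrite" list so a known-good automated message is not flagged.
$policyParams = @{
    Name                     = 'Pilot Safe Links policy'          # assumed name
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true   # real-time URL scanning of email links
    DeliverMessageAfterScan  = $true   # "Wait for URL scanning to complete"; watch mail-flow latency
    EnableForInternalSenders = $true
    TrackClicks              = $true   # keeps click data for investigations
    AllowClickThrough        = $false  # users cannot proceed to a blocked URL
    DoNotRewriteUrls         = @('voicemail.voip-provider.example/*')  # assumed hostname
}
New-SafeLinksPolicy @policyParams

# Best practice 4: scope the policy to a pilot group for the two-week proof of concept.
$ruleParams = @{
    Name            = 'Pilot Safe Links rule'                    # assumed name
    SafeLinksPolicy = 'Pilot Safe Links policy'
    SentToMemberOf  = 'SafeLinks-Pilot@contoso.example'          # assumed pilot group
    Priority        = 0
}
New-SafeLinksRule @ruleParams

# Verify the effective settings before widening the scope to the whole organization.
Get-SafeLinksPolicy -Identity 'Pilot Safe Links policy' |
    Format-List Name, ScanUrls, DeliverMessageAfterScan, AllowClickThrough, DoNotRewriteUrls
```

After the pilot, widen the rule with additional recipients or domains rather than creating a second policy, so there is a single set of settings to maintain.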

End-User Experience

The following example is a phishing attempt against a user. The user here clicks on the “Start Survey” button.

Real-time click protection triggers, the link is detonated in a sandbox environment and determined to be malicious, and the user is unable to proceed.

If a user clicks on a URL that has been blocked by the global settings, they will see the following message: 

“This website has been blocked by Office.”

Helpful Resources
