Advice through experience in Office 365, Security, and Azure
Email Phishing Protection Guide – Part 8: Deploy ATP Safe Links Policies

Email Phishing Protection Guide – Part 8: Deploy ATP Safe Links Policies

The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.

Email Phishing Protection Guide Index:

Introduction: Email Phishing Protection Guide – Enhancing Your Organization’s Security Posture

Part 1: Customize the Office 365 Logon Portal

Part 2: Training Users with the Office 365 Attack Simulator

Part 3: Deploy Multi Factor Authentication (MFA)

Part 4: Deploy Windows Hello

Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services

Part 6: Deploy Outlook Plug-in to Report Suspicious Emails

Part 7: Deploy ATP Anti-Phishing Policies

Part 8: Deploy ATP Safe Link Policies

Part 9: Deploy ATP Safe Attachment Policies

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Part 11: Monitor Phishing and SPAM Attacks in Office 365

Part 12: Discover Who is Attacking Your Office 365 User Identities

Part 13: Update Your User Identity Password Strategy

Part 14: Prevent Brute Force and Spray Attacks in Office 365

Part 15: Implement the Microsoft Azure AD Password Protection Service (for On-Premises too!)

Part 16: Disable Office 365 Legacy Email Authentication Protocols

Part 17: Control Application Consent Registrations in Microsoft Office 365 and Microsoft Azure

Part 18: Increase Security with Microsoft Secure Score

Part 19: Email Phishing Protection Security Checklist

Part 20: Recommended Security and Anti-Phishing Training from Microsoft Ignite 2018


Part 8: Deploy ATP Safe Link Policies

We are on a journey in this series of blogs to increase the security posture of your organization against phishing emails. We are setting up a variety of locks that an attacker will need to pick for a successful email phishing attack. Organizations need to make it as difficult as possible for an attacker to be successful. So let’s consider that a well-crafted phishing email has managed to pick through a few locks and made it to a user’s email Inbox. Given the potential that the user may now click on the phishing link (or an attachment), we want to setup another lock to help prevent any type of malicious activity as a result. ATP Anti-Phishing Policies, ATP Safe Links and ATP Safe Attachments (security features within Office 365 ATP) can help protect environments from when a user may unknowingly click on a malicious link.

Hyper-links included in any inbound message to Office 365 email users are rewritten when Safe Links is enabled and policies are defined. This feature also extends to email sent from one Office 365 user to another either within the same tenant or to another tenant. In early 2018, the URL protection was also extended to Office 365 documents that are stored in Word Online, Excel Online, PowerPoint Online, and OneNote Online (as well as Office 365 ProPlus on Mac) – providing a much greater layer of protection across an organization. As explained in this link, “ATP Safe Links can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents.” If a link is scanned and found to contain malicious content, instead of opening, the user will presented with a warning page instead (examples of warning page). Office 365 ATP Safe Links provides another layer of locks in the email and Office Online environment that every organization should consider implementing. See the section in this link called How do we get ATP Safe Links protection if not already included in your Office 365 subscription.

Office 365 ATP Safe Links Policies

Organizations that have ATP capabilities in their Office 365 subscriptions must define policies for ATP Safe Links. Also explained in the aforementioned link(see the table on example scenarios), this policy is not defined or active by default. It is up to the organization to define policies based on their internal design.

Instructions to Setup Office 365 ATP Safe Links Policies

Note: Only user accounts in your organization with the ATP license will be protected by this policy. Please see the section how to How to Get ATP Safe Links in this link for licensing information.

  1. Logon to as a global administrator in your Office 365 tenant. This opens the Security & Compliance area of the tenant.
  2. Within the Security & Compliance area, expand Threat Management and then click on Policy.

  3. Click on the ATP Safe Links tile.
  4. In the Safe Links area is a policy called Default. Let’s edit it to include several monitoring features. With Default highlighted, click on the pencil icon to edit it.

  5. Within the Default policy, I recommend the following options be set to increase the security of these areas.

    Use Safe Links in:

    Office 365 ProPlus, Office for iOS and Android: Enabled

    Office Online of above applications: Enabled

    For the locations selected above:

    Do not track when users click on safe links: Disabled (Note: If it were my organization to administer, I would want to see if I have a problem with users clicking on links. This could indicate a need for additional training to recognize phishing emails.)

    Do not let users click through safe links to original URL: Enabled (Note: The goal is to prevent the unsuspecting user from clicking on a malicious link. This is where they should be blocked.)

  6. Click Save when done with the settings. With these settings in place, you now want to monitor the quarantine area of your environment.
  7. Back in the Security & Compliance area, expand Threat Management. Then, click Threat Tracker to view items in quarantine. In addition to this blog about configuring ATP Safe Links, be sure to review the other options to further secure your environment.

Conclusion: In this blog on ATP Safe Links we reviewed how this feature helps to further secure an organization and how to define a protection policy. We also reviewed how to monitor the quarantine area in Threat Tracker.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: