Enable and Configure Safe Links Policies
Overview
Safe Links is a feature in Microsoft Defender for Office 365 that protects users from malicious URLs in emails and Microsoft 365 collaboration tools.
Unlike traditional email filtering that scans links only at delivery time, Safe Links evaluates URLs at the moment a user clicks them (time-of-click protection). This helps defend against attacks where links become malicious after the email has already been delivered.
If you are searching for:
- Enable Safe Links Microsoft 365
- Safe Links policy configuration
This guide explains what Safe Links is, why it is important, and how to configure it correctly.
Why Safe Links Is Important
Phishing campaigns increasingly rely on:
- Delayed payload activation
- Redirect chains
- Compromised legitimate websites
- Newly registered domains
A link that appears safe during email delivery may later redirect to a malicious page. Safe Links protects users at the time of interaction.
Key benefits:
- Real-time URL scanning at click
- Protection against newly weaponized links
- Warning pages for suspicious URLs
- URL tracking and reporting
Safe Links significantly reduces phishing exposure when properly configured.
Licensing Requirements
Safe Links requires:
- Microsoft Defender for Office 365 Plan 1
- Microsoft Defender for Office 365 Plan 2
- Microsoft 365 Business Premium (includes Plan 1)
- Microsoft 365 E5 (includes Plan 2)
Exchange Online Protection (EOP) alone does not include Safe Links.
How Safe Links Works
URL Rewriting
When Safe Links is enabled:
- URLs in email messages are rewritten.
- The original link is wrapped in a Microsoft security URL.
- When a user clicks the link, it is evaluated in real time.
- If malicious, access is blocked with a warning page.
This process is known as URL rewriting.
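During triage, analysts often need the original destination back out of a rewritten link. The following is an added example, not part of the original article; it assumes the commercial-cloud wrapper form `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&...`, and the function name and sample URL are constructed for illustration.

```powershell
function Get-SafeLinksOriginalUrl {
    # Returns the original destination of a Safe Links-rewritten URL.
    # Input that is not a Safe Links wrapper, or cannot be parsed, is returned unchanged.
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Url)
    process {
        $current = $Url
        # Unwrap a wrapper nested inside another wrapper if present (bounded depth).
        for ($depth = 0; $depth -lt 5; $depth++) {
            $uri = $null
            if (-not [uri]::TryCreate($current, [UriKind]::Absolute, [ref]$uri)) { break }
            # Assumption: commercial-cloud wrapper host suffix.
            if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { break }
            $inner = $null
            foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
                $name, $value = $pair -split '=', 2
                if ($name -eq 'url' -and $value) {
                    $inner = [uri]::UnescapeDataString($value)
                    break
                }
            }
            if (-not $inner) { break }   # wrapper without a url parameter: stop
            $current = $inner
        }
        $current
    }
}

# Constructed sample link (not taken from a real message).
$wrapped = 'https://nam02.safelinks.protection.outlook.com/?url=' +
           'https%3A%2F%2Fexample.com%2Flogin%3Fid%3D42' +
           '&data=05%7C01%7Cuser%40contoso.example&sdata=AAAA&reserved=0'

Get-SafeLinksOriginalUrl $wrapped
```

Treat the recovered URL as untrusted data: log or look it up, do not browse to it from an analyst workstation.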
How to Enable and Configure Safe Links Policies
Step 1: Navigate to Safe Links Settings
- Go to the Microsoft 365 Defender portal: https://security.microsoft.com
- Navigate to: Email & Collaboration → Policies & Rules → Threat Policies → Safe Links
Step 2: Review or Create a Safe Links Policy
You may see:
- Preset security policies (Standard or Strict)
- Custom Safe Links policies
Preset policies are recommended as a baseline. Custom policies allow granular control.
Click Create to configure a new policy if needed.
Step 3: Configure Policy Scope (Who It Applies To)
Define:
- Specific users
- User groups
- Domains
Best practice:
- Apply Safe Links to all users
- Consider stricter policies for high-risk roles (executives, finance, HR)
Ensure no critical users are excluded.
Step 4: Configure Safe Links Settings
Important options include:
- Enable Safe Links for email messages
- Scan URLs at time of click
- Apply Safe Links to internal messages
- Do not allow users to click through warnings (recommended for strict environments)
Review these carefully before enabling.
Safe Links for Teams, SharePoint, and OneDrive
Safe Links can also protect collaboration workloads.
Enable protection for:
- Microsoft Teams messages
- SharePoint Online
- OneDrive for Business
This ensures:
- Links shared in chat are scanned
- URLs embedded in documents are evaluated
- Collaboration tools are covered, not just email
To configure:
- Go to Safe Links policy settings.
- Enable Safe Links for Microsoft Teams.
- Enable Safe Links for Office apps.
Without enabling these, protection is limited to email only.
Click Tracking and Reporting
Safe Links provides visibility into:
- Who clicked a link
- When it was clicked
- Whether it was blocked
- URL verdict status
Security analysts can review this data in:
- Microsoft Defender portal
- Threat Explorer (Plan 2)
- Reports section
This is useful for:
- Incident response
- Identifying compromised users
- Campaign analysis
Key Settings to Verify
Security administrators should confirm:
- Safe Links is applied to all users
- Internal emails are included (if required)
- Teams and SharePoint protection is enabled
- Users cannot bypass warning pages (for high-risk roles)
- Click tracking is enabled
Common Misconfigurations
- Safe Links enabled only for a pilot group
- Teams and SharePoint protection not enabled
- Users allowed to override warning pages
- Preset policy overridden by weaker custom rules
Regular policy review is recommended.
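The checks in "Key Settings to Verify" and "Common Misconfigurations" can be scripted. The following is an added example, not part of the original article: it audits policy and rule objects shaped like the output of the Exchange Online `Get-SafeLinksPolicy` and `Get-SafeLinksRule` cmdlets. The function names, the sample policies and rules, and the `contoso.example` addresses are constructed, and the scope check is a heuristic.

```powershell
# Baseline from "Key Settings to Verify"; names are Get-SafeLinksPolicy properties.
$Baseline = [ordered]@{
    EnableSafeLinksForEmail  = $true    # Safe Links on for email messages
    ScanUrls                 = $true    # scan URLs at time of click
    EnableForInternalSenders = $true    # internal messages included
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    TrackClicks              = $true
    AllowClickThrough        = $false   # users cannot bypass warning pages
}
function Test-SafeLinksPolicy {         # one finding per setting that deviates
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        foreach ($s in $Baseline.Keys) {
            if ($Policy.$s -ne $Baseline[$s]) {
                [pscustomobject]@{ Policy = $Policy.Name; Finding = "$s = $($Policy.$s)" }
            }
        }
    }
}
function Test-SafeLinksRuleScope {      # scope problems on the rule bound to a policy
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        $issues = @()
        if ($Rule.State -ne 'Enabled')    { $issues += 'rule is disabled' }
        if (-not $Rule.RecipientDomainIs) { $issues += 'scoped to users/groups only, not a domain' }
        if ($Rule.ExceptIfSentTo -or $Rule.ExceptIfSentToMemberOf -or
            $Rule.ExceptIfRecipientDomainIs) { $issues += 'has recipient exclusions' }
        foreach ($i in $issues) { [pscustomobject]@{ Policy = $Rule.SafeLinksPolicy; Finding = $i } }
    }
}
# Constructed sample objects; in a tenant, pipe Get-SafeLinksPolicy and
# Get-SafeLinksRule (after Connect-ExchangeOnline) into the functions instead.
$policies = @(
    [pscustomobject]@{ Name = 'All Users'; EnableSafeLinksForEmail = $true; ScanUrls = $true
        EnableForInternalSenders = $true; EnableSafeLinksForTeams = $true
        EnableSafeLinksForOffice = $true; TrackClicks = $true; AllowClickThrough = $false }
    [pscustomobject]@{ Name = 'Pilot'; EnableSafeLinksForEmail = $true; ScanUrls = $true
        EnableForInternalSenders = $false; EnableSafeLinksForTeams = $false
        EnableSafeLinksForOffice = $true; TrackClicks = $true; AllowClickThrough = $true }
)
$rules = @(
    [pscustomobject]@{ SafeLinksPolicy = 'All Users'; State = 'Enabled'
        RecipientDomainIs = @('contoso.example') }
    [pscustomobject]@{ SafeLinksPolicy = 'Pilot'; State = 'Enabled'
        SentToMemberOf = @('safelinks-pilot@contoso.example') }
)
@($policies | Test-SafeLinksPolicy) + @($rules | Test-SafeLinksRuleScope) | Format-Table -AutoSize
```

An empty result means every audited policy matches the baseline; a group-scoped rule that does cover all users will still be reported and can be accepted after review.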
Limitations to Understand
- Safe Links evaluates URLs based on reputation and analysis.
- If a URL is unknown but not classified as malicious, it may still load.
- Protection focuses on detection and warning, not containment.
- User interaction still occurs on the local endpoint device.
Layered protection strategies are recommended for comprehensive defense.
Frequently Asked Questions (FAQ)
What is the difference between Safe Links and Safe Attachments?
Safe Links protects users from malicious URLs.
Safe Attachments scans file attachments using sandbox detonation.
Does Safe Links protect internal emails?
Yes, if configured. You must enable Safe Links for internal messages in policy settings.
Can users bypass Safe Links warning pages?
Depending on the configuration, users may be allowed to click through warnings. For higher security environments, disable this option.
Does Exchange Online Protection include Safe Links?
No. Safe Links requires Microsoft Defender for Office 365 Plan 1 or Plan 2.
Is Safe Links enabled automatically with Defender?
Preset security policies may enable Safe Links, but administrators should verify configuration and scope.
Summary
Safe Links is a critical layer of protection in Microsoft Defender for Office 365. It protects users from malicious URLs by scanning links at time-of-click and providing warning or blocking actions based on Microsoft’s threat intelligence.
To ensure effective protection:
- Enable Safe Links across all users
- Configure proper policy scope
- Include Teams, SharePoint, and OneDrive
- Review click tracking reports regularly
However, Safe Links primarily focuses on detection and reputation-based analysis. In scenarios involving zero-day threats, newly weaponized domains, or advanced phishing kits, additional containment controls may be considered.
Organizations seeking enhanced protection against unknown or evolving threats often evaluate browser isolation technologies that open untrusted links in a controlled remote environment rather than directly on the user’s device.
Examples of such solutions include:
These solutions provide post-click containment, reducing the risk of endpoint exposure even when a malicious link is not immediately classified as harmful.
A layered security approach combining Microsoft Defender protections with isolation-based controls provides stronger resilience against modern phishing attacks.