ASD's Blueprint for Secure Cloud

Safe Links

This section describes the design decisions associated with the Safe Links Microsoft 365 security feature for system(s) built using ASD's Blueprint for Secure Cloud.


Microsoft Defender for Office 365 Safe Links helps to protect organisations by providing ‘time-of-click verification’ of web addresses (URLs) in email messages, Office documents, and Teams messages. Safe Links is configured within the Microsoft 365 Defender portal using Safe Links policies.

Administrators can have URLs redirected so that users are not sent directly to the original link. In addition, administrators can obfuscate the original link, preventing users from copying and pasting it into a web browser.

Real-time scanning of URLs provides an additional layer of protection by scanning links during transit and holding an email message from delivery until its links have been scanned and considered safe.

Safe Links policies can be configured at an organisational level or on a per recipient basis and applied to Exchange Online, Teams, Office 365 applications, or combinations of the three.
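As an added illustration (not configuration taken from the Blueprint), the options described above map onto the Exchange Online PowerShell cmdlets `New-SafeLinksPolicy` and `New-SafeLinksRule` roughly as follows. The policy name, domains and every setting value are placeholders chosen for the example, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example: assumes the ExchangeOnlineManagement module is installed and
# the session is already connected with Connect-ExchangeOnline.
# Names, domains and values below are illustrative placeholders only.

$policyName = 'Example Safe Links Policy'   # hypothetical policy name

$policy = @{
    Name                     = $policyName
    # Workloads the policy applies to
    EnableSafeLinksForEmail  = $true        # Exchange Online
    EnableSafeLinksForTeams  = $true        # Teams
    EnableSafeLinksForOffice = $true        # Office 365 applications
    # Real-time scanning, holding delivery until links have been scanned
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true
    # URL rewriting stays on so clicks pass through time-of-click verification
    DisableUrlRewrite        = $false
    # Record clicks and do not let users continue past the warning page
    TrackClicks              = $true
    AllowClickThrough        = $false
    # Custom "Do not rewrite" URLs list (constructed sample entry)
    DoNotRewriteUrls         = @('intranet.example.com/*')
}
New-SafeLinksPolicy @policy

# A rule scopes the policy to recipients. Scoping by accepted domain applies
# it across the organisation; for a per-recipient scope use -SentTo or
# -SentToMemberOf instead of -RecipientDomainIs.
New-SafeLinksRule -Name "$policyName rule" `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs 'example.com'

# Read the settings back to confirm what was applied
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, EnableSafeLinksFor*, ScanUrls, DeliverMessageAfterScan,
                DisableUrlRewrite, TrackClicks, AllowClickThrough, DoNotRewriteUrls
```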

How Safe Links works within Exchange Online:

  • All incoming email goes through Exchange Online Protection, where IP and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied
  • An end-user signs into Office 365 and accesses their Exchange Online mailbox
  • An end-user opens an email message containing a URL, and then clicks on the URL in the email message
  • The ATP Safe Links feature immediately checks the URL before opening the website. The URL is identified as blocked, malicious, or safe
  • If the URL sends an end-user to a website that is included in a custom “Do not rewrite” URLs list for a policy that applies to the user, the website opens
  • If the URL sends an end-user to a website that is included in the organisation’s custom blocked URLs list, a warning page opens
  • If the URL sends an end-user to a website that has been determined to be malicious, a warning page opens
  • If the URL goes to a downloadable file and the ATP Safe Links policies are configured to scan such content, the downloadable file is checked
  • If the URL is considered safe, the end-user is taken to the website.

How Safe Links works within Office applications:

  • A user opens a Word, Excel, PowerPoint, or Visio document, and is signed in using their Office 365 security credentials. The document contains URLs
  • When a user clicks on a URL in the document, the link is checked by the ATP Safe Links service
  • If the URL sends an end-user to a website that is included in a custom “Do not rewrite” URLs list for a policy that applies to the user, that user is taken to the website
  • If the URL sends an end-user to a website that is included in the organisation’s custom blocked URLs list, the user is taken to a warning page
  • If the URL sends an end-user to a website that has been determined to be malicious, the user is taken to a warning page
  • If the URL goes to a downloadable file and the ATP Safe Links policies are configured to scan such downloads, the downloadable file is checked
  • If the URL is considered safe, the end-user is taken to the website.

How Safe Links works within Teams:

Security & Governance

  • None identified

Design

  • None identified

References



Authorised by the Australian Government, Canberra