Forum Discussion

HOhtani
Copper Contributor
Jan 28, 2026
Solved

URL rewriting does not apply during Attack Simulation (Credential Harvesting)

I’m running a credential-harvesting attack simulation in Microsoft Defender for Office 365, but the URL rewriting does not work as expected.

In the final confirmation screen, the phishing link is shown as rewritten to something like:

https://security.microsoft.com/attacksimulator/redirect?...

However, during the actual simulation, the link is NOT rewritten. It stays as the original domain (e.g., www.officentry.com), which causes the simulation to fail with an error.

I’m not sure whether this behavior is related to Safe Links or something else within Defender.

Why is the URL not rewritten at runtime, and how can I ensure that the redirect link is applied correctly in the actual simulation?

  • This behavior is expected in many configurations and is usually related to how Safe Links and Attack Simulation interact.

    In a credential harvesting simulation, the preview screen often shows a rewritten redirect URL (for example, the security portal redirect endpoint). However, during the actual campaign execution, URL rewriting is handled by Defender for Office 365 policies at delivery time, not by the simulation wizard itself.

    A few key points to check:

    1. Safe Links policy scope
      URL rewriting only occurs if Safe Links is enabled and applied to the recipient users through a policy. If the users targeted in the simulation are not included in a Safe Links policy, the URL will not be rewritten at runtime.
    2. Safe Links exclusions
      If the domain used in the simulation (for example, officentry.com) is added as an allowed or excluded domain in Safe Links settings, rewriting will not occur.
    3. Policy mode
      If Safe Links is configured in monitor-only mode or has certain tracking options disabled, rewriting may not behave as expected.
    4. Attack Simulation design
      In credential harvesting simulations, Defender often uses its own redirect and tracking mechanism. In some configurations, the platform does not rely on Safe Links rewriting because it needs to preserve the original phishing domain for tracking purposes. The preview screen may show the redirect format, but runtime behavior can differ depending on your tenant configuration.
    5. Mail flow rules
      Check whether any mail flow (transport) rules are modifying or bypassing Safe Links processing for internal messages or simulation messages.

    Recommended validation steps:

    • Confirm Safe Links policy is enabled and applied to the target users
    • Verify the simulation domain is not excluded
    • Review message trace to see if the email was processed by Safe Links
    • Check Defender reports to confirm whether the link was evaluated

    If Safe Links is properly scoped and still not rewriting, it may be because the simulation campaign is using its own tracking logic instead of the standard Safe Links rewrite engine.

    Architecturally, remember that Safe Links rewriting happens at message processing time, not at campaign configuration time. The preview UI does not always reflect final runtime behavior.
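
The configuration checks listed in the reply above can be run from Exchange Online PowerShell. This is an added example, not part of the original reply; it assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session, and uses the simulation domain named in the thread.

```powershell
# Added example: read-only review of the Safe Links settings the reply lists.
# Assumes an active Connect-ExchangeOnline session with permission to read
# Safe Links policies and transport rules.
$SimDomain = 'officentry.com'   # simulation domain named in the thread

# 1. Policy settings that decide whether links in email are rewritten.
$policies = Get-SafeLinksPolicy
$policies | Format-Table Name, EnableSafeLinksForEmail, DisableUrlRewrite,
    EnableForInternalSenders, TrackClicks -AutoSize

# 2. Per-policy "do not rewrite" entries that cover the simulation domain.
foreach ($p in $policies) {
    $hits = @($p.DoNotRewriteUrls | Where-Object { $_ -like "*$SimDomain*" })
    if ($hits.Count -gt 0) {
        Write-Warning "$($p.Name) excludes: $($hits -join ', ')"
    }
}

# 3. Rules that scope each policy to recipients (users, groups, domains),
#    in evaluation order. Compare these against the simulation's target users.
Get-SafeLinksRule | Sort-Object Priority |
    Format-List Name, State, Priority, SafeLinksPolicy,
        SentTo, SentToMemberOf, RecipientDomainIs,
        ExceptIfSentTo, ExceptIfSentToMemberOf, ExceptIfRecipientDomainIs

# 4. Mail flow rules that stamp the header telling Safe Links to skip a message.
Get-TransportRule | Where-Object {
    $_.SetHeaderName -eq 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
} | Format-Table Name, State, Priority, SetHeaderValue -AutoSize
```

A policy with `DisableUrlRewrite` set to `True`, a warning from step 2, or a rule returned by step 4 each explains links that arrive unwrapped for the affected recipients.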

     
