
Can ATP re-write URLs in a hybrid scenario?

Loryan Strant
MVP

Where a customer has an Exchange Online hybrid scenario and MX records are still pointed on-premises, can ATP still re-write the links inside emails to make them "Safe links"?

The FAQ on TechNet isn't 100% clear on this as it indicates that the rewrite is done at the EOP end which makes sense, but how can it be done when the email isn't going via EOP?

It does also say in that FAQ: "Safe attachments scans incoming mail from outside the organization for all customers, as well as internal emails between employees for hosted mailbox customers. Safe links is only applied for inbound traffic from external senders to internal recipients."

 

So I'm just wanting to confirm if yes - all emails with URLs are scanned even if they are from the on-prem hybrid server to Online, or not.

 

Thanks

3 Replies

This is a very interesting question!

I have spent a bit trying to replicate this and see what I could find, as I could not answer this off the top of my head. I do a lot of hybrid deployments with my clients, so know how this works with most filtering, I have just never specifically tested the malicious link aspect.

 

In short, you are in scenario 3 here - https://technet.microsoft.com/en-us/library/e1da5f2f-c732-4010-85c9-878b2cef3fb3(v=exchg.150)#scenar...

 

You would have a connector in place, and that connector would enable mail flow. 

Unfortunately I did not find anything conclusive on the ATP side of the house. I do know from testing and documentation that even with a connector, EOP will still do such tasks as malware/spam filtering, as well as more advanced compliance asks. Ultimately from my understanding the connector just shields you from blacklisting, but the filtering still happens.

 

"This connector enables Office 365 to scan your email for spam and malware, and to enforce compliance requirements such as running data loss prevention policies. When your email server sends all email messages directly to Office 365, your own IP addresses are shielded from being added to a spam block list. To complete the scenario, you might need to configure your email server to send messages to Office 365."

With that said, logically I would say yes, ATP should still work. But this is just my extrapolation from my own testing and previous experience. I do not have a malicious link to test with ><

Sorry this was not conclusive, but hopefully this meshes with your own thoughts on the matter and gives you a bit more confidence.

 

-Adam

Hi Adam and Loryan,

 

This is a good question, if someone or Microsoft can send a link that we could test and for example to show to the client when implementing it will be a must. I think it will be a good way to accomplish the test phase of an implementation on this kind of feature.

 

Yes - it works (for us).
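
One way to verify the behaviour discussed in this thread is to save a message as delivered to a hosted mailbox and check whether its links were rewritten. This is an added example and not part of any post above. It assumes rewritten links use a host under `safelinks.protection.outlook.com` with the original destination in the `url` query parameter; the function names and the sample message are constructed for illustration.

```python
import html
import re
from email import message_from_string
from email.policy import default
from urllib.parse import parse_qs, urlsplit

# Host suffix of Safe Links wrapper URLs, e.g. nam01.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def classify_url(url):
    """Return (rewritten, original_url) for one URL found in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        # The wrapped destination is percent-encoded in the 'url' parameter.
        return True, parse_qs(parts.query).get("url", [None])[0]
    return False, url

def audit_message(raw):
    """List every URL in the text parts of a message with its rewrite status."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = html.unescape(body)  # turn &amp; in href values back into &
        for url in URL_RE.findall(body):
            rewritten, original = classify_url(url)
            findings.append({"seen": url, "rewritten": rewritten, "original": original})
    return findings

# Constructed sample: one wrapped link and one link that was left untouched.
SAMPLE = """\
From: sender@external.example
To: user@contoso.example
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Wrapped: https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Freport%3Fid%3D7&data=placeholder&reserved=0
Untouched: https://example.org/newsletter
"""

if __name__ == "__main__":
    for finding in audit_message(SAMPLE):
        state = "rewritten" if finding["rewritten"] else "NOT rewritten"
        print(f"{state}: {finding['original']}")
```

Running it against messages that arrived through the on-premises MX and through the connector shows, per link, whether the rewrite was applied on that path.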