SOLVED
Home

Safe Links Advanced Threat protection.

%3CLINGO-SUB%20id%3D%22lingo-sub-11838%22%20slang%3D%22en-US%22%3ESafe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-11838%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt148491(v%3Dexchg.150).aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat%20users%20see%20when%20they%20follow%20a%20malicious%20link%20when%20ATP%20is%20applied%3C%2FA%3E%3CBR%20%2F%3E%3CDIV%20class%3D%22LW_CollapsibleArea_HrDiv%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sectionblock%22%3E%3CP%3EWhen%20a%20safe%20links%20policy%20is%20applied%20and%20users%20follow%20a%20suspect%20link%2C%20%3CSTRONG%3Eusers%20are%20shown%20a%20webpage%20informing%20them%20that%20the%20link%20they%20are%20trying%20to%20follow%20is%20malicious%3C%2FSTRONG%3E.%20If%20the%20recipient%E2%80%99s%20safe%20links%20policy%20has%20been%20configured%20to%20allow%20the%20user%20to%20go%20through%2C%20that%20user%20is%20given%20the%20option%20to%20continue%20to%20the%20site.%3C%2FP%3E%3CP%3E____________________________________________________________________________________________________________________________%3C%2FP%3E%3CP%3EFrom%20the%20article%20mentioned%20above%20I%20would%20expect%20that%20an%20malicious%20link%20would%20be%20reformatted%2C%20and%20when%20an%20end%20user%20clicks%20the%20link%2C%20they%20would%20be%20redirected%20to%20a%20warning%20site%20letting%20them%20know%20the%20content%20in%20the%20link%20is%20%22Suspect%22.%20Today%20one%20of%20our%20users%20got%20an%20email%20with%20a%20link%20to%20a%20Suspect%20site%2C%20and%20although%20in%20the%20body%20of%20the%20email%20the%20link%20was%20reformatted%2C%20when%20clicking%20on%20it%20we%20go%20directly%20to%20the%20Suspect%20site%2C%20and%20not%20to%20a%20warning%20page%20letting%20us%20know%20the%20link%20is%20suspect.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20mean%20that%20the%20link%20is%20not%20malicious%3F%20Should%20we%20be%20redirected%20to%20a%20warning%20site%20when%20clicking%20on%20a%20link%20formatted%20like%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20200px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F3486iDDE35245F526DFE8%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20alt%3D%22safelinks.PNG%22%20title%3D%22safelinks.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-11838%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-13959%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-13959%22%20slang%3D%22en-US%22%3E%3CP%3ENon-detected%20URLs%20can%20be%20submitted%20to%20the%20Safe%20Links%20PG%20for%20analysis%20in%20the%20following%20way%3A%3C%2FP%3E%3COL%3E%3COL%3E%3CLI%3ESend%20to%20%3CA%20href%3D%22mailto%3ASafelinksFeedback%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESafelinksFeedback%40microsoft.com%3C%2FA%3E%20with%20the%20subject%20including%20the%20tag%20%22%5BPotential%20Malicious%20URL%20Submission%5D%22.%3C%2FLI%3E%3CLI%3EInclude%20the%20link%2C%20but%20modify%20it%20so%20that%20it%20is%20not%20clickable%3A%20Change%20the%20%22.%22%20within%20the%20authority%20of%20the%20URL%20to%20%22_%22%2C%20such%20as%20%22%3CU%3E%3CA%20href%3D%22http%3A%2F%2Fwww_contoso_com%2FmaliciousUrl.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww_contoso_com%2FmaliciousUrl.html%3C%2FA%3E%3C%2FU%3E%22%3C%2FLI%3E%3CLI%3EDo%20not%20include%20any%20images.%3C%2FLI%3E%3C%2FOL%3E%3C%2FOL%3E%3CP%3EFor%20more%20important%20issues%2C%20consider%20submitting%20mails%20as%20basic%20spam%20as%20well%2C%20as%20per%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj200769%2528v%3Dexchg.150%2529.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESubmit%20spam%2C%20non-spam%2C%20and%20phishing%20scam%20messages%20to%20Microsoft%20for%20analysis.%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20Safe%20Links%20incorporates%20the%20same%20URIBL%20providers%20(aka.%20%22Partner%20Block%20Lists%22)%26nbsp%3Bthat%20the%20EOP%20anti-spam%20component%20uses%2C%20you%20can%20also%20check%20URIs%2FURLs%20against%20their%20websites%2C%20as%20listed%20on%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdn458545%2528v%3Dexchg.150%2529.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETechNet%20%3C%2FA%3E(%3CA%20href%3D%22https%3A%2F%2Fadmin.uribl.com%2F%3Fsection%3Dlookup%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EURIBL%3C%2FA%3E%2C%20%3CA%20href%3D%22http%3A%2F%2Fwww.surbl.org%2Fsurbl-analysis%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESURBL%3C%2FA%3E%2C%20%3CA%20href%3D%22http%3A%2F%2Fwww.spamhaus.org%2Flookup%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESpamhaus%3C%2FA%3E%2C%20%3CA%20href%3D%22http%3A%2F%2Fdnsbl.invaluement.com%2Flookup%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EInvaluement%3C%2FA%3E%2C%20%3CA%20href%3D%22http%3A%2F%2Fwww.phishtank.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPhishtank%3C%2FA%3E).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-13701%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-13701%22%20slang%3D%22en-US%22%3E%3CP%3EA%20way%20to%20report%20that%20the%20link%20should%20have%20been%20marked%20as%20suspect%20would%20be%20nice.%20Anything%20like%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-13567%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-13567%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20Brent%20said%2C%20you%20are%20redirected%20to%20a%20warning%20page%20only%20if%2C%20at%20the%20time%20when%20the%20link%20was%20clicked%2C%20the%20URL%20is%20considered%20suspect.%20If%20the%20link%20is%20not%20suspect%2C%20then%20there%20is%20no%20reason%20to%20alter%20the%20user%20experience.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKeep%20in%20mind%20that%2C%20for%20a%20specific%20link%2C%20the%20behavior%20might%20change%20depending%20on%20the%20point%20in%20time%20when%20the%20link%20was%20clicked%20and%20how%20it%20was%20evaluated%20by%20Microsoft%20at%20that%20specific%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-12131%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-12131%22%20slang%3D%22en-US%22%3E%3CP%3EALL%20links%20are%20reformatted%20(using%20the%20safe%20links)%20--%20unless%20you%20whitelist%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20nothing%20in%20the%20email%20itself%20that%20indicates%20that%20the%20link%20is%20good%20or%20bad.%20%26nbsp%3BIt%20is%20only%20checked%20at%20the%20time%26nbsp%3Bthe%20link%20is%20actually%20clicked.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESince%20it%20goes%20through%20to%20website%2C%20it%20just%20means%20Microsoft%20hasnt%20caught%20on%20yet%20that%20it%20is%20a%20bad%20link.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-786060%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20Advanced%20Threat%20protection.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-786060%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F452%22%20target%3D%22_blank%22%3E%40Robert%20Woods%3C%2FA%3E%26nbsp%3BI've%20removed%20the%20previous%20official%20response%20as%20it's%20out%20of%20date.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFile%20the%20item%20under%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Foffice365%252Fsecuritycompliance%252Fadmin-submission%26amp%3Bdata%3D02%257C01%257Cv-ersta%2540microsoft.com%257Cd555bb4bf7e5469ac9d308d716d6e34e%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637002984554602349%26amp%3Bsdata%3DQdfOFn2%252Brgg8XdbnLr76gi2AViV4FE8UqqzSt6oCpgM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fadmin-submission%3C%2FA%3Eand%20then%20get%20feedback%20there.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20that%20doesn't%20solve%20the%20issue%2C%20feel%20free%20to%20open%20a%20support%20ticket.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Robert Woods
Super Contributor

When a safe links policy is applied and users follow a suspect link, users are shown a webpage informing them that the link they are trying to follow is malicious. If the recipient’s safe links policy has been configured to allow the user to go through, that user is given the option to continue to the site.

____________________________________________________________________________________________________________________________

From the article mentioned above I would expect that an malicious link would be reformatted, and when an end user clicks the link, they would be redirected to a warning site letting them know the content in the link is "Suspect". Today one of our users got an email with a link to a Suspect site, and although in the body of the email the link was reformatted, when clicking on it we go directly to the Suspect site, and not to a warning page letting us know the link is suspect.

 

Does this mean that the link is not malicious? Should we be redirected to a warning site when clicking on a link formatted like this?

 

safelinks.PNG

4 Replies
Solution

ALL links are reformatted (using the safe links) -- unless you whitelist them.

 

There is nothing in the email itself that indicates that the link is good or bad.  It is only checked at the time the link is actually clicked.

 

Since it goes through to website, it just means Microsoft hasnt caught on yet that it is a bad link.

As Brent said, you are redirected to a warning page only if, at the time when the link was clicked, the URL is considered suspect. If the link is not suspect, then there is no reason to alter the user experience.

 

Keep in mind that, for a specific link, the behavior might change depending on the point in time when the link was clicked and how it was evaluated by Microsoft at that specific time.

A way to report that the link should have been marked as suspect would be nice. Anything like that?

@Robert Woods I've removed the previous official response as it's out of date.

 

File the item under https://docs.microsoft.com/en-us/office365/securitycompliance/admin-submission and then get feedback there.

 

If that doesn't solve the issue, feel free to open a support ticket.

Related Conversations
Link Previews Working in Mobile but not Desktop
Peter Mcdermott in Microsoft Teams on
8 Replies
Quick Links Analytics
Tom Oliver in SharePoint on
1 Replies
BCL Values
Tony Derricott in Exchange on
7 Replies
Copying Links to Paragraphs in OneNote
kayla7 in Office 365 on
1 Replies