cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

User accessed link in ZAP-quarantined email <-> Safe Links reports

JS70
New Contributor

‎Sep 26 2022 12:31 AM

‎Sep 26 2022 12:31 AM

User accessed link in ZAP-quarantined email <-> Safe Links reports

Currently I am working on an alert telling me a user accessed a link in ZAP-quarantined email. If I check the Safe Links report and filter it for the domain in the link I get zero results.

 

Can anyone enlighten me how these features work together? I assumed that Safe Links keeps a list of Clicks and whena  mail is Zapped that was successfully accessed Defender throughs the above alert. But shouldn't I be able to find the click in the Safe links report then?

Thanks

1,327 Views
0 Likes
3 Replies
Reply
3 Replies
Tiennes

‎Sep 26 2022 01:26 AM

‎Sep 26 2022 01:26 AM

Re: User accessed link in ZAP-quarantined email <-> Safe Links reports

Hi @JS70,

 

ZAP stands for Zero-Hour Purge, this is an email protection functionality that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to the EXO mailboxes. When this alert occurs, one (or more) of your users already accessed a hyperlink in an email message that ZAP later qualified as potentially dangerous.

 

Safe-Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.

 

Are these functions coming together?
So far I know, they don't. They are working separately from each other, and are not coming together. Maybe that's the reason why you are not getting any related information from the Safe-Links reports. In the User accessed link in ZAP-quarantined email alert, there is information on which link your user has accessed. From Explorer, you can perform a search for the particular email message or URL to find out which users have potentially accessed this URL.

 

If you have any more questions, please let me know.

 

 

0 Likes
Reply
JS70

‎Sep 26 2022 02:31 AM

‎Sep 26 2022 02:31 AM

Re: User accessed link in ZAP-quarantined email <-> Safe Links reports

Hello Tiennes,

thank you a lot for your answer. I understand the concepts as such. What I dont understand is that Safe-links should envelope any links sent to my users. So if a user clicks a link that click should be visible in the safe links report. If I dont find a domain in the report at all it should be safe to say that no user clicked on a link to that domain sent to him in an email.

At the same time Defender tells me the user has accessed the link.

This is contradicting, either he has or has not clicked the link. I am trying to find out which is true and why I am either getting an alert for a click that didnt happen or why I dont see the click in the report where it should be listed.
0 Likes
Reply
best response confirmed by JS70 (New Contributor)
JS70

‎Sep 28 2022 12:53 AM

‎Sep 28 2022 12:53 AM

Solution

Re: User accessed link in ZAP-quarantined email <-> Safe Links reports

I found a little more. It just does not show up when I filter for the Mail in the Safe links report. If I search explicitly in the Safe Links via an Create on-demand report, the URL and click show up. So its down to being a presentation layer glitch.
0 Likes
Reply