User accessed link in ZAP-quarantined email <-> Safe Links reports


Currently I am working on an alert telling me a user accessed a link in ZAP-quarantined email. If I check the Safe Links report and filter it for the domain in the link I get zero results.


Can anyone enlighten me how these features work together? I assumed that Safe Links keeps a list of clicks, and when a mail that was successfully accessed is zapped, Defender throws the above alert. But shouldn't I be able to find the click in the Safe Links report then?


3 Replies

Hi @JS70,


ZAP stands for Zero-Hour Purge. This is an email protection functionality that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to the EXO mailboxes. When this alert occurs, one (or more) of your users already accessed a hyperlink in an email message that ZAP later qualified as potentially dangerous.


Safe-Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.


Are these functions coming together?
As far as I know, they don't. They work separately from each other and do not come together. Maybe that's the reason why you are not getting any related information from the Safe-Links reports. In the "User accessed link in ZAP-quarantined email" alert, there is information on which link your user has accessed. From Explorer, you can perform a search for the particular email message or URL to find out which users have potentially accessed this URL.


If you have any more questions, please let me know.



Hello Tiennes,

Thank you a lot for your answer. I understand the concepts as such. What I don't understand is that Safe-Links should envelop any links sent to my users. So if a user clicks a link, that click should be visible in the Safe Links report. If I don't find a domain in the report at all, it should be safe to say that no user clicked on a link to that domain sent to him in an email.

At the same time Defender tells me the user has accessed the link.

This is contradictory: either he has or has not clicked the link. I am trying to find out which is true and why I am either getting an alert for a click that didn't happen or why I don't see the click in the report where it should be listed.

best response confirmed by JS70 (New Contributor)

I found a little more. It just does not show up when I filter for the mail in the Safe Links report. If I search explicitly in Safe Links via a "Create on-demand report", the URL and click show up. So it's down to being a presentation layer glitch.