I've just received a pretty basic phishing email using a MS Form to harvest username and passwords. we do have Office ATP enabled, but noticed that the link wasn't rewritten..and futher investigation showed in the past day no urls have been rewritten. Also when submitting the email for Automated Investigation the case failed with the error "Email Settings Error". We don't have any special config..just the defaults with a block of urls in the safe block list. Any thoughts?, yes loggin a case.
Do you mean the link to the actual form? It should be rewritten regardless of any content in the actual form. Depending on the version of Outlook, you might be seeing the new "native" rendering of links, which shows the original URL in the tooltip, but if you check the status bar or click on the link it should take you to the rewritten one. If that's not the case, check for any exceptions you might have for rewriting URLs.
I did click on the link and found that it went directly to the site without rewriting the url. The form was external to our Org so don't think that setting will help, but enable it as soon as it comes in.