Safe Links not rewriting

Hi All,

I've just received a pretty basic phishing email using a MS Form to harvest usernames and passwords. We do have Office ATP enabled, but noticed that the link wasn't rewritten, and further investigation showed that in the past day no URLs have been rewritten. Also, when submitting the email for Automated Investigation, the case failed with the error "Email Settings Error". We don't have any special config, just the defaults with a block of URLs in the safe block list. Any thoughts? Yes, logging a case.

Regards

Jlouden

3 Replies

Do you mean the link to the actual form? It should be rewritten regardless of any content in the actual form. Depending on the version of Outlook, you might be seeing the new "native" rendering of links, which shows the original URL in the tooltip, but if you check the status bar or click on the link it should take you to the rewritten one. If that's not the case, check for any exceptions you might have for rewriting URLs.

If you mean content in the actual form, they just announced this: https://admin.microsoft.com/AdminPortal/home?switchtomodern=true#/MessageCenter?id=MC188695
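
One way to settle the tooltip-versus-status-bar question is to inspect the saved message source instead of the client rendering. This is an added example, not part of the thread: it assumes Safe Links wrappers use a host ending in `.safelinks.protection.outlook.com` with the original target in the `url` query parameter, and the sample message and its hostnames are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption: wrapper host suffix and "url" parameter carry the original target.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

class _Hrefs(HTMLParser):
    """Collect href values of <a> tags (entities are unescaped by the parser)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def classify(href):
    """Return (status, original_url) for one href from the message source."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return ("skipped", href)            # mailto:, tel:, cid: and similar
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        target = parse_qs(parts.query).get("url", [""])[0]
        return ("rewritten", target)        # parse_qs percent-decodes the target
    return ("not_rewritten", href)

def audit_message(raw_bytes):
    """Classify every link in the HTML parts of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _Hrefs()
            parser.feed(part.get_content())
            results += [classify(h) for h in parser.hrefs]
    return results

# Constructed sample message: one wrapped link, one unwrapped link, one mailto.
SAMPLE = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="https://nam02.safelinks.protection.outlook.com/'
    b'?url=https%3A%2F%2Fforms.example.com%2Fr%2Fabc&amp;data=02&amp;reserved=0">a</a>'
    b'<a href="https://forms.example.net/r/xyz">b</a>'
    b'<a href="mailto:it@example.com">c</a>'
)

if __name__ == "__main__":
    for status, url in audit_message(SAMPLE):
        print(f"{status:14} {url}")
```

Any `not_rewritten` entry whose host is not covered by a configured rewrite exception is the evidence to attach to a support case.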

Hi, Vasil,

I did click on the link and found that it went directly to the site without rewriting the URL. The form was external to our Org so don't think that setting will help, but enable it as soon as it comes in.

I would suggest you open a support ticket and report this then, it should have been rewritten.