Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

ATP Safe Links are automatically unsubscribing users from email lists

Brass Contributor

We turned on ATP safe links a few weeks ago, and I have multiple reports of people being automatically unsubscribed from email lists they want to remain members of. 


In each case the messages sent to list members includes a "Click-to-unsubscribe" link in the footer. It seems that either ATP is activating the unsubscribe script when it probes the link, or when it rewrites the URL. There are a couple of lists that between 500 and 1000 of our users subscribe to, and they were all unsubscribed the first time that list sent a message after we turned on Safe Links.


Is there any way to keep this from happening? I know we can opt users out of safe links, but in this case we need to white list a sender. 

2 Replies

Please complain to these br0ken lists, since:


"GET is for retrieving data.  It should have no side effects, you should be able to request the same URL over and over harmlessly."


"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". (...) Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them."

Thank you for the reply, but the "one-click unusubscribe" has been a feature in many lists for a very long time. I can ask the owners of those lists to talk to the list host about making changes, but some of these are very old lists that are not maintained with current technology (many of these are ancient academic lists). I did get one list host (Dada Mail) to remove the click to unsubscribe from the footer of messages being sent to our domain. Another host replied to tell me that they could not do remove or change the link. 


So I know it's not Microsoft's fault, but from my customers' perspectives it is my department's fault for turning on a feature that has a negative side effect for many of them. The workaround many are using is to re-subscribe using a personal email address, which is less than ideal for many reasons. I did find that it looks like we can create a Transport rule to bypass safe links for specific IP addresses, so we will give that a try. Another user reported that it was triggering the satisfaction rating for their service desk software: