SOLVED

Office 365 SafeLinks ATP custom URL

%3CLINGO-SUB%20id%3D%22lingo-sub-1358317%22%20slang%3D%22en-US%22%3EOffice%20365%20SafeLinks%20ATP%20custom%20URL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358317%22%20slang%3D%22en-US%22%3E%3CP%3EHello!%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20looking%20to%20build%20a%20dynamic%20script%20that%20pulls%20known-phishing%20sites%20from%20various%20sources%20and%20add%20these%20dynamically%20to%20SafeLinks%20policy.%20I%20did%20a%20bit%20of%20research%20and%20unfortunately%20I%20have%20found%20no%20option%20to%20add%26nbsp%3B%3CSTRONG%3Ecustom%26nbsp%3B%3C%2FSTRONG%3Eblacklisted%20URLs%20onto%20Office%20365%20-%20I%20can%20manage%20the%20policy%20settings%20in%20general%2C%20but%20I%20can't%20find%20an%20option%20that%20would%20allow%20me%20to%20automate%20my%20own%20custom%20URLs%20and%20domains.%20Both%20Graph%20API%20(seemingly%20unable%20to%20manage%20ATP%20Safelinks%20at%20all)%20and%20Powershell%20(some%20Safelink%20management)%20do%20not%20seem%20to%20expose%20this%20option.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAlex%20P%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1377047%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20SafeLinks%20ATP%20custom%20URL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1377047%22%20slang%3D%22en-US%22%3EHow%20about%20this%20command%3F%3CBR%20%2F%3ESet-AtpPolicyForO365%20-BlockUrls%20%3CMULTIVALUEDPROPERTY%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fset-atppolicyforo365%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fset-atppolicyforo365%3Fview%3Dexchange-ps%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EKeep%20in%20mind%20when%20you%20run%20the%20command%20above%2C%20it%20will%20overwrite%20any%20previous%20values%20that%20were%20in%20the%20blocklist%2C%20so%20you%20need%20to%20use%20the%20%40Add%20to%20append.%3CBR%20%2F%3Eset-AtpPolicyForO365%20-BlockUrls%20%40%7Badd%3D'contoso.com'%7D%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20wish%20to%20automate%2C%20you%20could%20use%20Azure%20Automation%20Runbook%20to%20read%20phishing%20sites%20from%20various%20sources%2C%20and%20then%20run%20Set-AtpPolicyForO365%20to%20update%20the%20block%20policy.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Flearn%2Fautomation-tutorial-runbook-textual-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Flearn%2Fautomation-tutorial-runbook-textual-powershell%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20this%20was%20helpful%20please%20click%20'Mark%20as%20best%20response.'%3CBR%20%2F%3E%3CBR%20%2F%3E-Joe%3C%2FMULTIVALUEDPROPERTY%3E%3C%2FLINGO-BODY%3E
Contributor

Hello!

I'm looking to build a dynamic script that pulls known-phishing sites from various sources and add these dynamically to SafeLinks policy. I did a bit of research and unfortunately I have found no option to add custom blacklisted URLs onto Office 365 - I can manage the policy settings in general, but I can't find an option that would allow me to automate my own custom URLs and domains. Both Graph API (seemingly unable to manage ATP Safelinks at all) and Powershell (some Safelink management) do not seem to expose this option. 

 

Any help? 

Alex P

1 Reply
best response confirmed by Aleksander Pawlak (Contributor)
Solution
How about this command?
Set-AtpPolicyForO365 -BlockUrls <MultiValuedProperty>
https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/set-atppolicy...

Keep in mind when you run the command above, it will overwrite any previous values that were in the blocklist, so you need to use the @Add to append.
set-AtpPolicyForO365 -BlockUrls @{add='contoso.com'}

If you wish to automate, you could use Azure Automation Runbook to read phishing sites from various sources, and then run Set-AtpPolicyForO365 to update the block policy.
https://docs.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual-powershe...

If this was helpful please click 'Mark as best response.'

-Joe