SafeLinks results in Microsoft 365 Defender incidents


In Microsoft 365 Defender we receive an incident "Initial access incident on one endpoint reported by multiple sources" with alerts about ZAP'd emails and a "Suspicious URL clicked" alert generated by Defender for Endpoint.

The "Suspicious URL clicked" alert is marked "via safelink" so SafeLinks has checked the URL and returned the information to Defender for Endpoint.


But is there any way to be sure, based on the information in the Defender portal, that SafeLinks has also definitely blocked access to the website? The displayed result is only "Detected."


In today's case, I saw connections from the browser to Safelinks IP addresses after the click event, and no more after that. So I can assume that the link was blocked or the user did not proceed, but I can't be sure without asking the user.

1 Reply
best response confirmed by slaimer (Copper Contributor)
Within go to Explorer under Email & Collaboration. From here pop in the sender and go to the Top Clicks tab; this will show if it was blocked or allowed.
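
The same blocked-or-allowed check can be run as an advanced hunting query. This is an added example, not part of the reply above. It assumes the tenant exposes the `UrlClickEvents` and `EmailEvents` tables, and the sender address and 7-day window are constructed placeholders.

```kusto
// Added example: Safe Links verdict per click for mail from one sender.
// senderAddress and lookback are placeholders; replace with the values from the incident.
let senderAddress = "sender@example.com";
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromAddress =~ senderAddress
// One row per message, so the join does not multiply clicks per recipient.
| distinct NetworkMessageId, Subject, SenderFromAddress
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback)
  ) on NetworkMessageId
| extend Verdict = case(
    ActionType == "ClickAllowed",
        "Allowed: user reached the site",
    ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy") and IsClickedThrough == true,
        "Block page shown, but user clicked through to the original URL",
    ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy"),
        "Blocked: user did not reach the site",
    // Any other value (for example a pending scan or an error page) is shown as-is.
    ActionType)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, Verdict,
          ThreatTypes, DetectionMethods, Workload, Subject, SenderFromAddress, NetworkMessageId
| order by Timestamp desc
```

A blocked `ActionType` on its own is not conclusive: `IsClickedThrough` shows whether the user bypassed the warning page, which only matters if the Safe Links policy permits click-through.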