Skip to Content
EmailExchangeEmail SecuritySafe Links

Safe Links

Microsoft Defender for Office 365 Safe Links provides time-of-click protection against malicious URLs in email messages and Office documents. URLs are scanned and rewritten to route through Microsoft’s protection service.

Note: Safe Links is included with Microsoft Defender for Office 365 Plan 1 and Plan 2. Available in Microsoft 365 E5, E5 Security, or as an add-on.

  1. URL Rewriting — URLs in email are rewritten to route through Microsoft’s Safe Links service.
  2. User Clicks Link — When user clicks, request goes to Safe Links first.
  3. Real-Time Scan — URL is scanned against known bad URLs and analyzed for malicious content.
  4. Allow or Block — Safe URL: user proceeds. Malicious: blocked with warning page.

Note: Time-of-click protection catches URLs that were safe when email arrived but became malicious later — unlike static scanning at delivery.

Coverage Areas

Email Messages

URLs in email body and attachments are scanned. Works in Outlook desktop, web, and mobile clients.

Microsoft Teams

URLs shared in Teams chats and channels are protected. Requires global Safe Links settings enabled.

Office Apps

URLs in Word, Excel, PowerPoint, and Visio documents are scanned when clicked. Requires desktop apps.

SharePoint and OneDrive

Files in SharePoint and OneDrive are scanned. URLs in those files are protected by Safe Links.

Policy Settings

URL Scanning Options

  • On: Safe Links checks URLs when clicked — Enable real-time scanning
  • Apply to internal messages — Scan URLs in org-to-org mail
  • Scan URLs pointing to files — Follow links to downloadable files
  • Wait for URL scanning — Block user until scan completes

Click Protection

  • Track user clicks — Log when users click Safe Links URLs
  • Don’t let users click through — Block access to known bad URLs
  • Display organization branding — Show company logo on warning pages

URL Rewriting

  • Rewrite URLs — Standard mode, URLs visibly changed
  • Don’t rewrite, just scan — Native URL appearance, still protected

Do Not Rewrite List

Specify URLs that should not be rewritten (still scanned unless skipped):

  • Internal application URLs that break when rewritten
  • Third-party services that validate referrer headers
  • URLs that use tokens or session IDs in the path
  • Specific trusted domains

Warning: “Do not rewrite” URLs are still scanned at click time. To completely skip Safe Links, use the block/allow list, which is not recommended.

Warning Pages

Malicious URL Blocked

User is blocked from proceeding. URL is known malicious. If “don’t let users click through” is enabled, no option to continue.

Suspicious URL Warning

URL shows warning signs but isn’t confirmed malicious. User may proceed with caution if policy allows.

Scanning in Progress

URL is being scanned. User waits briefly before redirect or warning. Shown when “wait for scan” is enabled.

Error Page

Scan could not complete. User may be given option to proceed depending on policy configuration.

Global Settings

Enable Safe Links scanning for URLs in Word, Excel, PowerPoint files. Applies organization-wide.

Scan URLs in Teams messages. Requires this global setting plus policy for users.

Block Entries

URLs in the Tenant Allow/Block List are blocked regardless of Safe Links policy settings.

Click Reporting

When click tracking is enabled, Safe Links logs:

  • User who clicked
  • Original URL
  • Time of click
  • Verdict (safe, blocked, warned)
  • Application (Outlook, Teams, Office)
  • Whether user clicked through warning

Click data appears in Threat Explorer and URL Trace reports in the Security portal.

Best Practices

  • Enable for all users — Apply Safe Links protection to the entire organization.
  • Block click-through on malicious — Don’t allow users to proceed to known malicious URLs.
  • Enable Teams and Office protection — Turn on Safe Links for all supported applications.
  • Minimize exclusions — Keep the “do not rewrite” list as short as possible.

API Reference

GET /api/exchange/safe-links-policies List Safe Links policies

POST /api/exchange/safe-links-policies Create Safe Links policy

GET /api/exchange/safe-links-clicks Get click tracking data

GET /api/exchange/url-trace Trace URL detections

PUT /api/exchange/safe-links-global Update global settings

Last updated on
Safe AttachmentsSecurity Baselines