Skip to Content
ReportsExchange ReportsSafe Links Report

Safe Links Report

URL clicks rewritten by Microsoft Defender Safe Links. Shows blocked clicks, user click behavior, and most targeted URLs across your Exchange Online environment.

Overview

The Safe Links Report tracks all URL clicks that were processed by Microsoft Defender for Office 365 Safe Links. This includes URLs in emails and Teams messages that were rewritten for time-of-click protection. Use this report to identify phishing targets, monitor user click behavior, and evaluate URL threat trends.

Report Columns

ColumnDescription
DateDate and time of the URL click
UserUser who clicked the link
Original URLThe original URL before Safe Links rewriting
VerdictSafe, Malicious, or Blocked
ActionAllowed, Blocked, or User Override
Click SourceEmail, Teams, or other Office app
IP AddressIP address from which the click originated
DeviceDevice type and operating system
Message SubjectSubject of the email containing the link

Click Verdicts

  • Safe — URL was scanned and determined to be clean
  • Malicious — URL was identified as hosting phishing, malware, or exploit content
  • Blocked — URL matched a block list and the user was prevented from accessing it
  • Pending Verdict — URL is being analyzed in real time
  • User Override — URL was blocked but the user clicked through the warning page

Warning: User overrides of blocked URLs should be investigated. Frequent overrides may indicate users need additional security awareness training.

Top Targeted URLs

The report highlights the most frequently clicked malicious URLs:

  • Most clicked malicious domains
  • Users who clicked the most blocked URLs
  • Click patterns by time of day and day of week
  • Repeat offenders who regularly click suspicious links

Filters

  • Date Range — Last 7 days, 30 days, 90 days, or custom
  • Verdict — Safe, Malicious, Blocked
  • Action — Allowed, Blocked, User Override
  • Source — Email, Teams
  • User — Filter by specific user or group
  • Tenant — Filter by managed tenant

Security Insights

  1. Identify users who frequently click malicious links for targeted training
  2. Track phishing campaign effectiveness over time
  3. Monitor user override rates to assess policy effectiveness
  4. Correlate click data with phishing simulation results

API Reference

  • GET /api/reports/exchange/safe-links — Get Safe Links click report
  • GET /api/reports/exchange/safe-links/top-urls — Get most targeted URLs
  • GET /api/reports/exchange/safe-links/top-users — Get users with most blocked clicks
  • POST /api/reports/exchange/safe-links/export — Export report data
Last updated on
Safe Attachments ReportScheduled Reports