Sign In
In this module

AD2.2 Safe Links: URL Protection That Works at Click Time

5-6 hours · Module 2 · Free
Operational Objective
The fundamental problem with URL filtering at delivery time is that attackers control the timing. They send the email with a clean URL, wait for it to pass email filtering and land in the inbox, and then activate the phishing page hours later. By the time the user clicks, the URL that was clean at delivery is now a credential harvesting page. Safe Links solves this by rewriting URLs at delivery and scanning them again at click time — so the protection applies when the user actually interacts with the link, not when the email was received. This subsection walks you through creating the Safe Links policy with the exact settings, testing it, and understanding what users see when Safe Links blocks a malicious URL.
Deliverable: A production Safe Links policy configured, tested, and deployed to all users — with URL rewriting, click-time scanning, and real-time detonation enabled.
Estimated completion: 30 minutes
SAFE LINKS — URL PROTECTION AT CLICK TIME 1. EMAIL ARRIVES URL is clean at delivery EOP passes the email Safe Links rewrites URL href → safelinks.protection .outlook.com/?url=original 2. USER CLICKS Hours/days later Safe Links intercepts click Scans destination NOW Checks current reputation Detonates if unknown CLEAN User reaches destination Transparent experience MALICIOUS User sees warning page Link blocked · Click logged Admin notified via alert ADMIN VISIBILITY Who clicked What URL When (timestamp) Blocked or allowed URL trace report

Figure AD2.2 — Safe Links intercepts URL clicks in real-time. The email arrives with a rewritten URL. When the user clicks hours or days later, Safe Links scans the destination again. Clean URLs pass through transparently. Malicious URLs show a warning page and log the click for admin review.

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Links. Click "Create" to build a new policy.

Name: "Safe Links — All Users"

Users and domains: Click "Users" → Include → "All recipients." This applies the policy to every user in the tenant. You can exclude specific users later if needed (rarely necessary for Safe Links — the false positive rate is very low).

URL & click protection settings — configure each one:

On: Safe Links checks a list of known, malicious links when users click links in email. Enable this. This is the core Safe Links function — every URL click is checked against Microsoft's threat intelligence at click time.

On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. Enable this. Teams messages contain URLs too, and attackers increasingly use Teams for phishing (especially via guest access or compromised accounts).

On: Safe Links checks a list of known, malicious links when users click links in Office apps. Enable this. Covers URLs in Word, Excel, PowerPoint documents opened from email or SharePoint.

Apply real-time URL scanning for suspicious links and links that point to files. Enable this. When the URL destination is unknown (no prior reputation), Safe Links detonates it in a sandbox before allowing the user through. This catches zero-day phishing pages.

Wait for URL scanning to complete before delivering the message. Enable this. Without this setting, the email is delivered immediately and Safe Links scans the URL asynchronously — which creates a window where the user could click before scanning completes. With this enabled, the URL must be scanned before the email reaches the inbox. The delay is typically under 10 seconds and users rarely notice.

Do not rewrite URLs, do checks via Safe Links API only. Leave this OFF (disabled). URL rewriting is what makes Safe Links work — if you disable rewriting, Safe Links can only check URLs in the Outlook client (not webmail, not mobile, not other email clients). Keep rewriting enabled for full coverage.

Do not rewrite the following URLs: Leave empty unless you have specific URLs that break when rewritten (internal SharePoint sites, specific vendor portals). Add exceptions only when users report that a specific URL doesn't work with Safe Links — and document each exception.

Notification: Use the default notification page. This is the warning page users see when Safe Links blocks a URL. The default page is clear and professional — it tells the user the link was blocked for safety and provides a "back to safety" button.

Click "Submit" to create the policy.

What users experience

For clean URLs, the experience is transparent. The user clicks a link, there's a brief redirect through safelinks.protection.outlook.com (typically under 1 second), and they arrive at the destination. Most users never notice Safe Links is active.

For malicious URLs, the user sees a full-page warning: "This website has been classified as malicious." The page explains that the link was blocked, provides a "Go back" button, and does not provide a way to proceed to the malicious site. The user cannot override the block — which is the correct behavior. If a user reports that a blocked URL is legitimate, you investigate and add it to the exception list if confirmed safe.

For unknown URLs undergoing real-time detonation, the user sees a brief scanning page: "This link is being scanned." This typically takes 5-15 seconds. If the URL is clean after detonation, the user proceeds normally. If malicious, the warning page appears.

The most common user complaint about Safe Links is that rewritten URLs look ugly in emails — instead of seeing https://example.com/document, the user sees a long safelinks.protection.outlook.com URL. This is cosmetic. If users complain, explain that the rewritten URL is what protects them from phishing — the original URL is still the destination, Safe Links just checks it first. In Outlook desktop and mobile, the original URL is shown in a tooltip when hovering — the rewritten URL is only visible if the user copies the link.

After creating the policy, test it to confirm it's working.

Test 1 — Clean URL. Send yourself an email with a link to a known-safe URL (https://www.microsoft.com). Click the link. You should be redirected through safelinks.protection.outlook.com and arrive at Microsoft's homepage. Check the URL in your browser address bar during the redirect — you'll briefly see the safelinks URL before being redirected to the destination.

Test 2 — Verify rewriting. Send yourself an email and view the message source (in Outlook: open the email → File → Properties → Internet headers, or right-click → View source in Outlook Web). Search for "safelinks" in the source. All URLs in the email body should be rewritten to safelinks.protection.outlook.com URLs. If they're not rewritten, the policy isn't applying to your account — check the user scope in the policy configuration.

Test 3 — Check the URL trace. Navigate to security.microsoft.com → Email & collaboration → Explorer (or Reports → URL trace). After clicking the test URL, you should see an entry showing your click, the destination URL, and the verdict (allowed). This confirms that Safe Links is logging clicks — which is the data you'll use to investigate phishing clicks later.

Microsoft provides a specific test URL for Safe Links: https://smartscreentestratings2.net. This URL is maintained by Microsoft specifically for testing Safe Links and SmartScreen. Send yourself an email containing this URL, click it, and Safe Links should block it with the warning page. If the warning page appears, Safe Links is working correctly.

Compliance Myth: "Safe Links breaks too many legitimate URLs to be worth enabling"
Safe Links has a very low false positive rate — under 0.1% of legitimate URLs are blocked. The most common issue is not false blocking but URL rewriting that breaks specific web applications that validate the referring URL. If a vendor portal or internal application breaks with Safe Links rewriting, add that specific URL to the exception list. Don't disable Safe Links for all users because one URL doesn't work — that's like removing the seatbelts from every car because one driver finds them uncomfortable. Add the specific exception and move on.

After deployment, check the Safe Links URL trace weekly as part of your Monday morning review. Navigate to security.microsoft.com → Email & collaboration → URL trace (or Reports → URL protection report).

The key metrics to track: total URL clicks per week (this is your baseline — how many URLs are your users clicking in email), blocked clicks (URLs that Safe Links prevented users from reaching), and allowed clicks that were later reclassified as malicious (URLs that were clean at click time but subsequently identified as phishing — these are the "time-of-click" catches that Safe Links provides).

If you see a specific user with 10+ blocked clicks in a week, they're either being heavily targeted or they're clicking everything they receive. Either way, a conversation with that user is warranted — targeted awareness training or a discussion about email habits.

The URL trace also shows you which URLs are being targeted at your organization. If you see the same phishing domain appearing in multiple blocked clicks, you can proactively block that domain in your tenant's block list (security.microsoft.com → Policies & rules → Threat policies → Tenant Allow/Block Lists → URLs).

Decision point

After deploying Safe Links, the marketing team reports that their email campaign tracking links (which redirect through a marketing automation platform) are being rewritten by Safe Links, and the marketing platform can't track click-through rates accurately because all clicks appear to come from Microsoft's Safe Links infrastructure instead of the actual recipients. The marketing manager asks you to exclude the marketing platform's domains from Safe Links. What do you do?

Option A: Add the marketing platform's domains to the Safe Links exception list — marketing tracking is a legitimate business need.

Option B: Refuse — Safe Links must scan all URLs without exception.

Option C: Add the marketing platform's specific tracking domains to the exception list, but only after verifying the domains with the marketing team and documenting the exception with a quarterly review date.

The correct answer is Option C. Marketing tracking URLs from your own platform are legitimate and the risk of them being compromised is low (though not zero — marketing platforms have been compromised before). Add the specific domains (not wildcards), document the exception with the justification, and set a quarterly review. If the marketing platform changes domains, update the exception. This balances the business need with security — you're not disabling Safe Links for everything, you're making a documented exception for a specific, verified use case.

Try it: Create and test your Safe Links policy

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Links. Create the policy following the settings in this subsection.

After the policy is created, wait 15-30 minutes for it to propagate (policies don't take effect instantly across the entire Exchange Online infrastructure).

Send yourself a test email containing two URLs: https://www.microsoft.com (should pass) and https://smartscreentestratings2.net (should be blocked). Click both links. Verify the first opens normally (with a brief safelinks redirect) and the second shows the Safe Links warning page.

Check the URL trace report after your test: security.microsoft.com → Email & collaboration → Reports → URL protection report. You should see both clicks — one allowed, one blocked.

If the test URL is not blocked, check three things: is the policy enabled and assigned to your account? Has the propagation delay passed (try again after 30 minutes)? Is the "Apply real-time URL scanning" setting enabled?

A user clicks a URL in an email. The URL was clean when the email was delivered 3 days ago, but the attacker activated the phishing page 2 days ago. Safe Links is configured with "Apply real-time URL scanning" and "Wait for URL scanning to complete." What happens?
The user reaches the phishing page because the URL was clean at delivery — No. Safe Links doesn't rely on the delivery-time scan. It scans the URL again at click time, regardless of the delivery-time verdict.
Safe Links intercepts the click, scans the URL in real-time, detects the phishing page, and shows the user a warning page — the user never sees the phishing page — Correct. This is the core Safe Links value proposition: click-time scanning catches URLs that become malicious after delivery. The 3-day gap between delivery and click is irrelevant — Safe Links evaluates the URL at the moment the user clicks.
Safe Links logs the click but doesn't block it because the URL passed EOP at delivery — No. Safe Links makes its own determination at click time, independent of the EOP delivery verdict. Even if EOP passed the email, Safe Links can block the URL.
The user sees a "scanning" page briefly, then is allowed through because Safe Links only blocks known-bad URLs, not newly activated phishing pages — No. The "Apply real-time URL scanning" setting enables detonation of unknown URLs. A newly activated phishing page is detonated in a sandbox, and if phishing behavior is detected, the URL is blocked.
Operational Artifact — Safe Links Policy Configuration Reference
Your Safe Links policy: applied to all recipients, URL checking enabled for email, Teams, and Office apps, real-time URL scanning enabled, wait for scanning enabled, URL rewriting enabled (not API-only), default notification page. Document the policy name, creation date, and any exceptions in your security configuration register alongside the conditional access policies from Module AD1. Monitor the URL trace weekly. Track: total clicks, blocked clicks, and users with high click volumes. This data feeds your quarterly email protection metrics.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →