Microsoft has announced that its Safe Links feature (which is a part of Microsoft 365 Defender) is being added to Teams. As the feature’s name implies, Microsoft Safe Links is designed to protect users who accidentally click on malicious links. As remote work and ransomware attacks increase in tandem, Microsoft’s expansion of the Safe Links feature to the popular Teams platform is welcome.
Safe Links scans URLs within various Microsoft 365 applications to determine if they are safe.
Anti-malware and anti-phishing tools also scan for malicious links, but Microsoft Safe Links takes things one step further by protecting against attackers who modify links to trick phishing and malware filters.
Here is how this type of attack works.
An attacker who wants to trick users into clicking on a URL knows chances are good that malware filtering mechanisms will be in place to detect such malicious links. The attacker will therefore set up a secondary URL and embed that URL in the message. This secondary URL points to a site that redirects to another site that is known to be legitimate. Because the message contains an indirect link to a legitimate site, the message will likely make it through the organization’s filtering mechanisms. Once the attacker is confident that enough time has passed that the message has been delivered to the users’ inboxes, the attacker will modify the site that the URL within the email message links to. This modification will make the site redirect to a malicious site rather than to the legitimate site it had previously redirected to.
Safe Links defends against this type of attack by performing time-of-click verification.
Microsoft Safe Links Availability
Safe Links is included in Microsoft Defender for Office 365 plans 1 and 2. As such, Safe Links is included with Microsoft 365 E5, A5, E5 Security, and Business Premium. If you have a lesser plan, you can upgrade or purchase Microsoft Defender as an add-on for your existing plan.
How to Enable Microsoft Safe Links
The first step in enabling Safe Links is to create a Safe Links policy. To do so, open the Microsoft 365 Defender console and go to the Policies and Rules page. Next, click on the Threat Policies link and then on Safe Links.
When Safe Links opens, you will need to create a policy. Click on the Create icon and you will be taken to a screen that prompts you to provide a name and description for the policy you are creating. From there, you must tell Microsoft 365 Defender which users and domains the new policy will apply to.
At this point, you will be taken to a screen that allows you to configure the protection settings that will be associated with your policy. The first setting on this screen controls what happens with unknown, potentially malicious URLs. Typically, you will want to set this setting to On, which will cause URLs to be rewritten and checked against a list of links that are known to be malicious.
The next setting controls what will happen to unknown or potentially malicious URLs within Microsoft Teams. Again, this setting should be set to On. This will cause Teams to compare the URL against a list of URLs that are known to be malicious. As it stands right now, these URLs will not be rewritten, but that will almost certainly change in the future.
The third option is to apply real-time URL scanning for suspicious links and to links that point to files. This setting should be enabled, as should a sub-setting that requires the URL scanning process to be completed before allowing a message to be delivered.
Optional Settings in Microsoft Safe Links
The next four settings are completely optional. They include:
- Apply safe links to email messages sent within the organization
- Do not track user clicks
- Do not let users click through to the original URL
- Display the organization branding on notifications and warning pages
These particular settings should be enabled or disabled based on the needs of your organization.
Microsoft Safe Links White Lists
The last setting that you will find on the Protection Settings page is the “Do not rewrite the following URLs” setting. This is essentially a white list for known good URLs that might be mistaken for suspicious or malicious URLs. You can add any URL you want to the white list, but populating the white list is not a requirement.
When you finish configuring the protection settings, you need to choose whether you want Defender to generate notifications. After that, apply the policy. It is worth noting, however, that there is one additional step that is required for other Office applications to be protected against malicious links. From the Safe Links screen, you will need to click on Global Settings and then enable the option to use Microsoft Safe Links in Office 365 apps.