Select Page

Cyren Security Blog

Safe Links in Office 365

Safe Links is a feature of Microsoft Defender for Office 365 (formerly known as Advanced Threat Protection) that helps protect from users clicking on malicious URLs. Proofpoint calls their version, URL Defense. Mimecast calls theirs, URL Protect. All these feature names describe the same thing – URL rewriting.

It’s much easier to explain Safe Links and URL rewriting with examples and diagrams. Let’s use three URLs from an imaginary email message:

1. A safe website – www.amazon.com

2. Let’s pretend this is a well-known phishing site –www.Phishing-R-Us.com

3. We’ll use this as a new, uncategorized website – www.o365-shop.com

Safe Links rewrites the above URLs a format similar to these:

1. na01.safelinks.protection.com/?url=www.amazon.com

2. na01.safelinks.protection.com/?url=www.phishing-r-us.com

3. na01.safelinks.protection.com/?url=www.o365-shop.com

Due to the magic of HTML, Microsoft ATP can rewrite URLs without changing how they’re displayed to the users. For the most part, users only know if ATP has written a URL if they click and watch the location bar in their browsers.

Figure 1 A Safe Links URL in the browser location bar

When a user clicks one of these rewritten URLs, they are first directed to the na01.safelinks.protection.com server which checks if the destination URL, defined in the portion of the URL after the equal sign, is safe or a threat. If the URL is safe, the user is redirected to the destination as though nothing ever happened – although there is often a noticeable delay. If the URL is a threat, the user is redirected to a warning page instead of the intended destination.

Graphical user interface, text, application, website Description automatically generated

Figure 2 Safe Links blocking access to a phishing page

The intent of URL rewriting is to provide something called time of click protection. It’s a belt and suspenders approach to applying static threat databases to defend against phishing. If the URL isn’t known to be a threat at the time it’s scanned (prior to delivery) then URL rewriting allows the email security server to check again when a user clicks the URL. However, there are a few problems with this approach:

  • URL rewriting cannot be applied to URLs in files attached to a message or files shared from, for example, Google Drive. Attackers know this and Cyren has observed a big increase in the number of phishing URLs contained in files.
  • Since the display name of the URL isn’t rewritten, users can simply copy that text and paste it into a browser. I do this all the time to skip the delay associated with the email security server.
  • The security is only as effective as your threat intelligence. We’ve found the best way to identify zero-day and targeted phishing URLs is to analyze them in real-time.
  • URL rewriting can break the association of URLs and app on your phone. I just ran into this when trying to reset the password for a mobile app using a reset link delivered to my inbox.
  • URL rewriting is reactive, so administrators still need to respond to threats. Really what you need is a system that not only continuously detects phishing threats as they evolve but can also automatically remediate all the affected messages.

Safe Links is a handy feature of Microsoft Defender for Office. Just don’t let it give you a false sense of security. No single feature or solution can address all email security threats. We’ve found the best approach is to leverage everything Microsoft Defender for Office 365 (read: ATP) provides and complement it with a specialized anti-phishing and automated incident response solution. This combination allows you to filter out the known threats and then continuously scan and remove targeted and zero-day phishing.

Aug 19, 2021 | Office 365, Phishing

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...