September 12, 2020

Protecting user’s email with Safe Links and Safe Attachments

Safe Link Phishing email

What is Safe Links and Safe Attachments?

Safe Links and Safe Attachments is a feature of Microsoft 365 Advanced Threat Protection. When configured, it protects users at click time from malicious links or compromised attachments.

Scammers are rampant

Today more than ever, emails are sent to employees of organizations with embedded virus or they send employees to malicious web sites. Some are quite clever they will claim to be within the organization’s IT and lead a user to believe they need to take action now.

Some stats

  • 91% of cyber-attacks start with a phishing email
  • 15% of phishing attack victims fall victim a second time—attackers have sophisticated methods to easily steal credentials
  • 95% of phishing attacks that led to a breach were followed by some form of software installation
  • Users can unwittingly click on ransomware and phishing links

How do Safe Links work?

Safe Links checks at click time any URLs that are embedded in the message body of an email by validating them against a list of URLs that are known to be malicious. If URL detonation is enabled and a link that is embedded in a message or attachment points to a file on an external web server, Safe Links download the file to the sandbox environment where it is analyzed in the same manner as a suspicious email attachment. With policies, a list of known safe links for an organization can be set, so they are not scanned.

Will ATP detect malicious links within Office documents sent as an attachment?

Yes, ATP will scan these links as long as the user is using Microsoft 365 Apps for enterprise or Business Premium on their computer.

How do Safe Attachments work?

Safe Attachements analyze attachments by detonating them in a hypervisor sandbox environment where the attachment undergoes behavioral analysis to determine if it delivers a malicious payload that modifies the registry, system settings, access rights, and so on.

What licenses are needed?

To use Safe Links and Safe Attachments, one must have Microsoft 365 Advanced Threat Protection Plan 1 or 2. Plan 2 allows for more advanced features like automated investigations and attack simulators. Safe Links and Safe attachments are both included in Plan 1. Here are the Microsoft 365 subscriptions that include ATP.

  • Microsoft Business Premium
  • Office 365 E5
  • Microsoft 365 Enterprise E5
  • Microsoft 365 Education A5
  • These are the most popular, contact us to see if your subscription includes ATP.

One can also add Microsoft 365 Advanced Protection to most plans. Again users only need Plan 1 to get Safe Links and Safe Attachments. ATP currently goes for about $2.60/user CAD. With our clients we bundle this with our plans because ATP adds a lot of value and we consider it a must have.

Where in Microsoft 365 do Safe links and Safe attachments work?

Safe Attachments and Safe Links are only used with emails, However ATP can be used with SharePoint, OneDrive and Teams (currently in public preview). ATP helps detect and block files that are identified as malicious in team sites and document libraries.

User experience – Safe Attachments

There are many different ways to configure safe links and safe attachments. Depending on how it is configured the experience will vary. Below are screenshots of how it would look like to the end user if Safe Attachments were configured for Dynamic Delivery, which is currently our preferred method. This allows for the message to be delivered immediately; however, any attachment will be scanned and replaced with a placeholder until the file can be scanned and reattached.

ATP Scan in Progress

User experience – Safe Links

There are various scenarios possible with Safe Links. Below are some examples of what users would see when clicking on links from emails when Safe Links is configured in the organization.

A URL is being scanned by ATP Safe Links. You might have to wait a few moments to try the link again.

ATP is scanning the link

A URL is in a suspicious email message

The URL is in an email message that seems similar to other email messages that are considered suspicious. We recommend that you double-check the email message before proceeding to the site.

This URL is in a suspicious email message

A URL is in a message identified as a phishing attempt

The URL is in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that the user not proceed to the site.

Safe Link Phishing email

A site has been identified as malicious

The URL points to a site that has been identified as malicious.
We recommend that the use not proceed to the site.

This site has been identified as malicious


Safe Links and Safe Attachments are only part of the advanced threat protection features from Microsoft 365. They can make a great addition in protecting employees. Contact Teknertia to learn about the different methods to protect your organization for device security, identity protection, email protection and information protection. Email us at or use the contact form from our web page.


ATP Safe Links warning pages:

How ATP Safe Links works:

How ATP Safe Attachments works:

Microsoft 365, Security , , , , , , , , , , , ,
About Robby Garon

Leave a Reply

Your email address will not be published. Required fields are marked *