What is Safe Links and Safe Attachments?
Safe Links and Safe Attachments is a feature of Microsoft 365 Advanced Threat Protection. When configured, it protects users at click time from malicious links or compromised attachments.
Scammers are rampant
Today more than ever, emails are sent to employees of organizations with embedded virus or they send employees to malicious web sites. Some are quite clever they will claim to be within the organization’s IT and lead a user to believe they need to take action now.
- 91% of cyber-attacks start with a phishing email
- 15% of phishing attack victims fall victim a second time—attackers have sophisticated methods to easily steal credentials
- 95% of phishing attacks that led to a breach were followed by some form of software installation
- Users can unwittingly click on ransomware and phishing links
How do Safe Links work?
Safe Links checks at click time any URLs that are embedded in the message body of an email by validating them against a list of URLs that are known to be malicious. If URL detonation is enabled and a link that is embedded in a message or attachment points to a file on an external web server, Safe Links download the file to the sandbox environment where it is analyzed in the same manner as a suspicious email attachment. With policies, a list of known safe links for an organization can be set, so they are not scanned.
Will ATP detect malicious links within Office documents sent as an attachment?
Yes, ATP will scan these links as long as the user is using Microsoft 365 Apps for enterprise or Business Premium on their computer.
How do Safe Attachments work?
Safe Attachements analyze attachments by detonating them in a hypervisor sandbox environment where the attachment undergoes behavioral analysis to determine if it delivers a malicious payload that modifies the registry, system settings, access rights, and so on.
What licenses are needed?
To use Safe Links and Safe Attachments, one must have Microsoft 365 Advanced Threat Protection Plan 1 or 2. Plan 2 allows for more advanced features like automated investigations and attack simulators. Safe Links and Safe attachments are both included in Plan 1. Here are the Microsoft 365 subscriptions that include ATP.
- Microsoft Business Premium
- Office 365 E5
- Microsoft 365 Enterprise E5
- Microsoft 365 Education A5
- These are the most popular, contact us to see if your subscription includes ATP.
One can also add Microsoft 365 Advanced Protection to most plans. Again users only need Plan 1 to get Safe Links and Safe Attachments. ATP currently goes for about $2.60/user CAD. With our clients we bundle this with our plans because ATP adds a lot of value and we consider it a must have.
Where in Microsoft 365 do Safe links and Safe attachments work?
Safe Attachments and Safe Links are only used with emails, However ATP can be used with SharePoint, OneDrive and Teams (currently in public preview). ATP helps detect and block files that are identified as malicious in team sites and document libraries.
User experience – Safe Attachments
There are many different ways to configure safe links and safe attachments. Depending on how it is configured the experience will vary. Below are screenshots of how it would look like to the end user if Safe Attachments were configured for Dynamic Delivery, which is currently our preferred method. This allows for the message to be delivered immediately; however, any attachment will be scanned and replaced with a placeholder until the file can be scanned and reattached.
User experience – Safe Links
There are various scenarios possible with Safe Links. Below are some examples of what users would see when clicking on links from emails when Safe Links is configured in the organization.
ATP is scanning the link
A URL is being scanned by ATP Safe Links. You might have to wait a few moments to try the link again.
A URL is in a suspicious email message
The URL is in an email message that seems similar to other email messages that are considered suspicious. We recommend that you double-check the email message before proceeding to the site.
A URL is in a message identified as a phishing attempt
The URL is in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that the user not proceed to the site.
A site has been identified as malicious
The URL points to a site that has been identified as malicious.
We recommend that the use not proceed to the site.
Safe Links and Safe Attachments are only part of the advanced threat protection features from Microsoft 365. They can make a great addition in protecting employees. Contact Teknertia to learn about the different methods to protect your organization for device security, identity protection, email protection and information protection. Email us at firstname.lastname@example.org or use the contact form from our web page.
How ATP Safe Attachments works: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-attachments-works?view=o365-worldwide