Safe Links and Safe Attachments – Email Protection
What are Safe Links and Safe Attachments?
Safe Links and Safe Attachments is a feature of Microsoft 365 Advanced Threat Protection. When configured, it protects users at click time from malicious links or compromised attachments.Â
Scammers are rampant
Today more than ever, emails are sent to employees of organizations with an embedded virus, or they send employees to malicious websites. Some are pretty clever; they will claim to be within the organization’s IT and lead users to believe they need to take action now.
Some stats
- 91% of cyber-attacks start with a phishing email
- 15% of phishing attack victims fall victim, a second time—attackers have sophisticated methods to steal credentials easily
- 95% of phishing attacks that led to a breach, followed by some form of software installation
- Users can unwittingly click on ransomware and phishing links.
How do Safe Links work?
Safe Links checks at click-time any URLs embedded in the message body of an email by validating them against a list of URLs that are known to be malicious. Suppose URL detonation is enabled and a link embedded in a message or attachment points to a file on an external web server. In that case, Safe Links downloaded the file to the sandbox environment and analyzed it in the same manner as a suspicious email attachment. A list of known safe links for an organization can be set with policies not to scan.
Will ATP detect malicious links within Office documents sent as an attachment?
Yes, ATP will scan these links as long as they use Microsoft 365 Apps for enterprise or Business Premium on their computer.
How do Safe Attachments work?
Safe Attachments analyze attachments by detonating them in a hypervisor sandbox environment where the attachment undergoes behavioural analysis to determine if it delivers a malicious payload that modifies the registry, system settings, access rights, and so on.
Licenses needed
To use Safe Links and Safe Attachments, one must have Microsoft 365 Advanced Threat Protection Plan 1 or 2. Plan 2 allows for more advanced features like automated investigations and attack simulators. Included in Plan 1, both Safe Links and Safe Attachments. Here are the Microsoft 365 subscriptions that include ATP.
- Microsoft Business Premium
- Office 365 E5
- Microsoft 365 Enterprise E5
- Microsoft 365 Education A5
- These are the most popular; contact us to see if your subscription includes ATP.
One can also add Microsoft 365 Advanced Protection to most plans. Again users only need Plan 1 to get Safe Links and Safe Attachments. ATP currently goes for about $2.60/user CAD. We bundle this with our plans because ATP adds a lot of value, considering it a must-have.
Where in Microsoft 365 do Safe links and Safe attachments work?
Safe Attachments and Safe Links are only used in emails. On the other hand, ATP can be used with SharePoint, OneDrive and Teams (currently in public preview). ATP helps detect and block files identified as malicious in team sites and document libraries.
User experience – Safe Attachments
There are many different ways to configure safe links and safe attachments. Depending on how you configure it, the experience will vary. Below are screenshots of how it would look like to the end-user when Safe Attachments are configured for Dynamic Delivery, which is our preference. This configuration allows the message to be delivered immediately; however, any attachment will be scanned and replaced with a placeholder until the file can be scanned and reattached.
User experience – Safe Links
There are various scenarios possible with Safe Links. Below are some examples of what users would see when clicking on links from emails when Safe Links when you configure it in the organization.
ATP is scanning the link
A URL is being scanned by ATP Safe Links. You might have to wait a few moments to try the link again.
A URL is in a suspicious email message
The URL is in an email message that seems similar to other email messages that are considered suspicious. We recommend that you double-check the email message before proceeding to the site.
ATP is scanning the link
A URL is being scanned by ATP Safe Links. You might have to wait a few moments to try the link again.
A URL is in a suspicious email message
The URL is in an email message that seems similar to other email messages that are considered suspicious. We recommend that you double-check the email message before proceeding to the site.
Conclusion
Safe Links and Safe Attachments are only part of the advanced threat protection features from Microsoft 365. They can make a great addition to protecting employees. Contact Teknertia to learn about the different methods to protect your organization for device security, identity protection, email protection and information protection. Please email us at info@teknertia.com or use the contact form from our web page.
Still not sure how Safe Links and Safe Attachments work?
With our managed IT services, we configure Safe Links and Safe Attachments for you, along with many other security configurations, to ensure your Microsoft 365 environment is safe.
References:
ATP Safe Links warning pages: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links-warning-pages?view=o365-worldwide
How ATP Safe Links works: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-links-works?view=o365-worldwide
How ATP Safe Attachments works: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-attachments-works?view=o365-worldwide
