Office 365 ATP safe links overview

ATP safe links (along with ATP safe attachments) is a set of security features offered as part of Office 365 Advanced Threat Protection. ATP safe links can help protect your organization through ATP safe links policies that are set by your Office 365 global or security administrators. Office 365 global administrators, security administrators, and security analysts can view reports for Advanced Threat Protection in the Office 365 Security & Compliance Center dashboard. The information in those can help your security team take further steps to protect your organization or research security incidents.

Beginning in late October 2017, ATP safe links protection is being extended to apply to hyperlinks in email as well as hyperlinks in Office 365 ProPlus documents, such as Word, Excel, PowerPoint on Windows, iOS, and Android devices, and Visio files on Windows.

Note: The ATP safe links features are only available in Advanced Threat Protection, which is included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans. Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of the extended ATP safe links features.

In this article:

ATP safe links in email

At a high level, here's how ATP safe links protection works for hyperlinks in email (hosted in Office 365, not on-premises):

  1. People receive email messages that contain hyperlinks.

  2. All email goes through Exchange Online Protection, where IP and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied.

  3. Email arrives in people's inboxes.

  4. A user signs in to Office 365, and goes to their email inbox.

  5. The user opens an email message, and then clicks on a hyperlink in the email message.

  6. The ATP safe links feature immediately checks the link before opening the website. The link is identified as blocked, malicious, or safe.

    1. If the link is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, the website opens.

    2. If the link is to a website that is included in the organization's custom blocked URLs list, a warning page opens.

    3. If the link is to a website that has been determined to be malicious, a warning page opens.

    4. If the link goes to a downloadable file and your organization's ATP safe links policies are configured to scan such content, the downloadable file is checked.

    5. If the link is determined to be safe, the website opens.

ATP safe links in Office documents

At a high level, here's how ATP safe links protection works for hyperlinks in Office 365 ProPlus applications (current versions of Word, Excel, and PowerPoint on Windows, iOS, or Android devices, and Visio on Windows):

  1. People have installed Office 365 ProPlus on their computer, smartphone, or tablet.

  2. A user opens a Word, Excel, PowerPoint, or Visio, and is signed in to Office 365 Enterprise using their work or school account. The document contains hyperlinks.

  3. When the user clicks on a hyperlink in the document, the link is checked by the ATP safe links service.

    • If the link is to a website that is included in a custom "Do not rewrite" URLs list for a policy that applies to the user, that user is taken to the website.

    • If the link is to a website that is included in the organization's custom blocked URLs list, the user is taken to a warning page.

    • If the link is to a website that has been determined to be malicious, the user is taken to a warning page.

    • If the link goes to a downloadable file and the ATP safe links policies are configured to scan such downloads, the downloadable file is checked.

    • If the link is considered safe, the user is taken to the website.

How do we get ATP safe links protection?

The ATP safe links feature is part of Advanced Threat Protection, which is included in Office 365 Enterprise E5. Advanced Threat Protection can also be purchased as an add-on to Office 365 Enterprise E1 or Office 365 Enterprise E3. For more information about plan options, see Compare All Office 365 for Business Plans

The ATP safe links features are active when:

How do we know if ATP safe links protection is in place?

One good way to see how ATP safe links protection is working for your organization is by viewing reports for Advanced Threat Protection. Additionally, as a global or security administrator, be sure to review your ATP safe links policies. ATP safe links policies determine whether protection applies to hyperlinks in email messages only or to Office documents as well.

The following table describes some example scenarios where ATP safe links protection might or might not be in place. In all of these cases, we assume the organization has Office 365 Enterprise E5, which includes Advanced Threat Protection.

Example scenario

Does ATP safe links protection apply in this case?

Jean is a member of a group that has ATP safe links policies covering hyperlinks in email and Office documents. Jean opens a presentation that someone sent in PowerPoint 2016, and then clicks a hyperlink in the presentation.

Yes. The ATP safe links policies that are defined apply to Jean's group, Jean's email, and Word, Excel, PowerPoint, or Visio documents that Jean opens, so long as Jean is signed in and using Office 365 ProPlus on Windows, iOS, or Android devices.

In Chris's organization, no global or security administrators have defined any ATP safe links policies yet. Chris receives an email that contains a hyperlink to a malicious website. Chris is unaware the link is malicious and clicks the link.

Yes. A default policy is in place that covers hyperlinks for everyone in the organization.

In Pat's organization, no global or security administrators have defined or edited any ATP safe links policies yet. Pat opens a Word document and clicks a link in the file.

No. The default policy that applies to the entire organization does not include Word, Excel, PowerPoint, or Visio files unless and until a global or security administrator configures policies that include Office documents. See Set up ATP safe links policies in Office 365.

Lee's organization has a ATP safe links policy that has http://tailspintoys.com listed as a blocked website. Lee receives an email message that contains a link to http://tailspintoys.com/aboutus/trythispage. Lee clicks the link.

It depends on whether the entire site and all its subpages are included in the list of blocked URLs. See Set up a custom blocked URLs list using ATP safe links.

Related topics

Office 365 Advanced Threat Protection
Set up ATP safe links policies in Office 365
ATP safe attachments in Office 365
View the reports for Advanced Threat Protection

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×