Set up Office 365 ATP safe links policies

ATP safe links, a feature of Office 365 Advanced Threat Protection, can help protect your organization from malicious links used in phishing and other attacks. If you're an Office 365 Enterprise global or security administrator, you can set up ATP safe links policies to help ensure that when people click hyperlinks, your organization is protected. You can set ATP safe links policies for hyperlinks email and for hyperlinks in Office documents.

Beginning in late October 2017, ATP safe links protection is being extended to apply to hyperlinks in email as well as hyperlinks in Office 365 ProPlus documents, such as Word, Excel, PowerPoint on Windows, iOS, and Android devices, and Visio files on Windows.

Note: The ATP safe links features are only available in Advanced Threat Protection, available with Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans. Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of the extended ATP safe links features.

What to do:

  1. Review the prerequisites

  2. Review and edit your default policy, including setting up your custom blocked URLs list for ATP safe links

  3. Add a policy for specific email recipients, including setting up your custom "Do not rewrite" URLs list for ATP safe links

  4. Learn more about your policy options, including recent changes

Review the prerequisites

Review and edit your default policy in the Security & Compliance Center

By default, when you have Advanced Threat Protection in Office 365 Enterprise, you will have an ATP safe links policy already defined that applies to everyone in your organization. You cannot delete the default policy, but you can edit it in either the Security & Compliance Center or the Exchange admin center. We recommend using the Security & Compliance Center to review or edit your policies.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy > Safe links.

  3. In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).

    Click Edit to edit your default policy for Safe Links protection
  4. In the Block the following URLs section, specify one or more website addresses (URLs) that you want to prevent people in your organization from visiting. (See Set up a custom blocked URLs list using ATP safe links.)

  5. In the Settings that apply to content except email section, select (or clear) the options you want to use. (We recommend that you select all the options.)

  6. Choose Save.

Add a policy for specific email recipients using the Security & Compliance Center

After you have reviewed and edited your default policy, consider adding policies for specific email recipients. You can do this in either the Security & Compliance Center (recommended) or the Exchange admin center. We recommend using the Security & Compliance Center to review or edit your policies.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy.

  3. Choose Safe links.

  4. In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign (+)).

    Choose New to add a Safe Links policy for specific email recipients
  5. Specify the name, description, and settings for your policy.

    Example: To set up a policy called "no direct click through" that does not allow people in a certain group in your organization to click through to a specific website without ATP safe links protection, you might specify the following settings:

    • In the Name box, type no direct click through.

    • In the Description box, type a description like, Prevents people in certain groups from clicking through to a website without ATP safe links verification.

    • In the Select the action section, choose On. Also select Do not allow user to click through to original URL and Use Safe Attachments to scan downloadable content.

    • (This is optional) In the Do not rewrite the following URLs section, specify one or more website addresses (URLs) that are considered to be safe for your organization. (See Set up a custom "Do not rewrite" URLs list using ATP safe links)

    • In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK.

  6. Choose Save.

Learn about ATP safe links policy options

As you set up or edit your ATP safe links policies, you can choose from several options, as described in the following table:

For this policy

This option

Does this

Default (the default policy that applies to everyone in the organization)

Block the following URLs

Enables your organization to have a custom list of website addresses that are automatically blocked. When users click a hyperlink pointing to any website in this list, they'll be taken to a warning page that explains why the website is blocked.

See Set up a custom blocked URLs list using ATP safe links for more details, such as newly added support for up to three wildcard asterisks (*).

Default

Office 365 ProPlus, Office for iOS and Android

When this option is selected, ATP safe links protection is applied to hyperlinks in documents that are open in Word 2016, Excel 2016, PowerPoint 2016 on Windows, iOS, or Android devices, or Visio 2016 on Windows, with the user signed into Office 365.

Note: If you see Office 2016 on Windows, then the feature update has not reached your Office 365 environment yet (and it's coming soon). Until then, ATP safe links protection applies to Word 2016, Excel 2016, PowerPoint 2016 or Visio 2016 running on Windows.

Default

Don't track when users click ATP safe links

When this option is selected, click data for hyperlinks in Word, Excel, PowerPoint, and Visio documents is not stored.

Default

Don't let users click through ATP safe links to original URL

When this option is selected, users cannot proceed past a warning page to a website that is determined to be malicious.

Any additional policy created for specific email recipients

Off

Does not scan links in email messages.

Enables you to define an exception rule, such as a rule that does not scan links in email messages for a specific group of recipients.

Any additional policy created for specific email recipients

On

Rewrites URLs to route users through ATP safe links protection when the users click links in email messages.

Checks a website address when clicked against a list of blocked or malicious URLs.

Any additional policy created for specific email recipients

Use Safe Attachments to scan downloadable content

When this option is selected, hyperlinks that point to downloadable content are scanned.

Any additional policy created for specific email recipients

Do not track user clicks

When this option is selected, click data for hyperlinks in email is not stored.

Any additional policy created for specific email recipients

Do not allow users to click through to original URL

When this option is selected, users cannot proceed past a warning page to a website that is determined to be malicious.

Any additional policy created for specific email recipients

Do not rewrite the following URLs

Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization.

See Set up a custom "Do not rewrite" URLs list using ATP safe links for more details, including recent changes to support for wildcard asterisks (*).

Related topics

Office 365 Advanced Threat Protection
ATP safe links in Office 365
ATP safe attachments in Office 365
Set up a custom blocked URLs list using ATP safe links
Set up a custom "Do not rewrite" URLs list using ATP safe links
View the reports for Advanced Threat Protection

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×