Set up a custom "do not rewrite" URLs list using Office 365 ATP safe links

With Office 365 Advanced Threat Protection, your organization can have a custom blocked URLs, such that when people click on hyperlinks in email messages or certain Office documents, they are prevented from going to those websites (URLs). Your organization can also have custom "do not rewrite" lists for specific groups in your organization. A "do not rewrite" list enables some people to visit websites that are otherwise blocked by ATP safe links in Office 365. This article describes how to specify a list of URLs that are excluded from ATP safe links scanning, and an overview of what's changing.

Note: The ATP safe links features are only available in Advanced Threat Protection, available with Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans. Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of the extended ATP safe links features.

What's new?

  • When you specify a "do not rewrite" list for an ATP safe links policy, you can include up to three wildcard asterisks (*). Wildcards (*) are assumed for entries such as contoso.com, which do not explicitly include prefixes or subdomains, like http:// or https://. This means an entry, such as contoso.com is similar to *contoso.com* for your "do not rewrite" list. (More details are included below.)

  • If you already have a list of URLs in your "do not rewrite" list, you should review that list and add wildcards as appropriate. For example, if your existing list has an entry like http://contoso.com/a and you want to include subpaths like http://contoso.com/a/b in your policy, add a wildcard to your entry so it looks like this: http://contoso.com/a*.

  • Do not include a forward slash (/) in the URLs that you specify in your "do not rewrite" list. For example, rather than enter contoso.com/ in your "do not rewrite" list, enter contoso.com.

Set up a "do not rewrite" list for specific groups

ATP safe links protection uses several lists, including your organization's blocked URLs list and the "do not rewrite" lists for exceptions. If you are a global administrator or a security administrator, you can set up your custom "do not rewrite" lists when you add or edit safe links policies that apply to specific recipients in your organization.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Safe links.

  3. In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign (+)) to create a new policy. (Alternatively, you can edit an existing policy.)

    Choose New to add a Safe Links policy for specific email recipients
  4. Specify a name and description for your policy.

  5. In the Do not rewrite the following URLs section, select the Enter a valid URL box, and then type a URL, and then choose the plus sign (+). Here are a few things to keep in mind:

    • Any URLs that you specify in the "do not rewrite" list will be excluded from ATP safe links scanning for the recipients that you specify.

    • Do not include a forward slash (/) at the end of the URL for a domain you want to allow. For example, instead of entering http://www.contoso.com/, enter http://www.contoso.com.

    • You can include up to three wildcard asterisks (*) per URL. The following table lists examples of what you can enter and what effect those entries have.

      Example Entry

      What It Does

      *contoso.com*

      Allows specific recipients to visit a domain, subdomains, and paths, such as http://www.contoso.com, https://www.contoso.com, https://maps.contoso.com, or http://www.contoso.com/a

      http://contoso.com/a

      Allows specific recipients to visit a site like http://contoso.com/a, but not subpaths like http://contoso.com/a/b

      http://contoso.com/a*

      Allows specific recipients to visit a site like http://contoso.com/a and subpaths like http://contoso.com/a/b

  6. In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK.

  7. When you are finished adding URLs, in the lower right corner of the screen, choose Save.

Note: Make sure to review your organization's custom list of blocked URLs. See Set up a custom blocked URLs list using ATP safe links.

Related topics

Office 365 Advanced Threat Protection
ATP safe links in Office 365
Set up ATP safe links policies in Office 365
Set up a custom blocked URLs list using ATP safe links

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×