Set up Office 365 ATP Safe Links policies

ATP Safe Links, a feature of Office 365 Advanced Threat Protection, can help protect your organization from malicious links used in phishing and other attacks. If you're an Office 365 global administrator or security administrator, you can set up ATP Safe Links policies to help ensure that when people click web addresses (URLs), your organization is protected. Your ATP Safe Links policies can be configured to scan URLs in email and URLs in Office documents.

New features are being added to ATP Safe Links:

  • Beginning in late October 2017, ATP Safe Links protection is being extended to apply to URLs in email as well as URLs in Office 365 ProPlus documents, such as Word, Excel, PowerPoint on Windows, iOS, and Android devices, and Visio files on Windows.

  • Beginning in April 2018, ATP Safe Links protection is being extended to apply to email sent between people in an organization.

Note: The ATP Safe Links features are only available in Advanced Threat Protection, which is included in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.
Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of the extended ATP Safe Links features.

What to do:

  1. Review the prerequisites

  2. Review and edit your default policy, including setting up your custom blocked URLs list for ATP Safe Links

  3. Add a policy for specific email recipients, including setting up your custom "Do not rewrite" URLs list for ATP Safe Links

  4. Learn more about your policy options, including recent changes

Review the prerequisites

Define an ATP Safe Links policy that applies to everyone

When you have Advanced Threat Protection in Office 365 Enterprise, you have a default ATP Safe Links policy that you define, and it applies to everyone in your organization. You can edit your policy in either the Security & Compliance Center or the Exchange admin center. We recommend using the Security & Compliance Center to review or edit any of your ATP policies.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy > Safe Links.

  3. In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).

  4. In the Block the following URLs section, specify one or more URLs that you want to prevent people in your organization from visiting. (See Set up a custom blocked URLs list using ATP Safe Links.)

  5. In the Settings that apply to content except email section, select (or clear) the options you want to use. (We recommend that you select all the options.)

  6. Choose Save.

Add a policy for specific email recipients

After you have defined a policy for all users, consider adding policies for specific groups of email recipients. This enables you to specify exceptions to your default policy. You can add policies using either the Security & Compliance Center (recommended) or the Exchange admin center. We recommend using the Security & Compliance Center to review or edit any of your ATP policies.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy.

  3. Choose Safe Links.

  4. In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign (+)).

  5. Specify the name, description, and settings for your policy.

    Example: To set up a policy called "no direct click through" that does not allow people in a certain group in your organization to click through to a specific website without ATP Safe Links protection, you might specify the following recommended settings:

    • In the Name box, type no direct click through.

    • In the Description box, type a description like, Prevents people in certain groups from clicking through to a website without ATP Safe Links verification.

    • In the Select the action section, choose On.

    • Select Use Safe Attachments to scan downloadable content.

    • If this option is available, select Apply Safe Links to messages sent within the organization.

    • Select Do not allow user to click through to original URL.

    • (This is optional) In the Do not rewrite the following URLs section, specify one or more URLs that are considered to be safe for your organization. (See Set up a custom "Do not rewrite" URLs list using ATP Safe Links)

    • In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK.

  6. Choose Save.
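
The "no direct click through" example above can also be created and checked from Exchange Online PowerShell. This is an added example, not part of the original article or Microsoft's own script: it assumes a current ExchangeOnlineManagement module, the admin account, group address and "do not rewrite" entry are placeholders, and the mapping from the option labels on this page to cmdlet parameters is an assumption noted in the comments.

```powershell
# Added example. Placeholders: admin UPN, group address, do-not-rewrite entry.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = 'no direct click through'
$group      = 'finance-team@contoso.example'   # hypothetical mail-enabled group

# The policy object carries the settings from step 5.
# Label-to-parameter mapping is assumed, not taken from the page.
$settings = @{
    Name                     = $policyName
    AdminDisplayName         = 'Prevents people in certain groups from clicking through to a website without ATP Safe Links verification.'
    EnableSafeLinksForEmail  = $true    # Select the action: On
    ScanUrls                 = $true    # Use Safe Attachments to scan downloadable content
    EnableForInternalSenders = $true    # Apply Safe Links to messages sent within the organization
    AllowClickThrough        = $false   # Do not allow user to click through to original URL
    DoNotRewriteUrls         = @('intranet.contoso.example')   # optional; placeholder entry
}

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-SafeLinksPolicy | Where-Object Name -eq $policyName)) {
    New-SafeLinksPolicy @settings | Out-Null
}

# The rule carries the "Applied To" condition (The recipient is a member of).
if (-not (Get-SafeLinksRule | Where-Object Name -eq $policyName)) {
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName `
        -SentToMemberOf $group | Out-Null
}

# Read the policy back and warn on any setting that differs from what was intended.
$expected = @{
    EnableSafeLinksForEmail  = $true
    ScanUrls                 = $true
    EnableForInternalSenders = $true
    AllowClickThrough        = $false
}
$actual = Get-SafeLinksPolicy | Where-Object Name -eq $policyName
foreach ($key in $expected.Keys) {
    if ($actual.$key -ne $expected[$key]) {
        Write-Warning "$policyName : $key is '$($actual.$key)', expected '$($expected[$key])'"
    }
}

# Confirm the rule is enabled and scoped to the intended group.
Get-SafeLinksRule | Where-Object Name -eq $policyName |
    Format-List Name, SafeLinksPolicy, SentToMemberOf, State, Priority
```

Re-running the read-back portion on a schedule gives a simple drift check for policies that should never allow click-through.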

Learn about ATP Safe Links policy options

As you set up or edit an ATP Safe Links policy, you will see several options available. The following table describes each option and its effect. Note that there are two main kinds of policies to define or edit: a default policy that applies to everyone, and additional policies that are defined for specific recipients.

| For this policy | This option | Does this |
|---|---|---|
| Default (once defined, the default policy applies to everyone in the organization) | Block the following URLs | Enables your organization to have a custom list of URLs that are automatically blocked. When users click a URL in this list, they'll be taken to a warning page that explains why the URL is blocked. See Set up a custom blocked URLs list using ATP Safe Links for more details, such as newly added support for up to three wildcard asterisks (*). |
| Default | Office 365 ProPlus, Office for iOS and Android | When this option is selected, ATP Safe Links protection is applied to URLs in documents that are open in Word 2016, Excel 2016, PowerPoint 2016 on Windows, iOS, or Android devices, or Visio 2016 on Windows, with the user signed into Office 365. Tip: If you see Office 2016 on Windows, then the feature update has not reached your Office 365 environment yet (and it's coming soon). Until then, ATP Safe Links protection applies to Word 2016, Excel 2016, PowerPoint 2016 or Visio 2016 running on Windows. |
| Default | Don't track when users click ATP Safe Links | When this option is selected, click data for URLs in Word, Excel, PowerPoint, and Visio documents is not stored. |
| Default | Don't let users click through ATP Safe Links to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
| A policy created for specific email recipients | Off | Does not scan URLs in email messages. Enables you to define an exception rule, such as a rule that does not scan URLs in email messages for a specific group of recipients. |
| A policy created for specific email recipients | On | Rewrites URLs to route users through ATP Safe Links protection when the users click URLs in email messages. Checks a URL when clicked against a list of blocked or malicious URLs. |
| A policy created for specific email recipients | Use Safe Attachments to scan downloadable content | When this option is selected, URLs that point to downloadable content are scanned. |
| A policy created for specific email recipients | Apply Safe Links to messages sent within the organization | This feature is rolling out beginning in March 2018. When this option is available and selected, ATP Safe Links protection is applied to email messages sent between people in your organization, provided the email accounts are hosted in Office 365. |
| A policy created for specific email recipients | Do not track user clicks | When this option is selected, click data for URLs in email from external senders is not stored. URL click tracking for links within email messages sent within the organization is currently not supported. |
| A policy created for specific email recipients | Do not allow users to click through to original URL | When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious. |
| A policy created for specific email recipients | Do not rewrite the following URLs | Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization. See Set up a custom "Do not rewrite" URLs list using ATP Safe Links for more details, including recent changes to support for wildcard asterisks (*). |

Related topics

Office 365 Advanced Threat Protection
ATP Safe Links in Office 365
ATP Safe Attachments in Office 365
Set up a custom blocked URLs list using ATP Safe Links
Set up a custom "Do not rewrite" URLs list using ATP Safe Links
View the reports for Advanced Threat Protection
