Let’s Talk About Office 365 Advanced Threat Protection: Part Two


Last time, we reviewed Office 365 Advanced Threat Protection (ATP), an enhancement to Exchange Online Protection focused on protecting end-users from two categories of email delivered threats: zero day compromised attachments and malicious URLs.

Specifically, we discussed ATP’s safe attachments policies, reporting capabilities and the labor-intensive workflow required to confirm that what ATP is telling you is, in fact accurate (i.e., that the attachment is actually malware).

This time, we’ll review ATP’s safe links, which analyzes URLs before you click through, and the PowerShell cmdlets associated with Advanced Threat Protection.

To configure ATP’s safe links, you can go to the Office 365 ECP:


From the menu on the left-hand side of the Exchange admin center interface, choose “advanced threats” –








From the ATP sub-menu, choose “safelinks



In our example, we’re using the default Safe Links Policy; to edit its properties, click the pencil icon (a common design theme in the Office 365 admin interface):





The first setting option is “general” –





Note that both the Name and Description fields are labels and can be changed.

The real action starts with “settings” –






Let’s walk through the options you see above.

Configuration Options

  • On or Off are self-explanatory
  • When the setting is On, potentially malicious URLs are rewritten to https://na01/safelinks.protection.outlook.com/?=url to analyze here).
  • If “Do not track user clicks” is selected, ATP will not record user click-through attempts (which means no reporting data on this action)
  • If “Do not allow users to click through to original URL” is selected, end-users will not be able to reach the original URL via the link embedded within their email

Above I mentioned that if the “Do not track user clicks” option is selected, ATP won’t gather reporting data.  But what if it is selected?


To access safe links reporting, choose the “mail flow” option from the Exchange Admin Center interface:


This works the same as other Office 365 mail flow reporting widgets. As you can see, you can choose the date and time range for your output.  You can also choose to search for an individual’s results by using the ‘recipient’ option (not shown but on the page if you look towards the bottom). It’s also possible to search for a specific URL.


To demonstrate a search, let’s click ‘search” (not shown in the screenshot but at the bottom of the interface, as usual) and gather a broad report:


The recipient addresses have been obscured for obvious reasons.

By clicking on one of the line items, it’s possible to view greater detail:


This gives you the ability to analyze safe links’ actions more closely for a particular user.

I know that I mentioned PowerShell cmdlets at the top; we’ll tackle that in the next post.