Safe Links

What is Safe Links?

Safe Links is part of Microsoft Defender for Office 365 (formerly known as Office 365 Advanced Threat Protection - ATP). This feature rewrites every URL found in an incoming email in order to redirect users through a Microsoft proxy server which checks at the time of click if the URL is safe to view.
When a URL in an email or Microsoft Office Online document is clicked, Safe Links performs a scan to determine if the hyperlink is malicious. Safe Links also scans any documents available on that link at the time of click to prevent malicious file downloads to your system.  
If the link is determined to be safe to view, you will proceed as expected; if the link is determined to contain malicious content, you are redirected to a warning page instead. 
Only incoming links are rewritten. When a user writes an email to an external party, the URLs in that message are not rewritten.

What does Safe Links look like? 

The hyperlink in the email that you receive will be rewritten and may appear differently than they are originally displayed.

Here is an example when you put your mouse over a Book_Now>> hyperlink and you will notice the URL starts with the Microsoft Defender proxy server like


Another example of a URL rewritten with Safe Links:
The highlighted sections include:  - the Microsoft Defender proxy server – the destination web address, address ends just before &data= – the email address of the recipient (your email address will only appear in emails within your own inbox)
When you click on one of these links and the webpage is deemed malicious, you will also see a warning message that prompts you to navigate away from the site.

What do I do if I see a phishing email in my inbox?

When you see a suspicious email, you can use the Report Message function and mark is as Junk or Phishing in Outlook and Exchange Online.

What do I do if I am blocked from accessing a legitimate website?

Please send email to to report any false positives, a white list is available to help manage URLs that should not be scanned.