This chapter covers Microsoft Defender for Office 365 Safe Links and Safe Attachments policies — two critical protections against phishing and malware delivered via email. For the MS-102 exam, this topic appears in approximately 10–15% of questions across the Security Threats domain (Objective 3.2). You must understand how these features work at the protocol level, the exact configuration options and default values, and the differences between Standard and Strict policy presets. The exam will test your ability to choose the right policy settings for a given threat scenario and to troubleshoot delivery failures caused by these protections.
Imagine a large corporate mailroom that handles thousands of letters and packages daily. The mailroom has two key security checks. First, every letter (email) that arrives is scanned for suspicious links. Instead of delivering the letter with the original link, the mailroom rewrites the link to point to their own scanning proxy. When an employee clicks that rewritten link, the proxy checks the destination in real time before allowing the employee through. If the destination is malicious, the employee sees a warning block page. This is Safe Links — it doesn't block the email, but it protects the click. Second, every package (email attachment) goes through an explosive detection scanner. The scanner opens each package in a safe, isolated detonation chamber — a virtual sandbox — and observes its behaviour. If the attachment tries to write to the registry, call home, or drop a payload, the scanner flags it as malicious and the package is never delivered to the employee's desk. This is Safe Attachments. The mailroom also has a policy manager that decides which types of packages get scanned and which employees get the rewritten links. Some high-risk employees (like finance) get stricter policies. The mailroom logs every scan result, and if a package is later found dangerous, it can retroactively delete it from all desks. Together, these two systems form Microsoft Defender for Office 365's protection against weaponised links and attachments.
What Are Safe Links and Safe Attachments?
Safe Links and Safe Attachments are two features of Microsoft Defender for Office 365 (MDO, Plan 1 and Plan 2) that protect users from malicious URLs and file attachments in email messages and in other Microsoft 365 channels (Teams, SharePoint, OneDrive). They sit above the anti-phishing and anti-malware layers of Exchange Online Protection and are configured through policies in the Microsoft Defender portal (https://security.microsoft.com) or through Exchange Online PowerShell.
Safe Links rewrites URLs in incoming email messages so that when a user clicks a link, the click is first checked against a real-time threat intelligence feed. If the URL is malicious, the user is blocked and shown a warning page. Safe Links also protects links in Office documents (e.g., Word, Excel, PowerPoint) and in Teams conversations.
Safe Attachments uses a virtual sandbox environment (detonation) to open and analyse email attachments before delivery. If the attachment exhibits malicious behaviour, the message is quarantined or the attachment is stripped. Safe Attachments can also be used for SharePoint, OneDrive, and Teams files (known as Safe Attachments for SharePoint, OneDrive, and Microsoft Teams).
How Safe Links Works — Step by Step
Email Arrival: An email arrives at Exchange Online Protection (EOP). The message is scanned by anti-malware, anti-spam, and anti-phishing filters.
URL Rewriting: If a Safe Links policy applies to the recipient, all URLs in the email body are rewritten. The original URL https://evil.com becomes something like https://nam01.safelinks.protection.outlook.com/?url=https://evil.com&data=.... This rewritten URL points to Microsoft's Safe Links service.
URL Verification at Time of Click: When the user clicks the rewritten link, their browser sends a request to safelinks.protection.outlook.com. The service performs a real-time check:
- It queries Microsoft's threat intelligence (reputation data from Bing, SmartScreen and the Microsoft Intelligent Security Graph).
- If the URL is known malicious, the user is sent to a block (warning) page.
- If the URL is known safe, the user is forwarded to the original URL.
- If the URL has no reputation and the policy has real-time URL scanning enabled, the link (or the file it points to) is detonated; the user sees a "scan in progress" page until a verdict is returned. With real-time scanning off, an unknown URL is simply forwarded.
- Tenant Allow/Block List URL entries override reputation: a block entry always blocks, an allow entry always lets the click through.
Tracking and Reporting: Each click is logged. Administrators can view click events in the Defender portal (Threat Explorer in Plan 2, Real-time detections in Plan 1) and in the URL protection report. Users can report a wrongly blocked link from the warning page, and a suspicious message via the Report button, which feeds the Submissions page.
Key Defaults and Timers:
Safe Links URL rewriting is on for every recipient in an organisation with Defender for Office 365 Plan 1 or Plan 2 through the Built-in protection preset security policy; there is no separate, editable "default" Safe Links policy in the portal.
Custom policies, and the Standard and Strict presets, override Built-in protection for the users, groups, or domains their rule names. A Safe Links policy only takes effect once a rule binds it to recipients.
Blocking specific URLs: add URL block entries to the Tenant Allow/Block List (Email & collaboration > Policies & rules > Threat policies > Tenant Allow/Block List). The older "Block the following URLs" list in Safe Links global settings has been retired.
Do not rewrite URLs list: URLs (wildcards allowed) that the policy neither rewrites nor checks, e.g. trusted internal links. Keep it short; every entry is an unprotected click.
Track user clicks: Default enabled. Logs every click.
Let users click through to original URL: Off in Built-in protection and in the recommended Standard/Strict settings. When on, a user who lands on the block page can choose to continue to the original destination; the click is still logged, but protection is gone for that click, so keep it off except in narrowly scoped policies.
Safe Links scanning for email: Default enabled.
Safe Links scanning for Office apps: Default enabled for supported apps (Word, Excel, PowerPoint and Visio on Windows and Mac, Office for the web, and the Office mobile apps). Links inside documents are checked when clicked, not rewritten.
Safe Links scanning for Teams: Default enabled for Teams links in conversations.
How Safe Attachments Works — Step by Step
Email Arrival: An email with an attachment arrives at EOP. The message passes initial anti-malware scanning (which uses signature-based detection).
Policy Check: If a Safe Attachments policy applies to the recipient, the attachment is routed to the detonation chamber.
Detonation: The attachment is opened in a virtualised sandbox environment that mimics a Windows desktop with Office applications. The sandbox observes:
- File system changes
- Registry modifications
- Network connections (outbound calls)
- Process creation
- Any other suspicious behaviour
Verdict: After a short period (typically seconds to a few minutes) the sandbox returns a verdict:
- Detected (malicious): the policy action is applied (quarantine the message, replace the attachment with a warning text file, or, with Monitor, deliver and only record the detection).
- Clean: the message is delivered normally.
- Scan could not complete (timeout or error): there is no "unknown" verdict to act on. The policy's "Apply the Safe Attachments detection response if scanning can't complete" setting decides whether the file is treated as detected or the message is delivered as is.
Delivery: Based on the policy action, the email is delivered, quarantined, or delivered with the attachment replaced by a warning file.
Key Defaults and Timers:
Safe Attachments has no default policy you can edit, but it is not off: in current tenants the Built-in protection preset security policy applies Safe Attachments (action Block) to every recipient not covered by a custom policy or by the Standard/Strict presets. Older guidance that "Safe Attachments must be enabled by creating a policy" predates Built-in protection; you still need a custom policy, bound to a rule, to change the action, redirect, or quarantine policy for specific recipients.
Action: Off, Monitor (Allow in PowerShell), Block, Replace, or Dynamic Delivery. Block is the setting in Built-in protection and in the Standard and Strict presets. There is no separate action for "unknown" files: an attachment is either detected or it is not.
Redirect messages with detected attachments: optionally forward detected messages to a specified mailbox (Redirect / RedirectAddress) so the security team can examine them.
Apply the Safe Attachments detection response if scanning can't complete (timeout or error): when on (ActionOnError $true), a file whose scan errors or times out is handled as if it were detected; when off, it is delivered unscanned. There is no admin-configurable sandbox timeout; scanning usually finishes within a few minutes.
Quarantine policy: selects which quarantine policy (who may view and release, whether users are notified) applies to messages Safe Attachments quarantines.
File types scanned: All common executable and document types (e.g., .exe, .docx, .pdf, .zip containing executables).
Dynamic Delivery: delivers the email body immediately while the attachment is still being scanned. The attachment is replaced with a placeholder; once the scan completes, the real attachment is attached (or the placeholder stays if the file was detected). It requires an Exchange Online mailbox and is the option to pick when delivery delay is a problem; Microsoft's Standard and Strict recommendations use Block.
Configuration and Verification Commands
Policies are configured via the Microsoft 365 Defender portal at https://security.microsoft.com. Under Email & Collaboration > Policies & Rules > Threat Policies, you find Safe Links and Safe Attachments.
You can also use Exchange Online PowerShell (the ExchangeOnlineManagement module, after Connect-ExchangeOnline). A policy holds the settings; a matching rule (New-SafeLinksRule / New-SafeAttachmentRule) binds it to recipients and sets its priority, so a policy without a rule protects nobody. Example commands (the Timeout and IsEnabled parameters seen in older material do not exist on these cmdlets):
# Get Safe Links policies
Get-SafeLinksPolicy | Format-List Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice, TrackClicks, AllowClickThrough, ScanUrls, DeliverMessageAfterScan, DoNotRewriteUrls
# Create a new Safe Links policy and bind it to the finance group at the highest custom priority
New-SafeLinksPolicy -Name "Finance Strict" -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false -ScanUrls $true -DeliverMessageAfterScan $true
New-SafeLinksRule -Name "Finance Strict" -SafeLinksPolicy "Finance Strict" -SentToMemberOf "finance@contoso.com" -Priority 0
# Get Safe Attachments policies
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action, ActionOnError, Redirect, RedirectAddress, QuarantineTag
# Create a new Safe Attachments policy and bind it to the executives group
New-SafeAttachmentPolicy -Name "Executives" -Enable $true -Action Block -ActionOnError $true -Redirect $true -RedirectAddress "secops@contoso.com"
New-SafeAttachmentRule -Name "Executives" -SafeAttachmentPolicy "Executives" -SentToMemberOf "executives@contoso.com" -Priority 0
Verification:
Use the Threat Explorer in Defender to see detonation results.
Use Message Trace (Get-MessageTrace and Get-MessageTraceDetail) to see whether a message was delayed for scanning, quarantined, or delivered with its attachment replaced.
Use the URL protection report and the URL click events in Threat Explorer (Plan 2) or Real-time detections (Plan 1) to view click-time verdicts.
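As an added illustration (not code from the original page), the following Exchange Online PowerShell script pulls the three verification sources above together for one recipient: the message trace, the per-message trace detail, and the malware quarantine. It assumes an existing Connect-ExchangeOnline session; the recipient address and the two-day window are placeholders. Newer module versions also offer Get-MessageTraceV2 as the replacement for Get-MessageTrace.

```powershell
# Added example (not from the original page): trace what Safe Attachments / Safe Links did to one
# recipient's recent mail. Requires the ExchangeOnlineManagement module and an admin session:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# The recipient address and the 2-day window are assumptions; adjust to the case you are working.
param(
    [string]$Recipient = 'alice@contoso.com',   # assumed recipient under investigation
    [int]$Days = 2
)

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# 1. Message trace: one row per message with its terminal status (Delivered, Quarantined, Pending ...).
#    A message stuck in Pending with an attachment is usually still in Safe Attachments detonation.
$traces = Get-MessageTrace -RecipientAddress $Recipient -StartDate $start -EndDate $end |
    Sort-Object Received -Descending

foreach ($t in $traces) {
    # 2. Per-message detail events. Safe Attachments shows up as a hold/delay before delivery and
    #    detections as malware/quarantine events; Safe Links rewriting itself leaves no trace event,
    #    so confirm rewriting by hovering a link in the delivered message instead.
    $events = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId -RecipientAddress $Recipient |
        Sort-Object Date

    [pscustomobject]@{
        Received = $t.Received
        Sender   = $t.SenderAddress
        Subject  = $t.Subject
        Status   = $t.Status
        Events   = ($events | ForEach-Object { "$($_.Event): $($_.Detail)" }) -join ' | '
    }
}

# 3. Anything quarantined as malware for this recipient in the same window (Safe Attachments
#    detections land here with the policy's quarantine tag applied).
Get-QuarantineMessage -RecipientAddress $Recipient -Type Malware -StartReceivedDate $start -EndReceivedDate $end |
    Select-Object ReceivedTime, SenderAddress, Subject, QuarantineTypes, PolicyName, Released
```

Run it as a .ps1 (for example `.\Trace-SafeAttachments.ps1 -Recipient bob@contoso.com -Days 7`); the first block returns one object per message, so pipe it to Format-Table or Export-Csv when triaging a helpdesk ticket about "missing" mail.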
Interaction with Related Technologies
Exchange Online Protection (EOP): EOP provides baseline anti-malware and anti-spam. Safe Links and Safe Attachments are add-on features of Defender for Office 365. If you have only EOP, Safe Links and Safe Attachments are not available.
Anti-Malware Policy: signature-based anti-malware scanning (and the common attachments filter, which blocks file types such as .exe outright) runs first. Safe Attachments detonates only the attachments that got past it.
Anti-Phishing Policy: Anti-phishing policies can work alongside Safe Links. Safe Links protects against malicious URLs even if anti-phishing didn't detect the email as phishing.
Quarantine: Both features can send messages to quarantine. Quarantine policies control how long messages are held and who can release them.
Automated Investigation and Response (AIR): In Defender for Office 365 Plan 2, AIR can automatically remediate threats identified by Safe Links and Safe Attachments, such as moving messages to quarantine or deleting them from mailboxes.
ZAP (Zero-Hour Auto Purge): ZAP can retroactively move messages that were delivered but later found malicious. Safe Attachments can trigger ZAP if a file is later determined malicious after initial delivery.
Policy Priority and Processing Order
When multiple policies could apply to a recipient, exactly one wins. The evaluation order is:
1. Strict preset security policy
2. Standard preset security policy
3. Custom policies, in priority order (0 is the highest; the number shown in the portal and set on the rule)
4. Built-in protection preset (everything not matched above)
Priority numbers are compared only among custom policies; the Standard and Strict presets always outrank them.
If a user is a member of multiple groups that have different policies, the policy with the highest priority (lowest number) wins. There is no merging of policies — the highest priority policy is applied exclusively.
Safe Links in Teams, SharePoint, and OneDrive
Safe Links for Microsoft Teams: URLs in Teams chats and channel messages are not rewritten. They are checked when the user clicks them, and a malicious destination shows the same block page as in email. The message itself is delivered.
Safe Links for Office 365 Apps: URLs in Office documents are checked at the time of click. The user sees a warning if the URL is malicious.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: files are scanned by the same detonation process. A detected file is locked (users cannot open, copy, move, or share it) and shows a warning; it is not deleted. This is a global setting, not a per-recipient policy (Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true), and download of detected files is only blocked if you also set Set-SPOTenant -DisallowInfectedFileDownload $true. Verify both rather than assuming they are on.
Email arrives at Exchange Online Protection
An inbound email passes through the Exchange Online Protection (EOP) transport pipeline. EOP performs initial checks: sender reputation, IP allow/block lists, domain authentication (SPF, DKIM, DMARC), and anti-malware signature scanning. If the email is already determined to be spam or malware at this stage, it may be quarantined or rejected before Safe Links or Safe Attachments policies are evaluated. For emails that pass EOP, the pipeline then checks which Safe Links and Safe Attachments policy applies to each recipient, based on the recipient's email address, group membership, or domain. If multiple policies match, the order is the Strict preset, then the Standard preset, then custom policies by priority (lowest number first), then Built-in protection.
Safe Links rewrites URLs in email body
If a Safe Links policy applies and email scanning is enabled, the transport pipeline rewrites the URLs in the email body. The original URL is encoded into a new URL that points to Microsoft's Safe Links service (e.g., `https://nam01.safelinks.protection.outlook.com/?url=...`). The rewrite happens at delivery time, not at click time, and the rewritten URL carries an opaque token that lets Microsoft correlate the click with the specific message and recipient. URLs inside attachments (e.g., .docx, .pdf) are not rewritten, only URLs in the body, and URLs matching the policy's "Do not rewrite" list are left alone and unchecked. The rewrite is transparent to the user: the visible link text is unchanged while the hyperlink target is the rewritten URL (hovering shows the safelinks address, which is the quick way to confirm the policy applied). A policy can instead choose "Do not rewrite URLs, do checks via Safe Links API only", in which case links stay intact and supported Outlook clients check them at click time.
Safe Attachments routes attachment to detonation chamber
If a Safe Attachments policy applies and the policy's action is not 'Off', the attachment is extracted from the email and sent to a virtual sandbox environment. The sandbox is a hypervisor-isolated Windows instance with Office applications installed. The attachment is opened in the appropriate application (e.g., Word for .docx, Excel for .xlsx). The sandbox monitors the behaviour of the application and the attachment for as long as the detonation takes, usually seconds to a few minutes. During this time the email is held (with Block or Replace) or the body is delivered with a placeholder attachment (with Dynamic Delivery). The sandbox checks for indicators of compromise such as spawning processes, writing to startup folders, modifying registry keys, or making outbound network connections.
Detonation sandbox returns verdict
After the sandbox analysis completes, the attachment is either detected (malicious) or clean. Detected means it exhibited behaviour matching known malware patterns or heuristic rules; clean means nothing suspicious was observed. The verdict is logged and surfaces in Threat Explorer or Real-time detections. If detected, the policy action runs: Block quarantines the whole message, Replace delivers the message with the attachment swapped for a warning file, Monitor delivers and only records the detection, and under Dynamic Delivery the placeholder is never swapped for the real file. If clean, the message is delivered normally (or the placeholder is replaced with the real attachment under Dynamic Delivery). If the scan could not complete (timeout or error), there is no "unknown" verdict to act on: the policy's "Apply the Safe Attachments detection response if scanning can't complete" setting (ActionOnError) decides whether the file is treated as detected or delivered as is.
User clicks a Safe Links rewritten URL
When a user clicks a rewritten URL, their browser sends a GET request to the Safe Links service. The service decodes the original URL from the query parameters. It then performs a real-time reputation check against Microsoft's threat intelligence. The check includes: (1) static analysis of the URL (known malicious domains, IP addresses), (2) if the policy has real-time URL scanning enabled and the URL is unknown, dynamic analysis (visiting the URL in a sandboxed browser to check for drive-by downloads or a hosted file), and (3) any URL entries in the Tenant Allow/Block List, which override reputation. If the URL is malicious, the user is redirected to a block page that explains the threat. If the URL is safe, the user is redirected to the original destination. If the URL has no reputation and real-time scanning is on, the user sees a "being scanned" page while the destination is detonated and is then either forwarded or blocked; with real-time scanning off, an unknown URL is forwarded. A reputation lookup typically takes well under a second. The click is logged with user, original URL, verdict and timestamp; a click-through on the block page, where the policy allows it, is logged too.
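The decoding the Safe Links service does in the first step above is plain URL parsing, so it can be reproduced offline for triage (for instance when a user forwards a suspicious message and you want the real destination without clicking). The PowerShell below is an added example, not Microsoft code: it verifies that the host really is a safelinks.protection.outlook.com subdomain, extracts the original destination from the url parameter, and runs over a constructed HTML fragment that includes a look-alike proxy host. The data token value in the sample is made up; real tokens are long opaque strings.

```powershell
# Added example (not from the original page): extract the original destination from Safe Links
# rewritten URLs found in a message body, for triage or to confirm that rewriting happened.
# Pure string/URI parsing; runs offline in Windows PowerShell 5.1 or PowerShell 7.
function Get-SafeLinksTarget {
    param([Parameter(Mandatory)][string]$Url)

    $uri = [System.Uri]$Url
    # Only trust the real Safe Links proxy hosts (commercial cloud; sovereign clouds use other
    # domains). A look-alike such as nam01.safelinks.protection.outlook.com.evil.example must
    # never be "decoded" as if it were Microsoft's proxy.
    if ($uri.Host -notmatch '^[a-z0-9-]+\.safelinks\.protection\.outlook\.com$') {
        return $null
    }
    # Parse the query string by hand (no System.Web dependency): key=value pairs joined by '&'.
    $params = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $params[$kv[0]] = [System.Uri]::UnescapeDataString($kv[1]) }
    }
    if (-not $params.ContainsKey('url')) { return $null }
    [pscustomobject]@{
        Proxy  = $uri.Host
        Target = $params['url']
        # 'data' is the opaque per-recipient tracking token; keep it for correlating click logs.
        Token  = $params['data']
    }
}

function Get-SafeLinksTargetsFromBody {
    param([Parameter(Mandatory)][string]$Body)
    # Crude but sufficient URL extraction for HTML or plain-text bodies.
    [regex]::Matches($Body, 'https://[^\s"''<>]+') |
        ForEach-Object { Get-SafeLinksTarget -Url $_.Value } |
        Where-Object { $_ -ne $null }
}

# Constructed sample body: one genuinely rewritten link, one look-alike proxy host, one plain link.
# Only the first should be decoded; the token value is fictitious.
$sampleBody = @'
<p>Invoice: <a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fevil.example%2Finvoice.html%3Fid%3D42&data=05%7C01%7Cfake-token%7C&sdata=abc&reserved=0">View</a></p>
<p>Fake: <a href="https://nam01.safelinks.protection.outlook.com.evil.example/?url=https%3A%2F%2Fevil.example">View</a></p>
<p>Not rewritten: <a href="https://intranet.contoso.com/policy">Policy</a></p>
'@

Get-SafeLinksTargetsFromBody -Body $sampleBody | Format-Table Proxy, Target
```

The host check is the part that matters operationally: phishing kits imitate the safelinks hostname to borrow its credibility, and a decoder that accepts any host containing "safelinks" would happily launder such a link. An absent result for a message you expected to be rewritten is also useful evidence that no Safe Links policy (or the "do not rewrite" list) applied to that recipient.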
Enterprise Scenario 1: Finance Department Protection
A multinational corporation with 50,000 mailboxes deploys Defender for Office 365 Plan 2. The finance department (500 users) is a high-risk target for phishing. The security team creates a custom Safe Links policy named "Finance Strict", bound by a rule to the finance group at priority 0, with the following settings:
- Scan URLs in email (including internal senders): Enabled
- Apply real-time URL scanning for suspicious links and links that point to files: Enabled
- Wait for URL scanning to complete before delivering the message: Enabled
- Scan URLs in Teams and in Office apps: Enabled
- Track user clicks: Enabled
- Let users click through to original URL: Disabled (users cannot bypass the block page)
- Do not rewrite URLs: (empty)
Known phishing domains from the threat-intel feed go into the Tenant Allow/Block List as URL block entries, which apply to every recipient, not only finance.
Additionally, a Safe Attachments policy is created with action Dynamic Delivery (so the body is delivered at once and the attachment only after detonation) and "Apply the Safe Attachments detection response if scanning can't complete" turned on, bound to the finance group by its own rule. In production this configuration results in near-zero successful phishing clicks in finance. The recurring operational issue is a legitimate URL blocked as a false positive: users report it from the block page, the security team reviews it on the Submissions page, and an admin submission confirmed as clean creates a Tenant Allow/Block List allow entry (a URL belongs in the policy's "Do not rewrite" list only when checking must be bypassed entirely). The performance impact is minimal: reputation checks at click time are near-instant, a message with a suspicious link is held only while that link is detonated, and the seconds to minutes of attachment detonation are hidden from users by Dynamic Delivery.
Enterprise Scenario 2: Merged Organisation with Multiple Policies
After an acquisition, a company has two distinct user populations: legacy users with basic EOP protection and acquired users with Defender for Office 365. The security team wants to roll out Safe Links and Safe Attachments to the licensed population and scope the rules so that unlicensed legacy users are not targeted. They create a custom policy and rule for the licensed users. However, a problem arises: some licensed users are not getting protection because they are also members of a distribution group targeted by an old Safe Links rule at priority 0 (the highest) whose policy has all scanning disabled. The team learns that policy priority is absolute: the first matching rule wins, even if its policy is less restrictive, and nothing is merged from lower-priority policies. They resolve this by giving the restrictive rules the lowest priority numbers (highest priority) and by auditing every rule so that none inadvertently disables protection.
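Resolving which rule wins for a user, as the team in this scenario had to, can be scripted. The PowerShell below is an added example, not Microsoft code: it applies the rule semantics from the policy-priority section (conditions OR'ed, exceptions subtract, lowest priority number first, disabled rules skipped) to objects shaped like Get-SafeLinksRule and Get-SafeLinksPolicy output. The rules, policies and group memberships are constructed to mirror the scenario; in a tenant you would feed it the real cmdlet output and resolve group membership with Get-DistributionGroupMember. The Standard/Strict presets and Built-in protection are not modelled beyond the fall-through case.

```powershell
# Added example (not from the original page): find the Safe Links rule that wins for a recipient
# and warn when the winning policy has email URL scanning turned off (the shadowing bug in the
# scenario). Runs offline on the constructed objects below; swap in Get-SafeLinksRule /
# Get-SafeLinksPolicy output and real group membership for production use.
function Resolve-SafeLinksRule {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [string[]]$MemberOf = @(),                  # group addresses the recipient belongs to (supplied by caller)
        [Parameter(Mandatory)][object[]]$Rules,     # objects shaped like Get-SafeLinksRule output
        [Parameter(Mandatory)][hashtable]$Policies  # policy name -> object shaped like Get-SafeLinksPolicy output
    )
    $domain = ($Recipient -split '@')[1]

    # Lowest Priority number wins; disabled rules are skipped entirely.
    foreach ($r in ($Rules | Where-Object { $_.State -eq 'Enabled' } | Sort-Object Priority)) {
        # Conditions (SentTo, SentToMemberOf, RecipientDomainIs) are OR'ed together ...
        $matched  = ($r.SentTo -contains $Recipient) -or
                    (@($r.SentToMemberOf | Where-Object { $MemberOf -contains $_ }).Count -gt 0) -or
                    ($r.RecipientDomainIs -contains $domain)
        # ... and any matching exception removes the recipient from the rule.
        $excepted = ($r.ExceptIfSentTo -contains $Recipient) -or
                    (@($r.ExceptIfSentToMemberOf | Where-Object { $MemberOf -contains $_ }).Count -gt 0) -or
                    ($r.ExceptIfRecipientDomainIs -contains $domain)
        if ($matched -and -not $excepted) {
            $policy  = $Policies[$r.SafeLinksPolicy]
            $warning = $null
            if (-not $policy.EnableSafeLinksForEmail) { $warning = 'winning policy has email URL scanning OFF' }
            return [pscustomobject]@{
                Recipient     = $Recipient
                WinningRule   = $r.Name
                Priority      = $r.Priority
                Policy        = $r.SafeLinksPolicy
                EmailScanning = [bool]$policy.EnableSafeLinksForEmail
                Warning       = $warning
            }
        }
    }
    # No custom rule matched: Built-in protection (email scanning on) applies.
    [pscustomobject]@{
        Recipient = $Recipient; WinningRule = '(none: Built-in protection)'; Priority = $null
        Policy = 'Built-in protection'; EmailScanning = $true; Warning = $null
    }
}

# Constructed data mirroring the scenario: a forgotten 'Legacy Lists' rule at priority 0 whose policy
# has scanning off shadows 'Finance Strict' (priority 1) for anyone who is in both groups.
$policies = @{
    'Legacy Lists'   = [pscustomobject]@{ Name = 'Legacy Lists';   EnableSafeLinksForEmail = $false }
    'Finance Strict' = [pscustomobject]@{ Name = 'Finance Strict'; EnableSafeLinksForEmail = $true  }
}
$blank = @{ SentTo = @(); RecipientDomainIs = @(); ExceptIfSentTo = @(); ExceptIfSentToMemberOf = @(); ExceptIfRecipientDomainIs = @() }
$rules = @(
    [pscustomobject]($blank + @{ Name = 'Legacy Lists';   Priority = 0; State = 'Enabled'; SafeLinksPolicy = 'Legacy Lists';   SentToMemberOf = @('all-staff-dl@contoso.com') })
    [pscustomobject]($blank + @{ Name = 'Finance Strict'; Priority = 1; State = 'Enabled'; SafeLinksPolicy = 'Finance Strict'; SentToMemberOf = @('finance@contoso.com') })
)

# Bob is in both groups: the priority-0 legacy rule wins and the function warns.
Resolve-SafeLinksRule -Recipient 'bob@contoso.com' -MemberOf 'finance@contoso.com', 'all-staff-dl@contoso.com' -Rules $rules -Policies $policies
# Carol is only in finance: 'Finance Strict' wins as intended.
Resolve-SafeLinksRule -Recipient 'carol@contoso.com' -MemberOf 'finance@contoso.com' -Rules $rules -Policies $policies
# The fix from the scenario: Set-SafeLinksRule -Identity 'Finance Strict' -Priority 0, or disable the legacy rule.
```

Running this over every mailbox in the licensed population (one call per user, with membership from Get-DistributionGroupMember) turns the scenario's "some users are unprotected" complaint into a list of names and the exact rule shadowing each of them. The same structure works for Safe Attachments rules; only the property names (SafeAttachmentPolicy, Action) change.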
Scenario 3: Retroactive Remediation with ZAP
A financial services firm uses Safe Attachments with action "Block". One day, a new malware variant bypasses the detonation chamber because it uses a zero-day exploit that the sandbox didn't trigger. The email is delivered. Later, Microsoft updates the threat intelligence and identifies the attachment as malicious. Zero-Hour Auto Purge (ZAP) is triggered: the email is moved from the user's Inbox to quarantine. The security team receives an alert and investigates. This scenario highlights the importance of enabling ZAP and having a process to review quarantined items. The exam may test that ZAP works with Safe Attachments to retroactively remediate messages after a verdict changes.
Common Misconfigurations
Using Block where delivery latency is unacceptable: with Block, a message with attachments is held until detonation finishes, which generates "where is my email" helpdesk tickets. Dynamic Delivery (Exchange Online mailboxes only) releases the body immediately; Microsoft's Standard and Strict recommendations still use Block, so choose deliberately and tell users what to expect.
Treating every unverified URL as malicious: bulk wildcard block entries in the Tenant Allow/Block List, or click-through disabled without a fast allow process, produce a high false-positive rate, because many legitimate sites have no reputation at click time. Let real-time URL scanning handle unknowns and block only confirmed indicators.
Neglecting the Tenant Allow/Block List: the "Block the following URLs" list inside the Safe Links policy has been retired. Known-bad URLs from internal threat feeds belong in the Tenant Allow/Block List (New-TenantAllowBlockListItems -ListType Url -Block -Entries ...), where they apply to every recipient.
Not piloting: there is no audit mode for these policies. Pilot with a limited recipient group (a Safe Attachments policy set to Monitor records detections without blocking) and measure false positives before widening the rule scope.
What MS-102 Tests on This Topic
The MS-102 exam objective 3.2 covers "Evaluate, plan, and implement Microsoft Defender for Office 365". Within this, Safe Links and Safe Attachments are key sub-objectives. The exam expects you to:
Understand the difference between Safe Links and Safe Attachments.
Know the default settings for each.
Be able to recommend policy settings for specific scenarios (e.g., high security for executives, low false positive tolerance for general users).
Understand how policies are applied (priority, recipient filtering).
Know the actions available (Off, Monitor, Block, Replace, Dynamic Delivery for Safe Attachments; email, Teams and Office-app scanning, real-time URL scanning, track clicks and click-through for Safe Links).
Understand the integration with Teams, SharePoint, and OneDrive.
Know the role of ZAP and AIR.
Common Wrong Answers and Why Candidates Choose Them
"Safe Links scans attachments" — Wrong. Safe Links scans URLs, not attachments. Safe Attachments scans attachments. Candidates confuse the two because both names start with "Safe".
"Safe Attachments has a default policy" — Wrong, and tempting because Safe Links used to have one. Neither feature has an editable default policy any more; in current tenants the Built-in protection preset applies both Safe Attachments (action Block) and Safe Links to every recipient. A custom policy bound to a rule, or the Standard/Strict presets, is how you change the action, redirect and scope for specific recipients.
"Dynamic Delivery delivers the email and attachment together after scanning" — Wrong. Dynamic Delivery delivers the email body immediately and replaces the attachment with a placeholder; the real attachment is made available after scanning completes. Candidates think it delays the whole email.
"Safe Links rewrites URLs in attachments" — Wrong. Safe Links only rewrites URLs in the email body. URLs inside attachments (e.g., a Word document) are not rewritten; they are scanned at click time when opened in Office apps.
Specific Numbers, Values, and Terms That Appear on the Exam
Default Safe Links policy: Applies to all recipients.
Safe Attachments action in Built-in protection and in the Standard/Strict presets: Block (no editable default policy exists).
Sandbox timeout: not admin-configurable; the "apply the detection response if scanning can't complete" setting decides what happens on timeout or error.
Dynamic Delivery: Recommended for user experience.
Policy priority: Lower number = higher priority.
URL rewrite domain: a regional subdomain of safelinks.protection.outlook.com (e.g., nam01.safelinks.protection.outlook.com).
ZAP: Zero-Hour Auto Purge can retroactively remove messages after Safe Attachments verdict changes.
Edge Cases and Exceptions
Safe Links in Teams: URLs are not rewritten; they are checked when clicked, and the block page is shown if the destination is malicious. The message itself is delivered.
Safe Attachments for SharePoint: a detected file is locked (it cannot be opened, copied, moved or shared) and shows a warning; it is not automatically deleted, and whether users can still download it depends on Set-SPOTenant -DisallowInfectedFileDownload.
Multiple policies: The highest priority policy wins. There is no merging of settings.
Safe Links for Office apps: click-time scanning of URLs inside documents only works in supported Office apps (Word, Excel, PowerPoint and Visio on Windows and Mac, Office for the web, Office mobile apps). Rewritten email links, by contrast, are protected in any mail client because the rewriting happens server-side; the "do not rewrite, check via API" mode protects clicks only in supported Outlook clients.
How to Eliminate Wrong Answers
If the question mentions "attachment", eliminate answers about URL rewriting.
If the question mentions "real-time click protection", eliminate answers about detonation sandbox.
If the question mentions "default", remember that neither feature has an editable default policy; both are applied to everyone by the Built-in protection preset, and only a custom policy (with its rule) or the Standard/Strict presets change the settings for specific recipients.
If the question mentions "delay", consider Dynamic Delivery as the solution to reduce user wait time.
Safe Links rewrites URLs in email body and scans them at click time; it does not block the email itself.
Safe Attachments detonates attachments in a sandbox and can quarantine or replace malicious files.
Both features are applied tenant-wide by the Built-in protection preset; a custom policy plus its rule is what lets you change settings for specific recipients.
Dynamic Delivery improves user experience by delivering the email body immediately while scanning the attachment.
Policy priority is determined by the numeric priority value; lower number = higher priority.
Safe Links for Teams does not rewrite URLs; it checks the destination when the user clicks the link.
ZAP (Zero-Hour Auto Purge) can retroactively remove messages if a Safe Attachments verdict changes to malicious.
There is no admin-configurable sandbox timeout for Safe Attachments; the "apply the detection response if scanning can't complete" setting and Dynamic Delivery are how you manage timeouts and delay.
Safe Links scanning for Office apps protects URLs in Word, Excel, PowerPoint, and Outlook.
Safe Links policies carry a "Do not rewrite" list; URL and file block/allow entries for both features live in the Tenant Allow/Block List, not in the policy.
These come up on the exam all the time. Here's how to tell them apart.
Safe Links
Protects against malicious URLs in email body and Office documents.
Rewrites URLs to point to Microsoft's scanning proxy.
Scans URLs at the time of click (real-time).
Applied to all recipients by the Built-in protection preset; custom policies and the Standard/Strict presets override it.
Blocks the click on malicious URLs; click-through past the block page can optionally be allowed per policy.
Safe Attachments
Protects against malicious file attachments in email and cloud storage.
Detonates attachments in a virtual sandbox (behavioural analysis).
Scans attachments at the time of delivery (pre-delivery).
Also applied to all recipients by Built-in protection (action Block); there is no editable default policy, so a custom policy is needed to change the action or scope.
Actions include Block, Replace, Dynamic Delivery, and Monitor.
Mistake
Safe Links and Safe Attachments are the same feature.
Correct
Safe Links protects against malicious URLs by rewriting and scanning them at click time. Safe Attachments protects against malicious files by detonating them in a sandbox. They are separate features with different mechanisms.
Mistake
Safe Attachments has a default policy you can edit, like Safe Links used to.
Correct
Neither feature has an editable default policy any more; both are applied to every recipient by the Built-in protection preset (Safe Attachments with action Block). Only a custom policy bound to a rule, or the Standard/Strict presets, changes the action, redirect or scope for specific recipients.
Mistake
Safe Links rewrites URLs inside email attachments.
Correct
Safe Links only rewrites URLs in the email body. URLs inside attachments (e.g., a Word document) are not rewritten; they are protected by Safe Links for Office apps, which scans at click time when the document is opened.
Mistake
Dynamic Delivery scans the attachment before delivering the email.
Correct
Dynamic Delivery delivers the email body immediately and replaces the attachment with a placeholder. The attachment is scanned in the background. Once scanning completes, the real attachment is made available. The user does not have to wait for the email body.
Mistake
Safe Links blocks the email if it contains a malicious URL.
Correct
Safe Links does not block the email; it rewrites the URL and blocks the click at the time the user clicks. The email is delivered regardless. To block the email itself, you need anti-phishing or anti-spam policies.
Safe Links protects against malicious URLs by rewriting them and scanning at click time. Safe Attachments protects against malicious file attachments by detonating them in a sandbox. They are separate features that address different threat vectors. On the exam, if the question mentions 'URL' or 'link', think Safe Links; if it mentions 'attachment' or 'file', think Safe Attachments.
Not as a separate policy object. Safe Attachments has no default policy you can edit, but in tenants with Defender for Office 365 the Built-in protection preset already applies it (action Block) to every recipient; create a custom policy and rule only to change the action, redirect, or quarantine policy for specific recipients. The same Built-in protection covers Safe Links.
Dynamic Delivery delivers the email body to the user immediately while the attachment is being scanned in the sandbox. The attachment is replaced with a placeholder. Once scanning completes, the real attachment is made available (if clean) or the placeholder remains (if malicious). This improves user experience by eliminating delays.
Safe Links only rewrites URLs in the email body. URLs inside attachments (e.g., a Word document) are not rewritten. However, Safe Links for Office apps protects those URLs when the user opens the attachment in a supported Office application — the URL is scanned at click time.
Safe Links for Teams does not rewrite URLs; it checks the destination when the user clicks a link in a chat or channel message and shows the block page if it is malicious. It is on in the Built-in protection preset for organisations with Defender for Office 365.
The action in Built-in protection and in Microsoft's Standard/Strict recommendations is 'Block': the whole message is quarantined. In a custom policy you can instead choose 'Replace' (deliver the message with the attachment swapped for a warning file), 'Dynamic Delivery' (deliver the body now and the attachment after scanning; Exchange Online mailboxes only), or 'Monitor' (deliver and only record the detection).
If a file that was originally deemed clean by Safe Attachments is later identified as malicious (e.g., after a threat intelligence update), ZAP can retroactively move the email from the user's Inbox to quarantine. ZAP is automatically triggered for malicious verdicts after detonation.