Safe Links and Safe Attachments: Full Configuration Guide

Published 19 November 2025 · 8 min read

Safe Links and Safe Attachments are the URL and attachment detonation features in Microsoft Defender for Office 365. Safe Links rewrites URLs and checks them at click time. Safe Attachments sandboxes suspicious files before delivery.

Safe Links configuration

Microsoft 365 Defender → Policies & rules → Threat policies → Safe Links → + Create
Safe Links settings
Apply real-time URL scanning: Yes (waits for sandbox result, catches novel URLs)
Do not let users click through: Yes (prevents bypassing block warnings)
Apply to email within the org: Yes
Track user clicks: Yes (required for threat investigation)

Safe Links rewrites every URL to https://safelinks.protection.outlook.com/?url=... and checks it at click time against real-time threat intelligence.

Safe Attachments and Dynamic Delivery

Defender → Safe Attachments → Action → Dynamic Delivery

Standard Safe Attachments holds the email while the attachment is sandboxed (2-5 minute delay). Dynamic Delivery sends the email body immediately and replaces the attachment with a placeholder while scanning takes place. Dynamic Delivery is recommended for most organisations.

Protect SharePoint and Teams

Defender → Policies & rules → Threat policies → Safe Attachments → Global settings
Global settings
Turn on Defender for SharePoint, OneDrive and Teams: Yes (scans files uploaded to these services)
Turn on Safe Documents: Yes (verifies Office files before removing Protected View)
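
The portal settings from the three sections above, expressed as Exchange Online PowerShell so they can be applied and checked repeatably. This is an added example, not part of the original guide: the policy and rule names are hypothetical, and it assumes the ExchangeOnlineManagement module and an account allowed to edit threat policies.

```powershell
# Added example. Policy and rule names are hypothetical placeholders.
# Assumes: Install-Module ExchangeOnlineManagement has already been run.
Connect-ExchangeOnline

# Scope both rules to every accepted domain in the tenant.
$domains = (Get-AcceptedDomain).Name

# --- Safe Links: one parameter per row of the settings table ---
$safeLinks = @{
    Name                     = 'Example Safe Links Policy'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true    # Teams protection mentioned in the FAQ
    ScanUrls                 = $true    # Apply real-time URL scanning
    DeliverMessageAfterScan  = $true    # hold delivery until the URL scan finishes
    AllowClickThrough        = $false   # Do not let users click through
    EnableForInternalSenders = $true    # Apply to email within the org
    TrackClicks              = $true    # Track user clicks
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name 'Example Safe Links Rule' `
    -SafeLinksPolicy $safeLinks.Name -RecipientDomainIs $domains

# --- Safe Attachments with Dynamic Delivery ---
$safeAtt = 'Example Safe Attachments Policy'
New-SafeAttachmentPolicy -Name $safeAtt -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'Example Safe Attachments Rule' `
    -SafeAttachmentPolicy $safeAtt -RecipientDomainIs $domains

# --- Global settings: SharePoint/OneDrive/Teams scanning and Safe Documents ---
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true

# --- Read the settings back to confirm what is actually in force ---
Get-SafeLinksPolicy -Identity $safeLinks.Name |
    Format-List ScanUrls, DeliverMessageAfterScan, AllowClickThrough,
                EnableForInternalSenders, TrackClicks, EnableSafeLinksForTeams
Get-SafeAttachmentPolicy -Identity $safeAtt | Format-List Enable, Action
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB, EnableSafeDocs
```

A policy only takes effect once a rule scopes it to recipients, which is why each New-*Policy call is paired with a New-*Rule call.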

Threat reports

Defender → Reports → Email & collaboration → Threat protection status

This report shows all email processed by EOP and Defender, broken down by detection technology. Use it to see how many phishing and malware emails are caught daily.

Frequently Asked Questions

Q: Does Safe Links protect links in Teams messages?

Yes, if you have Defender for Office 365 P1 or P2. Enable Safe Links protection for Teams in the Safe Links policy settings.

Q: Can I whitelist URLs from Safe Links?

Yes. Add them to the "Do not rewrite" list in your Safe Links policy. Use this sparingly: every whitelisted URL is unprotected.

Q: What does Safe Links do with URLs that become malicious after delivery?

Zero-hour auto purge (ZAP) can retroactively move emails with newly-detected malicious URLs from inbox to quarantine.
