Safe Links


Safe Links Protection is enabled for all NHSmail accounts to protect and enhance the security of the platform. Safe Links is part of Microsoft Defender for Office 365 and identifies and blocks malicious web addresses received by NHSmail accounts.

Important Note:

All NHSmail users should continue to adhere to email security best practice i.e., only interacting with content which they believe to be safe and reporting any suspicious emails.

For a further information on email security best practices, please see this section of the NHSmail Support Site.

The below guidance is for NHSmail users and Local Administrators who wish to understand more about how this functionality works.


Safe Links will cover all emails from external to accounts and to accounts.

Emails sent from accounts to external accounts are not covered by Safe Links.

Important Note:

New application accounts created after 28th October 2022 will have Safe Links applied to them.

It is important that application owners read the appropriate Microsoft guidance to ensure their applications are configured to correctly work with these enhanced security features.

Note: Safe Links is not a web filter and will does not block specific types of sites i.e., gambling sites. It will only block a web address that is received via email based on malicious content.

How Safe Links works

Safe Links provides time-of-click protection by scanning web addresses in received emails at the point at which they are clicked. In the background web addresses are rewritten but when users hover over the web address they will see the words “Original URL” along with the original web address displayed.


If you receive a forwarded email which includes a URL Safe Links will scan this web address. If you hover over the link however, the web addresses may be shown with a prefix such as: ‘’

When clicking a web address a user may see the scan briefly take place using the rewritten link as shown.

If you receive an email from a high-send account such as an application account, Safe Links will rewrite the web address within the body of the email and display the original web address with a prefix such as ‘’. This is expected behaviour. See example.


If Safe Links has completed the scanning of the web address or link and has found potentially malicious content, users will be presented with the notification shown below informing them that their access to the link destination is blocked. Users cannot bypass this notification and continue to the website.


Important Note:

If you are being prevented from accessing a web address but you are not seeing the red web alert above which includes a link to this article, it is likely that access is being prevented by local organisation security policies and not Safe Links.

In this instance, we would recommend that you follow your organisation’s procedures and contact your IT support or NHSmail Local Administrator.

Please do not raise a request to review a Safe Links blocked web address unless you have been presented with the above Safe Links web alert.

How to request a review of a blocked Web address

If an NHSmail user or Local Administrator would like to request a review of the classification of a web address as malicious, as they believe this has been classified incorrectly (known as a false positive), they should contact using the template below. If the below template is not used, the Helpdesk will close the ticket.

To NHSmail Helpdesk,

I am experiencing an issue with web address access within an email that I have received.

I have attempted to reach [insert web address] however access has been restricted. Please investigate.

Detailed information :

  • Date/Time:
  • Recipients address:
  • Sender’s address:
  • Target web address:

Many thanks,



Are other email security features being replaced by Safe Links?

All existing email security features will remain active and in place. Safe Links has been added to your mailbox to build on and enhance existing security features.

Do I need to still need to be aware of email security threats i.e., reporting phishing, only clicking links I recognise etc?

You should continue to be aware of any malicious emails, links or attachments and only interact with content which you reasonably believe to be safe. For further information on the email security best practices which all NHSmail users should be adhering to please see this section of the NHSmail Support Site.

How does the licencing for Safe Links work?

The licences which enable Safe Links for each NHSmail user’s mailbox are applied centrally. Local Administrators are not required to apply these licences.

Will having Safe Links enabled for my mailbox affect how I send links to others via email?

Safe Links will have no impact on how you send web addresses to others via email and you can continue to do this as normal. Safe Links scans received emails only.

When I click on a link that is suspected of being malicious, I am seeing a yellow warning web alert and not the red malicious content web alert – what should I do?

If you are seeing the below yellow warning message instead of the red malicious content alert, please refresh the page and/or re-click the URL.

How can I report a link which has been blocked, which I believe is a safe and legitimate link (a false positive)?

If an NHSmail user or Local Administrator would like to request a review of the classification of a URL as malicious as they believe this has been classified incorrectly (known as a false positive), they should contact using the template outlined above in this article.

How long will I have to wait for a reply to my request for a review of the classification of a URL?

Requests are submitted by the NHSmail helpdesk directly to Microsoft for review. Typically, an analysis of the URL takes 24-48 hours so please continue to attempt access throughout this period.

Note: The time it takes for Microsoft to analyse a link may vary and this time period is indicative only.

What can I do if I don’t agree with the outcome of the classification review?

If after submitting a request for Microsoft to analyse the blocked URL via the NHSmail helpdesk you are still unable to reach the location after 2 days, please raise an escalation directly to It is rare that following Microsoft investigation that a legitimate URL would remain blocked.

How can I report a link which has not been blocked, but I think is suspicious?

If you believe you have received a suspicious link within an email that has not been blocked, please report this by following the guidance here.

Can I disable Safe Links for individual users / all users at my organisation?

Safe Links cannot be disabled as it is a feature which is enabled and managed centrally. Neither NHSmail users nor Local Administrators can disable Safe Links. If you believe that Safe Links is causing issues in your use of NHSmail, please raise a ticket with

Can Local Administrators add / remove URLs from the Safe Links blocked list?

The web addresses which are blocked as part of Safe Links are determined by Microsoft and cannot be changed. However, if you believe a blocked URL has been incorrectly classified, you should report this to using the template outlined above in this article.

How will this affect application accounts?

Newly created application accounts will have Safe Links applied to them from the 28th October 2022. If your application sends out web addresses, these will be re-written with a Microsoft prefix at the point of click and scanned for malicious content. We recommend that application accounts are monitored regularly to ensure they are functioning as expected.

Last Reviewed Date 01/11/2022
Updated on 01/11/2022

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top