Safe Links


Safe Links Protection is enabled for all NHSmail accounts to protect and enhance the security of the platform. Safe Links is part of Microsoft Defender for Office 365 and identifies and blocks malicious web addresses received by NHSmail accounts.

Important Note:

All NHSmail users should continue to adhere to email security best practice i.e., only interacting with content which they believe to be safe and reporting any suspicious emails.

For a further information on email security best practices, please see this section of the NHSmail Support Site.

The below guidance is for NHSmail users and Local Administrators who wish to understand more about how this functionality works.


Safe Links will cover all emails from external to accounts and to accounts. It will also cover Teams messages and Chats and Office 365 products, for example PowerPoint.

Emails sent from accounts to external accounts are not covered by Safe Links.

Important Note:

New application accounts created after 26th October 2023 will have Safe Links applied to them for Exchange, Teams AND Office applications.

It is important that application owners read the appropriate Microsoft guidance to ensure their applications are configured to correctly work with these enhanced security features.

Note: Safe Links is not a web filter and will does not block specific types of sites i.e., gambling sites. It will only block a web address that is received via email based on malicious content.

How Safe Links works


Safe Links provides time-of-click protection by scanning web addresses in received emails at the point at which they are clicked. In the background web addresses are rewritten but when users hover over the web address they will see the words “Original URL” along with the original web address displayed.


If you receive a forwarded email which includes a URL Safe Links will scan this web address. If you hover over the link however, the web addresses may be shown with a prefix such as: ‘’

When clicking a web address a user may see the scan briefly take place using the rewritten link as shown.

If you receive an email from a high-send account such as an application account, Safe Links will rewrite the web address within the body of the email and display the original web address with a prefix such as ‘’. This is expected behaviour. See example.


If Safe Links has completed the scanning of the web address or link and has found potentially malicious content, users will be presented with the notification shown below informing them that their access to the link destination is blocked. Users cannot bypass this notification and continue to the website.


Microsoft Teams

URLs are validated at the time of click for the user in chats, group chats, channels, and tabs.  URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs aren’t rewritten.  

  • If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot appears in the default web browser. 
  • If the link was clicked from a pinned tab, the warning page appears in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons. 
  • NHSmail will not Let users click through to the original URL setting so users can’t click through to the original URL if malicious. 

If the user who sent the link isn’t protected by a Safe Links policy where Teams protection is turned on, the user is free to click through to the original URL on their computer or device. 

Safe Links settings for Office apps

Safe Links protection for Office apps checks links in Office documents, not links in email messages. But, it can check links in attached Office documents in email messages after the document is opened. 

Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.    

Safe Links protection for Office apps has the following client requirements: 

  • Microsoft 365 Apps or Microsoft 365 Business Premium: 
  • Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web browser. 
  • Office apps on iOS or Android devices. 
  • Visio on Windows. 
  • OneNote in a web browser. 
  • Outlook for Windows when opening saved EML or MSG files. 

For more information about the recommended values for Standard and Strict policy settings, see Safe Links policy settings. 

How Safe Links works in Office apps 

At a high level, here’s how Safe Links protection works for URLs in Office apps. The supported Office apps are described in the previous section. 

  1. A user signs in using their work or school account in an organization that includes Microsoft 365 Apps or Microsoft 365 Business Premium. 
  2. The user opens and clicks on a link an Office document in a supported Office app.
  3. Safe Links immediately checks the URL before opening the target website: 
  • If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens. 
  • If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (Apply real-time URL scanning for suspicious links and links that point to files), the downloadable file is checked. 
  • If the URL is considered safe, the user is taken to the website. 
  • If Safe Links scanning is unable to complete, Safe Links protection doesn’t trigger. In Office desktop clients, the user is warned before they proceed to the destination website. 

Important Note:

If you are being prevented from accessing a web address but you are not seeing the red web alert above which includes a link to this article, it is likely that access is being prevented by local organisation security policies and not Safe Links.

In this instance, we would recommend that you follow your organisation’s procedures and contact your IT support or NHSmail Local Administrator.

Please do not raise a request to review a Safe Links blocked web address unless you have been presented with the above Safe Links web alert.

How to request a review of a blocked Web address

If an NHSmail user or Local Administrator would like to request a review of the classification of a web address as malicious, as they believe this has been classified incorrectly (known as a false positive), they should contact using the template below. If the below template is not used, the Helpdesk will close the ticket.

To NHSmail Helpdesk,

I am experiencing an issue with web address access within an email that I have received.

I have attempted to reach [insert web address] however access has been restricted. Please investigate.

Detailed information :

  • Date/Time:
  • Recipients address:
  • Sender’s address:
  • Target web address:

Many thanks,



Are other email security features being replaced by Safe Links?

All existing email security features will remain active and in place. Safe Links has been added to your mailbox to build on and enhance existing security features.

Do I need to still need to be aware of email security threats i.e., reporting phishing, only clicking links I recognise etc?

You should continue to be aware of any malicious emails, links or attachments and only interact with content which you reasonably believe to be safe. For further information on the email security best practices which all NHSmail users should be adhering to please see this section of the NHSmail Support Site.

How does the licencing for Safe Links work?

The licences which enable Safe Links for each NHSmail user’s mailbox are applied centrally. Local Administrators are not required to apply these licences.

Will having Safe Links enabled for my mailbox affect how I send links to others via email?

Safe Links will have no impact on how you send web addresses to others via email and you can continue to do this as normal. Safe Links scans received emails only.

When I click on a link that is suspected of being malicious, I am seeing a yellow warning web alert and not the red malicious content web alert – what should I do?

If you are seeing the below yellow warning message instead of the red malicious content alert, please refresh the page and/or re-click the URL.

How can I report a link which has been blocked, which I believe is a safe and legitimate link (a false positive)?

If an NHSmail user or Local Administrator would like to request a review of the classification of a URL as malicious as they believe this has been classified incorrectly (known as a false positive), they should contact using the template outlined above in this article.

How long will I have to wait for a reply to my request for a review of the classification of a URL?

Requests are submitted by the NHSmail helpdesk directly to Microsoft for review. Typically, an analysis of the URL takes 24-48 hours so please continue to attempt access throughout this period.

Note: The time it takes for Microsoft to analyse a link may vary and this time period is indicative only.

What can I do if I don’t agree with the outcome of the classification review?

If after submitting a request for Microsoft to analyse the blocked URL via the NHSmail helpdesk you are still unable to reach the location after 2 days, please raise an escalation directly to It is rare that following Microsoft investigation that a legitimate URL would remain blocked.

How can I report a link which has not been blocked, but I think is suspicious?

If you believe you have received a suspicious link within an email that has not been blocked, please report this by following the guidance here.

Can I disable Safe Links for individual users / all users at my organisation?

Safe Links cannot be disabled as it is a feature which is enabled and managed centrally. Neither NHSmail users nor Local Administrators can disable Safe Links. If you believe that Safe Links is causing issues in your use of NHSmail, please raise a ticket with

Can Local Administrators add / remove URLs from the Safe Links blocked list?

The web addresses which are blocked as part of Safe Links are determined by Microsoft and cannot be changed. However, if you believe a blocked URL has been incorrectly classified, you should report this to using the template outlined above in this article.

How will this affect application accounts?

Newly created application accounts will have Safe Links applied to them from the 28th October 2022. If your application sends out web addresses, these will be re-written with a Microsoft prefix at the point of click and scanned for malicious content. We recommend that application accounts are monitored regularly to ensure they are functioning as expected.

Last Reviewed Date 25/10/2023
Updated on 11/03/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top