Safe Links Protection is enabled for all NHSmail accounts to protect and enhance the security of the platform. Safe Links is part of Microsoft Defender for Office 365 and identifies and blocks malicious web addresses received by NHSmail accounts.
The below guidance is for NHSmail users and Local Administrators who wish to understand more about how this functionality works.
Safe Links will cover all emails from external to nhs.net accounts and nhs.net to nhs.net accounts. It will also cover Teams messages and Chats and Office 365 products, for example PowerPoint.
Emails sent from nhs.net accounts to external accounts are not covered by Safe Links.
How Safe Links works
Safe Links provides time-of-click protection by scanning web addresses in received emails at the point at which they are clicked. In the background web addresses are rewritten but when users hover over the web address they will see the words “Original URL” along with the original web address displayed.
If you receive a forwarded email which includes a URL Safe Links will scan this web address. If you hover over the link however, the web addresses may be shown with a prefix such as: ‘https://gbr01.safelinks.protection.outlook.com’
When clicking a web address a user may see the scan briefly take place using the rewritten link as shown.
If you receive an email from a high-send account such as an application account, Safe Links will rewrite the web address within the body of the email and display the original web address with a prefix such as ‘https://gbr01.safelinks.protection.outlook.com’. This is expected behaviour. See example.
If Safe Links has completed the scanning of the web address or link and has found potentially malicious content, users will be presented with the notification shown below informing them that their access to the link destination is blocked. Users cannot bypass this notification and continue to the website.
URLs are validated at the time of click for the user in chats, group chats, channels, and tabs. URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs aren’t rewritten.
- If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot appears in the default web browser.
- If the link was clicked from a pinned tab, the warning page appears in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.
- NHSmail will not Let users click through to the original URL setting so users can’t click through to the original URL if malicious.
If the user who sent the link isn’t protected by a Safe Links policy where Teams protection is turned on, the user is free to click through to the original URL on their computer or device.
Safe Links settings for Office apps
Safe Links protection for Office apps checks links in Office documents, not links in email messages. But, it can check links in attached Office documents in email messages after the document is opened.
Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.
Safe Links protection for Office apps has the following client requirements:
- Microsoft 365 Apps or Microsoft 365 Business Premium:
- Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web browser.
- Office apps on iOS or Android devices.
- Visio on Windows.
- OneNote in a web browser.
- Outlook for Windows when opening saved EML or MSG files.
- Supported Office apps and Microsoft 365 services are configured to use modern authentication. For more information, see How modern authentication works for Office client apps.
- Users are signed in using their work or school accounts. For more information, see Sign in to Office.
For more information about the recommended values for Standard and Strict policy settings, see Safe Links policy settings.
How Safe Links works in Office apps
At a high level, here’s how Safe Links protection works for URLs in Office apps. The supported Office apps are described in the previous section.
- A user signs in using their work or school account in an organization that includes Microsoft 365 Apps or Microsoft 365 Business Premium.
- The user opens and clicks on a link an Office document in a supported Office app.
- Safe Links immediately checks the URL before opening the target website:
- If the URL points to a website that has been determined to be malicious, a malicious website warning page (or a different warning page) opens.
- If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (Apply real-time URL scanning for suspicious links and links that point to files), the downloadable file is checked.
- If the URL is considered safe, the user is taken to the website.
- If Safe Links scanning is unable to complete, Safe Links protection doesn’t trigger. In Office desktop clients, the user is warned before they proceed to the destination website.
How to request a review of a blocked Web address
If an NHSmail user or Local Administrator would like to request a review of the classification of a web address as malicious, as they believe this has been classified incorrectly (known as a false positive), they should contact firstname.lastname@example.org using the template below. If the below template is not used, the Helpdesk will close the ticket.
All existing email security features will remain active and in place. Safe Links has been added to your mailbox to build on and enhance existing security features.
You should continue to be aware of any malicious emails, links or attachments and only interact with content which you reasonably believe to be safe. For further information on the email security best practices which all NHSmail users should be adhering to please see this section of the NHSmail Support Site.
The licences which enable Safe Links for each NHSmail user’s mailbox are applied centrally. Local Administrators are not required to apply these licences.
Safe Links will have no impact on how you send web addresses to others via email and you can continue to do this as normal. Safe Links scans received emails only.
Requests are submitted by the NHSmail helpdesk directly to Microsoft for review. Typically, an analysis of the URL takes 24-48 hours so please continue to attempt access throughout this period.
Note: The time it takes for Microsoft to analyse a link may vary and this time period is indicative only.
If after submitting a request for Microsoft to analyse the blocked URL via the NHSmail helpdesk you are still unable to reach the location after 2 days, please raise an escalation directly to email@example.com. It is rare that following Microsoft investigation that a legitimate URL would remain blocked.
If you believe you have received a suspicious link within an email that has not been blocked, please report this by following the guidance here.
Safe Links cannot be disabled as it is a feature which is enabled and managed centrally. Neither NHSmail users nor Local Administrators can disable Safe Links. If you believe that Safe Links is causing issues in your use of NHSmail, please raise a ticket with firstname.lastname@example.org.
Newly created application accounts will have Safe Links applied to them from the 28th October 2022. If your application sends out web addresses, these will be re-written with a Microsoft prefix at the point of click and scanned for malicious content. We recommend that application accounts are monitored regularly to ensure they are functioning as expected.
|Last Reviewed Date||25/10/2023|