Beginner ⏱ 90 min 📋 10 Steps

Configure Safe Attachments & Safe Links

Deploy Safe Attachments and Safe Links policies in Microsoft Defender for Office 365 to protect users from malicious file detonation and URL-based attacks across email, Microsoft Teams, SharePoint Online, and OneDrive for Business.

📋 Overview

About This Lab

In this hands-on lab you will configure a complete email and collaboration threat protection stack using Microsoft Defender for Office 365. Starting with a review of the MDO protection policies in the Microsoft Defender portal, you will create and deploy Safe Attachments policies with Dynamic Delivery to detonate suspicious files in a sandbox without delaying mail flow, configure Safe Links policies to rewrite and scan URLs at time of click, extend protection to SharePoint Online, OneDrive for Business, and Microsoft Teams, validate your configuration with EICAR test files and test URLs, and set up monitoring dashboards and alerts to track protection effectiveness. By the end of this lab you will have a production-grade MDO deployment actively defending against weaponized attachments and malicious URLs.

🏢 Enterprise Use Case

Woodgrove Bank is a regional financial institution with 4,200 employees across 35 branch locations. Over the past quarter, Woodgrove Bank's SOC has observed a 340% increase in weaponized email attachments targeting their loan processing and treasury departments. Threat actors are using macro-enabled Excel attachments disguised as wire transfer confirmations and PDF files embedded with exploit kits. Additionally, the security team has identified a surge in credential-harvesting URLs embedded in emails that impersonate internal HR portals and benefits enrollment pages.

The CISO has mandated an immediate deployment of Safe Attachments with Dynamic Delivery to ensure zero-day attachment threats are detonated in a sandbox before reaching user mailboxes, while still delivering the email body promptly. Safe Links must be deployed with time-of-click URL scanning, click-through blocking, and full URL rewriting to prevent users from navigating to known and unknown phishing pages. Protection must also extend to SharePoint and OneDrive to prevent lateral spread of malicious documents shared internally. Success criteria: 100% of inbound attachments scanned, zero click-throughs to known malicious URLs, full visibility into threat metrics within 30 days, and zero disruption to legitimate business email flow.

🎯 What You Will Learn

  1. Navigate the MDO threat protection stack and understand the email security pipeline
  2. Create a Safe Attachments policy with Dynamic Delivery using the portal and PowerShell
  3. Configure detonation settings and quarantine actions for detected malicious attachments
  4. Create a Safe Links policy with time-of-click scanning and click-through blocking
  5. Manage Safe Links URL exception lists and document trusted URL entries
  6. Enable Safe Attachments protection for SharePoint Online, OneDrive, and Microsoft Teams
  7. Compare and apply Standard vs. Strict preset security policies
  8. Validate Safe Attachments using the EICAR test file and observe Dynamic Delivery behavior
  9. Test Safe Links protection with controlled URL click scenarios
  10. Monitor protection reports, analyze threat metrics, and configure alerting

🔑 Why This Matters

Email remains the #1 initial access vector in enterprise cyberattacks. According to Microsoft's Digital Defense Report, over 80% of ransomware incidents begin with a phishing email containing either a weaponized attachment or a malicious URL. Traditional signature-based antimalware solutions miss zero-day threats because they rely on known indicators. Safe Attachments addresses this gap by detonating every attachment in a cloud sandbox, observing its behavior, and blocking it if malicious activity is detected. Safe Links complements this by rewriting every URL in inbound email and scanning it at time of click, so even if a URL was benign at delivery time but was later weaponized, the user is still protected. Together, Safe Attachments and Safe Links form the foundation of the Microsoft Defender for Office 365 protection stack, and mastering their configuration is essential for any organization serious about defending against modern email-borne threats.

⚙️ Prerequisites

  • Microsoft 365 E5 or Defender for Office 365 Plan 1/Plan 2 license. Safe Attachments and Safe Links require at least MDO Plan 1; preset security policies and advanced reporting require Plan 2
  • Security Administrator role. Required to create and manage threat protection policies in the Microsoft Defender portal
  • Exchange Online PowerShell module. Install the Exchange Online Management module for PowerShell-based policy configuration
  • Test mailbox. A non-production mailbox for sending EICAR test files and validating Safe Links behavior without impacting business users
  • Access to the Microsoft Defender portal. Navigate to security.microsoft.com and verify you can access the Email & collaboration section
  • Basic understanding of email flow. Familiarity with MX records, mail transport rules, and Exchange Online concepts
💡 Pro Tip: Before starting, verify your license assignment by navigating to the Microsoft 365 admin center → Users → Active users → select a user → Licenses and apps. Confirm that Microsoft Defender for Office 365 is listed and enabled. Policies will not take effect if licenses are not assigned to target users.

Step 1 · Review MDO Threat Protection Policies

Before creating any policies, you need to understand the Microsoft Defender for Office 365 protection stack and how Safe Attachments and Safe Links fit into the overall email security pipeline. Every inbound email passes through multiple layers of protection in a specific order.

Navigate to the Defender Portal

  • Open security.microsoft.com in your browser
  • In the left navigation, expand Email & collaboration
  • Click Policies & rules → Threat policies
  • Review the Threat policies page; this is the central hub for all email protection settings

Understanding the Email Protection Stack

Microsoft Defender for Office 365 processes email through these layers in order:

  1. Connection filtering. Blocks email from known malicious IP addresses at the SMTP connection level
  2. Anti-malware. Scans attachments for known malware signatures using multiple antimalware engines
  3. Mail flow rules (transport rules). Applies organization-specific routing and content rules
  4. Anti-spam filtering. Evaluates message content, headers, and sender reputation to classify spam
  5. Anti-phishing. Detects impersonation attempts, spoofing, and social engineering patterns
  6. Safe Attachments. Detonates attachments in a cloud sandbox to detect zero-day malware (this lab)
  7. Safe Links. Rewrites URLs and scans them at time of click for malicious content (this lab)
  8. Zero-hour Auto Purge (ZAP). Retroactively removes messages from mailboxes if they are reclassified as malicious after delivery

Review Existing Policies

  • On the Threat policies page, note the Templated policies section: Anti-malware, Anti-spam, Anti-phishing, Safe Attachments, and Safe Links
  • Click Safe Attachments and review any existing policies. A new tenant typically has no custom Safe Attachments policies
  • Click Safe Links and review any existing policies. Note the Built-in protection policy that provides baseline Safe Links coverage
  • Review the Preset security policies tile; it shows whether the Standard or Strict protection presets are active
💡 Pro Tip: The Built-in protection preset is automatically enabled for all MDO-licensed users and provides basic Safe Links and Safe Attachments coverage. However, the built-in preset uses conservative default settings. For enterprise-grade protection, you should create custom policies or apply the Standard/Strict presets, as we will do in this lab.

Step 2 · Create a Safe Attachments Policy

Safe Attachments opens every attachment in a cloud-based sandbox (detonation chamber), observes its behavior for malicious activity (such as spawning processes, modifying registry keys, or reaching out to command-and-control servers), and blocks it if threats are detected. The Dynamic Delivery action delivers the email body immediately while the attachment is being scanned, then attaches the clean file once detonation completes.

Portal Instructions

  • Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Attachments
  • Click + Create to start the policy wizard
  • Name: Enter Organization Safe Attachments
  • Description: Enter Dynamic Delivery Safe Attachments policy for all users; detonates attachments in sandbox while delivering email body immediately
  • Click Next
  • Users and domains: Under Domains, add your organization's accepted domain (e.g., contoso.com)
  • Click Next
  • Settings:
    • Safe Attachments unknown malware response: Select Dynamic Delivery
    • Check Enable redirect (optional: sends detected attachments to a security mailbox for investigation)
    • If redirect is enabled, enter a security mailbox address: secops@contoso.com
    • Check Apply the Safe Attachments detection response if scanning can't complete
  • Click Next, review the summary, and click Submit

PowerShell Configuration

# WHAT: Create a Safe Attachments policy with Dynamic Delivery action via Exchange Online PowerShell
# WHY:  Safe Attachments detonates every inbound attachment in a cloud sandbox to detect zero-day malware.
#       Dynamic Delivery delivers the email body immediately while the attachment is being scanned,
#       minimizing user disruption (1-2 min attachment delay vs blocking the entire message).
# OUTPUT: SafeAttachmentPolicy and SafeAttachmentRule objects created in Exchange Online
#   - Action DynamicDelivery: Email body delivered instantly; attachment arrives after scan completes
#   - ActionOnError $true: If scanning service is unavailable, the configured action still applies
#     (prevents unscanned attachments from being delivered during outages)
#   - Redirect $false: Detected attachments are quarantined (enable redirect in Step 3 for SOC analysis)

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Create Safe Attachments Policy (defines WHAT to do with attachments)
New-SafeAttachmentPolicy -Name "Organization Safe Attachments" `
    -Enable $true `
    -Action DynamicDelivery `
    -ActionOnError $true `
    -Redirect $false

# Create Safe Attachments Rule (defines WHO the policy applies to)
# RecipientDomainIs scopes the policy to all users in the specified domain
# Priority 0 = highest priority (processed first if multiple rules exist)
New-SafeAttachmentRule -Name "Organization Safe Attachments Rule" `
    -SafeAttachmentPolicy "Organization Safe Attachments" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

Understanding Safe Attachments Actions

  • Off. Attachments are not scanned by Safe Attachments (not recommended)
  • Monitor. Delivers the message with the attachment, then tracks what happens if malware is detected. Use for initial testing only
  • Block. Blocks the entire message (email + attachment) if malware is detected. The message is quarantined
  • Replace. Delivers the email but replaces the attachment with a notification that the attachment was removed due to malware detection
  • Dynamic Delivery (recommended). Delivers the email body immediately with a placeholder attachment while the real attachment is scanned. Once scanning completes, the clean attachment is attached. If malware is detected, the attachment is quarantined
⚠️ Tip: Dynamic Delivery is the recommended action for most organizations because it minimizes mail delivery delays. Users receive the email body within seconds, and the attachment typically appears within 1–2 minutes once detonation completes. For environments with strict security requirements (e.g., government or financial services), consider Block instead to prevent any attachment delivery until scanning is confirmed clean.

Step 3 · Configure Detonation and Quarantine Settings

When Safe Attachments detects a malicious file, the attachment is quarantined and (optionally) redirected to a security mailbox for manual investigation. Properly configuring quarantine and redirect settings ensures your SOC team has full visibility into every blocked threat.

Configure Redirect for Detected Attachments

  • Navigate to Threat policies → Safe Attachments
  • Click on the Organization Safe Attachments policy you created in Step 2
  • Click Edit settings
  • Enable Redirect and enter your security operations mailbox: secops@contoso.com
  • This ensures every blocked attachment is forwarded to the SOC for analysis
  • Click Save

PowerShell: Enable Redirect

# WHAT: Enable attachment redirect so detected malicious files are sent to the SOC for forensic analysis
# WHY:  When Safe Attachments blocks a malicious attachment, the SOC needs the original file to:
#       1. Extract IOCs (file hashes, embedded URLs, macros)
#       2. Determine if other users received the same attachment
#       3. Update threat intelligence feeds and block lists
#       The redirect sends a copy of the quarantined attachment to the specified security mailbox.
# OUTPUT: Policy updated. Verify Redirect=True and RedirectAddress shows your SOC mailbox.
#   - ActionOnError $true: If scanning fails, the configured action (block/quarantine) still applies
#     This prevents unscanned attachments from being delivered during service outages.

Set-SafeAttachmentPolicy -Identity "Organization Safe Attachments" `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com" `
    -ActionOnError $true

# Verify the updated policy configuration
Get-SafeAttachmentPolicy -Identity "Organization Safe Attachments" |
    Format-List Name, Action, Redirect, RedirectAddress, ActionOnError, Enable

Configure Quarantine Policies

  • Navigate to Threat policies → Quarantine policies
  • Review the default quarantine policy. AdminOnlyAccessPolicy restricts quarantine access to admins only
  • For Safe Attachments, the recommended quarantine policy is AdminOnlyAccessPolicy; end users should not be able to release malware from quarantine
  • Optionally create a custom quarantine policy with notification settings so users are informed when an attachment is quarantined
  • Configure quarantine notifications to send periodic digest emails to users about their quarantined messages

PowerShell: Review Quarantine Settings

# List existing quarantine policies
Get-QuarantinePolicy | Select-Object Name, EndUserQuarantinePermissionsValue,
    ESNEnabled, OrganizationBrandingEnabled | Format-Table -AutoSize

# View quarantine messages from Safe Attachments detections
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-7) -EndReceivedDate (Get-Date) |
    Where-Object { $_.PolicyType -eq "SafeAttachmentPolicy" } |
    Select-Object Subject, SenderAddress, ReceivedTime, ReleaseStatus |
    Sort-Object ReceivedTime -Descending
⚠️ Tip: The ActionOnError parameter is critical. When set to $true, it ensures that if the Safe Attachments scanning service is unavailable (e.g., during a service outage), the configured action (Dynamic Delivery, Block, etc.) is still applied. Without this, attachments would be delivered unscanned during outages, a significant security gap.

Step 4 · Create a Safe Links Policy

Safe Links protects users from malicious URLs by rewriting links in inbound email messages and scanning them at time of click. Unlike traditional URL filtering that only checks at delivery time, Safe Links performs real-time URL analysis when the user actually clicks the link, protecting against delayed weaponization attacks where a URL is benign at delivery but later redirected to a phishing or malware page.

Portal Instructions

  • Navigate to Threat policies → Safe Links
  • Click + Create to start the policy wizard
  • Name: Enter Organization Safe Links
  • Description: Enter Time-of-click URL scanning with click-through blocking for all users across email, Teams, and Office apps
  • Click Next
  • Users and domains: Add your domain (e.g., contoso.com)
  • Click Next
  • URL & click protection settings:
    • On: Safe Links checks a list of known, malicious links when users click links in email. Enable
    • Apply Safe Links to email messages sent within the organization. Enable
    • Apply real-time URL scanning for suspicious links and links that point to files. Enable
    • Wait for URL scanning to complete before delivering the message. Enable
    • Do not rewrite URLs: keep this UNCHECKED (URL rewriting must be enabled)
    • On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. Enable
    • On: Safe Links checks a list of known, malicious links when users click links in Office 365 apps. Enable
    • Track user clicks. Enable
    • Let users click through to the original URL: keep this UNCHECKED (block click-through)
    • Display the organization branding on notification and warning pages. Enable
  • Click Next, review, and click Submit

PowerShell Configuration

# WHAT: Create a Safe Links policy with comprehensive URL scanning across email, Teams, and Office apps
# WHY:  Safe Links rewrites URLs in email and scans them at "time of click" - not just at delivery.
#       This protects against delayed weaponization attacks where a URL is benign when the email arrives
#       but is later redirected to a phishing/malware page. The policy below enables all protective features.
# OUTPUT: SafeLinksPolicy and SafeLinksRule objects created. URLs in email will be rewritten to route
#         through Microsoft's scanning service (safelinks.protection.outlook.com).
# KEY PARAMETERS:
#   - AllowClickThrough $false: Users CANNOT bypass the block page (critical for regulated industries)
#   - ScanUrls $true: Enables real-time scanning including links to downloadable files
#   - DeliverMessageAfterScan $true: Holds email delivery until URL scan completes (prevents race condition)
#   - EnableForInternalSenders $true: Scans internal-to-internal emails too (prevents internal phishing)
#   - DisableUrlRewrite $false: URLs ARE rewritten (required for time-of-click scanning to work)

# Create Safe Links Policy (defines scanning behavior)
New-SafeLinksPolicy -Name "Organization Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -ScanUrls $true `
    -EnableForInternalSenders $true `
    -DeliverMessageAfterScan $true `
    -DisableUrlRewrite $false

# Create Safe Links Rule (defines WHO the policy applies to)
New-SafeLinksRule -Name "Organization Safe Links Rule" `
    -SafeLinksPolicy "Organization Safe Links" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

Key Safe Links Parameters Explained

  • EnableSafeLinksForEmail. Enables URL scanning in email messages
  • EnableSafeLinksForTeams. Extends protection to URLs shared in Microsoft Teams chats and channels
  • EnableSafeLinksForOffice. Scans URLs in Office documents (Word, Excel, PowerPoint)
  • ScanUrls. Enables real-time scanning of URLs, including links that point to downloadable content
  • AllowClickThrough. When $false, users cannot click through the warning page to reach a malicious URL
  • DeliverMessageAfterScan. Holds message delivery until URL scanning is complete, preventing users from clicking unscanned links
  • DisableUrlRewrite. When $false, URLs are rewritten to route through the Safe Links scanning service
  • EnableForInternalSenders. Applies Safe Links scanning to emails sent between internal users (critical for preventing internal phishing)
  • TrackClicks. Records all URL clicks for reporting and investigation purposes
⚠️ Tip: Setting AllowClickThrough to $false is critical for enterprise environments. When a user clicks a URL identified as malicious, they see a warning page; if click-through is allowed, they can dismiss the warning and proceed to the malicious site. In regulated industries like financial services and healthcare, always block click-through to enforce compliance.
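The rules created in Steps 2 and 4 only protect the domains they name, and the use case's success criterion is 100% of inbound attachments scanned. The following audit script is an added example, not part of the original lab: it checks every accepted domain in the tenant for an enabled Safe Attachments rule and an enabled Safe Links rule, and flags any policy whose settings fall short of the configuration built above. It assumes an existing Connect-ExchangeOnline session; the function names are the author's own, and only RecipientDomainIs scoping is resolved (rules scoped with SentTo or SentToMemberOf are listed for manual review).

```powershell
# Added example (not part of the lab): audit Safe Attachments / Safe Links rule coverage
# per accepted domain and compare each policy against the settings chosen in Steps 2-4.
# Assumes Connect-ExchangeOnline has already been run.

function Get-DomainRuleCoverage {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $AcceptedDomains,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $Rules
    )
    foreach ($domain in $AcceptedDomains) {
        # A rule covers the domain only if it is enabled and lists the domain explicitly
        $matching = @($Rules | Where-Object {
            $_.State -eq 'Enabled' -and
            (@($_.RecipientDomainIs | ForEach-Object { "$_" }) -contains $domain)
        })
        [pscustomobject]@{
            Domain    = $domain
            Covered   = ($matching.Count -gt 0)
            RuleNames = ($matching.Name -join ', ')
        }
    }
}

function Test-SafeAttachmentBaseline {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if (-not $Policy.Enable)                                 { $findings += 'policy disabled' }
    if ($Policy.Action -notin @('DynamicDelivery', 'Block')) { $findings += "action is $($Policy.Action)" }
    if (-not $Policy.ActionOnError)                          { $findings += 'ActionOnError is False' }
    if (-not $Policy.Redirect)                               { $findings += 'no SOC redirect mailbox' }
    return ,$findings
}

function Test-SafeLinksBaseline {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if (-not $Policy.EnableSafeLinksForEmail)  { $findings += 'email scanning off' }
    if (-not $Policy.EnableSafeLinksForTeams)  { $findings += 'Teams scanning off' }
    if (-not $Policy.EnableSafeLinksForOffice) { $findings += 'Office app scanning off' }
    if ($Policy.AllowClickThrough)             { $findings += 'click-through allowed' }
    if ($Policy.DisableUrlRewrite)             { $findings += 'URL rewriting disabled' }
    if (-not $Policy.ScanUrls)                 { $findings += 'real-time URL scanning off' }
    if (-not $Policy.DeliverMessageAfterScan)  { $findings += 'delivered before scan completes' }
    if (-not $Policy.EnableForInternalSenders) { $findings += 'internal senders not scanned' }
    if (-not $Policy.TrackClicks)              { $findings += 'click tracking off' }
    return ,$findings
}

# DomainName may come back as an SmtpDomain object; normalise to plain strings
$domains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })

Write-Host '== Safe Attachments rule coverage by accepted domain =='
Get-DomainRuleCoverage -AcceptedDomains $domains -Rules @(Get-SafeAttachmentRule) | Format-Table -AutoSize

Write-Host '== Safe Links rule coverage by accepted domain =='
Get-DomainRuleCoverage -AcceptedDomains $domains -Rules @(Get-SafeLinksRule) | Format-Table -AutoSize

Write-Host '== Policies weaker than the lab baseline =='
foreach ($p in @(Get-SafeAttachmentPolicy)) {
    $f = Test-SafeAttachmentBaseline -Policy $p
    if ($f.Count -gt 0) { Write-Host "Safe Attachments '$($p.Name)': $($f -join '; ')" }
}
foreach ($p in @(Get-SafeLinksPolicy)) {
    $f = Test-SafeLinksBaseline -Policy $p
    if ($f.Count -gt 0) { Write-Host "Safe Links '$($p.Name)': $($f -join '; ')" }
}

# Rules scoped to users or groups rather than domains are not resolved above; list them
Write-Host '== Rules scoped by recipient or group (review membership manually) =='
@(Get-SafeAttachmentRule) + @(Get-SafeLinksRule) |
    Where-Object { $_.SentTo -or $_.SentToMemberOf } |
    Select-Object Name, State, SentTo, SentToMemberOf | Format-Table -AutoSize
```

A domain reported with Covered = False receives only Built-in protection (or a preset, if one applies), so it should be added to the rule's RecipientDomainIs list before the 30-day success check.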

Step 5 · Configure Safe Links Exceptions

Some legitimate business URLs may be incorrectly flagged or cause issues when rewritten by Safe Links. You can configure a "Do not rewrite" list to exclude specific trusted URLs from Safe Links scanning. Every exception should be documented with a business justification and reviewed quarterly.

Portal Instructions

  • Navigate to Threat policies → Safe Links
  • Click on the Organization Safe Links policy
  • Click Edit URL & click protection settings
  • Scroll to the Do not rewrite the following URLs section
  • Click Manage URLs
  • Add any trusted URLs that should bypass Safe Links scanning

PowerShell: Add URL Exceptions

# Add trusted URLs to the Safe Links exception list
# Use wildcards carefully; each entry should have a documented business justification
Set-SafeLinksPolicy -Identity "Organization Safe Links" `
    -DoNotRewriteUrls @{
        Add = "https://banking-partner.woodgrovebank.com/*",
              "https://internal-training.contoso.com/*",
              "https://approved-vendor-portal.example.com/login"
    }

# Verify the exception list
Get-SafeLinksPolicy -Identity "Organization Safe Links" |
    Select-Object -ExpandProperty DoNotRewriteUrls

# Review all Safe Links policies and their exception lists
Get-SafeLinksPolicy | ForEach-Object {
    Write-Host "Policy: $($_.Name)" -ForegroundColor Cyan
    Write-Host "Exceptions:" -ForegroundColor Yellow
    $_.DoNotRewriteUrls | ForEach-Object { Write-Host " - $_" }
    Write-Host ""
}

URL Exception Best Practices

  • Minimize exceptions. Every URL excluded from scanning is a potential attack surface. Only add URLs with a documented business need
  • Use specific paths. Instead of excluding an entire domain (https://example.com/*), exclude only the specific path needed (https://example.com/specific-app/callback)
  • Document each exception. Maintain a register recording: URL pattern, business justification, requestor, approval date, and next review date
  • Review quarterly. Schedule a quarterly review of all Safe Links exceptions to remove entries that are no longer needed
  • Never exclude email provider domains. Do not add exceptions for domains like gmail.com, outlook.com, or yahoo.com
  • Test before adding. Before adding an exception, test whether the URL can work with Safe Links rewriting. Many modern web applications are compatible with URL rewriting
⚠️ Tip: The tenant-level block list in the Tenant Allow/Block List takes precedence over Safe Links exceptions. If a URL is on the block list, it will be blocked even if it appears in the "Do not rewrite" list. Use the Tenant Allow/Block List at Threat policies → Tenant Allow/Block Lists → URLs to manage organization-wide URL blocks.
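The best practices above (a documented register, specific paths rather than whole domains, quarterly review, no mail-provider domains) can be checked mechanically. The script below is an added example, not part of the original lab: it reviews a "Do not rewrite" list against an exception register and reports undocumented, overdue, over-broad and mail-provider entries. The exception list, the register rows and the review date are constructed sample data, and the function names are the author's own; the comments show where the live policy and a real CSV register would be read instead.

```powershell
# Added example (not part of the lab): review Safe Links exceptions against an exception
# register with the columns named in the lab: Pattern, Justification, Requestor,
# ApprovalDate, NextReviewDate. All data below is constructed for illustration.

function Get-ExceptionHostName {
    param([Parameter(Mandatory)][string] $Pattern)
    # Drop the scheme and a leading "*." wildcard, then keep everything before the first "/"
    $p = $Pattern -replace '^[A-Za-z]+://', '' -replace '^\*\.', ''
    return (($p -split '/', 2)[0]).ToLowerInvariant()
}

function Test-WholeDomainWildcard {
    param([Parameter(Mandatory)][string] $Pattern)
    # "example.com", "example.com/*" and "*.example.com/*" all exempt the entire site
    $p = $Pattern -replace '^[A-Za-z]+://', ''
    $path = if ($p.Contains('/')) { ($p -split '/', 2)[1] } else { '' }
    return ($path -eq '' -or $path -eq '*')
}

function Invoke-SafeLinksExceptionReview {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $Exceptions,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $Register,
        [datetime] $AsOf = (Get-Date)
    )
    # Provider domains the lab says must never be excluded
    $mailProviders = @('gmail.com', 'outlook.com', 'yahoo.com')
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($pattern in $Exceptions) {
        $row      = $Register | Where-Object { $_.Pattern -eq $pattern } | Select-Object -First 1
        $hostName = Get-ExceptionHostName -Pattern $pattern
        if (-not $row) {
            $findings.Add([pscustomobject]@{ Pattern = $pattern; Severity = 'High'
                Finding = 'No register entry: undocumented exception' })
        } elseif ([datetime]$row.NextReviewDate -lt $AsOf) {
            $findings.Add([pscustomobject]@{ Pattern = $pattern; Severity = 'Medium'
                Finding = "Quarterly review overdue (due $($row.NextReviewDate))" })
        }
        if (Test-WholeDomainWildcard -Pattern $pattern) {
            $findings.Add([pscustomobject]@{ Pattern = $pattern; Severity = 'Medium'
                Finding = 'Whole-domain wildcard: narrow to the specific path that needs it' })
        }
        foreach ($provider in $mailProviders) {
            if ($hostName -eq $provider -or $hostName.EndsWith(".$provider")) {
                $findings.Add([pscustomobject]@{ Pattern = $pattern; Severity = 'High'
                    Finding = "Excludes mail provider domain $provider" })
            }
        }
    }
    # Register rows with no matching policy entry are stale and should be closed out
    foreach ($row in $Register) {
        if ($Exceptions -notcontains $row.Pattern) {
            $findings.Add([pscustomobject]@{ Pattern = $row.Pattern; Severity = 'Low'
                Finding = 'Register entry not present in policy (stale record)' })
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample. Live equivalent:
#   $exceptions = (Get-SafeLinksPolicy -Identity "Organization Safe Links").DoNotRewriteUrls
$exceptions = @(
    'https://banking-partner.woodgrovebank.com/*',
    'https://internal-training.contoso.com/*',
    'https://approved-vendor-portal.example.com/login',
    '*.gmail.com/*'
)
# Constructed sample register. Live equivalent: $register = Import-Csv .\safelinks-exceptions.csv
$register = @'
Pattern,Justification,Requestor,ApprovalDate,NextReviewDate
https://banking-partner.woodgrovebank.com/*,Partner portal session breaks when rewritten,Treasury,2024-01-15,2024-04-15
https://approved-vendor-portal.example.com/login,Vendor SSO callback URL,Procurement,2024-02-01,2025-02-01
https://retired-app.contoso.com/callback,Legacy app decommissioned,IT Ops,2023-06-01,2023-09-01
'@ | ConvertFrom-Csv

# Review date is fixed here so the sample output is reproducible; use (Get-Date) in practice
Invoke-SafeLinksExceptionReview -Exceptions $exceptions -Register $register -AsOf ([datetime]'2024-06-01') |
    Sort-Object Severity, Pattern | Format-Table -AutoSize
```

With the sample data, the vendor login path passes cleanly, the banking entry is flagged as a whole-domain wildcard whose review is overdue, the training and gmail entries are undocumented, and the retired-app row is reported as a stale register record.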

Step 6 · Enable Safe Attachments for SharePoint, OneDrive, and Teams

Safe Attachments protection extends beyond email to cover files stored in SharePoint Online, OneDrive for Business, and shared in Microsoft Teams. When enabled, files uploaded to these services are scanned for malware. If a malicious file is detected, it is blocked: users cannot open, download, copy, or share the file until it is removed by an administrator. This prevents lateral spread of malware through internal collaboration.

Portal Instructions

  • Navigate to security.microsoft.com → Policies & rules → Threat policies
  • Click Safe Attachments
  • Click Global settings
  • Enable Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
  • Enable Turn on Safe Documents for Office clients; this scans documents opened in Protected View before allowing users to exit Protected View
  • Leave Allow people to click through Protected View even if Safe Documents identified the file as malicious UNCHECKED
  • Click Save

PowerShell Configuration

# WHAT: Enable Safe Attachments scanning for SharePoint Online, OneDrive, and Microsoft Teams
# WHY:  Without this, malware uploaded to SharePoint/OneDrive can spread through internal sharing
#       and Teams file attachments - bypassing email-based Safe Attachments scanning entirely.
#       This is a tenant-wide toggle (no per-policy configuration needed).
# OUTPUT: EnableATPForSPOTeamsODB = True | EnableSafeDocs = True | AllowSafeDocsOpen = False
#   - EnableATPForSPOTeamsODB: Scans files uploaded to SharePoint/OneDrive/Teams asynchronously
#   - EnableSafeDocs: Scans documents opened in Protected View before allowing users to edit
#   - AllowSafeDocsOpen $false: Blocks users from exiting Protected View for malicious documents
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true `
    -EnableSafeDocs $true `
    -AllowSafeDocsOpen $false

Verify the Configuration

# Verify the global ATP policy for Office 365
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB,
    EnableSafeDocs, AllowSafeDocsOpen

# Expected output:
# EnableATPForSPOTeamsODB : True
# EnableSafeDocs          : True
# AllowSafeDocsOpen       : False

How Safe Attachments Works for SharePoint/OneDrive/Teams

  • Asynchronous scanning. Files are scanned asynchronously after upload. A small delay can occur between file upload and detection
  • Heuristic-based selection. The service uses heuristics, smart signals, and sharing activity to identify files that should be scanned. Not every file is detonated
  • Blocked file behavior. When a malicious file is detected, it remains in the document library but is blocked from being opened, copied, moved, or shared. Users see a visual indicator that the file is blocked
  • Administrator actions. Admins can review blocked files in Quarantine and either release them (false positive) or delete them permanently
  • Safe Documents. Extends protection to Office desktop clients by scanning documents opened in Protected View before allowing the user to exit to the normal editing view
⚠️ Tip: Safe Attachments for SharePoint, OneDrive, and Teams operates independently from Safe Attachments email policies. Enabling the global setting does not require a separate policy; it is a tenant-wide toggle. However, you must also ensure that SharePoint Online Management Shell has the DisallowInfectedFileDownload parameter set to $true for full protection. Run: Set-SPOTenant -DisallowInfectedFileDownload $true

Step 7 · Apply and Validate Preset Security Policies

Microsoft provides two preset security policy profiles, Standard and Strict, that bundle recommended settings for anti-spam, anti-phishing, anti-malware, Safe Attachments, and Safe Links into a single package. These presets are based on Microsoft's recommended settings and are updated automatically as the threat landscape evolves.

Standard vs. Strict Comparison

  • Standard protection. Balanced protection suitable for most users. Provides strong security without significant impact on legitimate email flow. Recommended for all users as a baseline
  • Strict protection. Aggressive protection for high-value targets (executives, finance, legal). More aggressive filtering may result in increased false positives but provides maximum protection against advanced threats

Key Differences for Safe Attachments & Safe Links

| Setting                            | Standard              | Strict                |
|------------------------------------|-----------------------|-----------------------|
| Safe Attachments action            | Block                 | Block                 |
| Safe Attachments quarantine policy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy |
| Safe Links: rewrite URLs           | On                    | On                    |
| Safe Links: scan at time of click  | On                    | On                    |
| Safe Links: allow click-through    | Off (blocked)         | Off (blocked)         |
| Safe Links: scan internal emails   | On                    | On                    |
| Safe Links: track clicks           | On                    | On                    |

Applying Preset Policies

  • Navigate to Threat policies → Preset security policies
  • Under Standard protection, click Manage protection settings
  • Toggle the status to Enabled
  • Under Apply Exchange Online Protection, select All recipients or specific groups
  • Under Apply Defender for Office 365 protection, select All recipients or specific groups
  • Click Next and Confirm
  • Repeat for Strict protection if needed; apply it to high-value targets (executives, finance, HR)
💡 Pro Tip: Preset security policies take precedence over custom policies. The order of precedence is: Strict preset > Standard preset > Custom policies > Built-in protection. If a user is covered by both a custom Safe Attachments policy and the Standard preset, the Standard preset settings take priority. For maximum flexibility, apply presets to broad groups and use custom policies only for specific exceptions. See the preset security policies documentation for full details.

Step 8 · Test Safe Attachments with EICAR

The EICAR test file is a standardized, non-malicious file used to test antimalware and sandboxing solutions. It contains a specific string that all antimalware vendors recognize as a test indicator. Using EICAR allows you to validate that Safe Attachments is actively scanning and blocking malicious attachments without using actual malware.

Create an EICAR Test File

  • Open Notepad on your test machine
  • Paste the following EICAR test string (this is not malware; it is a universally recognized test pattern):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  • Save the file as eicar-test.txt
  • Optionally, rename it to eicar-test.docx or zip it as eicar-test.zip to test different file type handling

Send the Test Email

  • From an external email account (e.g., a personal Gmail or Outlook.com account), compose a new email
  • Address it to your test mailbox in the organization (e.g., testuser@contoso.com)
  • Subject: Safe Attachments EICAR Test
  • Attach the eicar-test.txt file
  • Send the email

Observe Dynamic Delivery Behavior

  • Sign in to the test mailbox in Outlook or OWA
  • Within 1–2 minutes, you should receive the email without the attachment (Dynamic Delivery placeholder)
  • The email body contains a message indicating the attachment is being scanned
  • After scanning completes (typically 1–5 minutes), the attachment is either:
    • Attached: if the file is clean (it will appear in the email)
    • Quarantined: if the file is malicious (the EICAR test file should be quarantined)
  • Verify the EICAR file was quarantined by navigating to security.microsoft.com → Email & collaboration → Review → Quarantine

PowerShell: Check Message Trace

# WHAT: Trace the EICAR test message through the Exchange Online mail pipeline
# WHY:  After sending the EICAR test file, you need to confirm it was processed by Safe Attachments.
#       The message trace shows the delivery status, and the detail trace shows each processing step
#       including Safe Attachments scanning, Dynamic Delivery, and quarantine actions.
# OUTPUT:
#   1. Message trace: Shows Received timestamp, sender, subject, and delivery Status
#      Status should be "Quarantined" or "FilteredAsSpam" if Safe Attachments blocked the attachment
#   2. Message trace detail: Shows the sequence of processing events (RECEIVE, DELIVER, QUARANTINE)
#      Look for the "Advanced Threat Protection" event confirming detonation occurred

# Search for the EICAR test email in the last 2 hours
Get-MessageTrace -RecipientAddress "testuser@contoso.com" `
    -StartDate (Get-Date).AddHours(-2) `
    -EndDate (Get-Date) |
    Where-Object { $_.Subject -like "*EICAR*" } |
    Select-Object Received, SenderAddress, Subject, Status, MessageTraceId |
    Format-Table -AutoSize

# Get the detailed processing timeline for the EICAR message
# Each event shows what happened at each stage of the mail pipeline.
# Get-MessageTraceDetail takes a single MessageTraceId, so if several test
# messages match the subject filter, take the most recent one only.
$trace = Get-MessageTrace -RecipientAddress "testuser@contoso.com" `
    -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Where-Object { $_.Subject -like "*EICAR*" } |
    Sort-Object Received -Descending |
    Select-Object -First 1

Get-MessageTraceDetail -MessageTraceId $trace.MessageTraceId `
    -RecipientAddress "testuser@contoso.com" |
    Select-Object Date, Event, Action, Detail |
    Format-Table -AutoSize

⚠️ Tip: If the EICAR test file is blocked before reaching Safe Attachments, it may be caught by the anti-malware layer (which runs earlier in the protection stack). This is expected behavior; it means your baseline protection is working. To specifically test Safe Attachments detonation, you may need to use the Safe Attachments testing guidance from Microsoft to generate detonation-specific test scenarios.

Step 9 · Test Safe Links Protection

Validating Safe Links protection requires sending an email with test URLs and verifying that time-of-click scanning intercepts malicious links. Microsoft provides specific test URLs and methods to validate Safe Links without using actual phishing infrastructure.

Test URL Rewriting

  • Send an email from an external account to your test mailbox containing a benign URL (e.g., https://www.microsoft.com)
  • Open the received email in Outlook or OWA
  • Hover over the link: you should see the URL has been rewritten to route through the Safe Links service (the URL starts with https://nam01.safelinks.protection.outlook.com/ or similar)
  • Click the link: it should open normally after Safe Links scanning confirms it is benign

Test Malicious URL Blocking

  • Use the Tenant Allow/Block List to temporarily add a test URL to the block list:
    • Navigate to Threat policies → Tenant Allow/Block Lists → URLs
    • Click + Block
    • Enter a test URL: https://test-blocked-url.example.com
    • Set Remove block entry after to 1 day
    • Click Add
  • Send an email containing the blocked URL to your test mailbox
  • Click the link in the received email
  • You should see the Safe Links warning page indicating the URL is blocked
  • Verify that you cannot click through (because AllowClickThrough is set to $false)

Test Safe Links in Microsoft Teams

  • In a Microsoft Teams chat, send the blocked test URL to another user
  • The recipient should see the URL rewritten and blocked when clicked
  • Verify the Teams Safe Links experience: users see a warning dialog within the Teams client

PowerShell: Review Safe Links Click Data

# Check recent Safe Links URL trace data
Get-SafeLinksDetailReport -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object ClickTime, NetworkMessageId, Url, Action,
        UserPrincipalName, IsClickedThrough |
    Sort-Object ClickTime -Descending |
    Format-Table -AutoSize

# Check the Tenant Allow/Block List for blocked URLs
Get-TenantAllowBlockListItems -ListType Url -Block |
    Select-Object Value, Action, ExpirationDate, Notes |
    Format-Table -AutoSize

💡 Pro Tip: After testing, remember to remove the test URL from the Tenant Allow/Block List. Leaving test entries in production block lists creates confusion during future investigations. Use Remove-TenantAllowBlockListItems or set a short expiration when creating the block entry.
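The block-list test above can be wrapped in a small set of functions so that creating the entry, checking the click data, and cleaning up are repeatable. This is an added example, not part of the original lab; it assumes an active Connect-ExchangeOnline session, reuses the test URL from this step, and the 2-hour lookback window and the Action/IsClickedThrough columns are taken from the commands shown above.

```powershell
# Added example (not from the original lab). Assumes Connect-ExchangeOnline has run.
$TestUrl = "https://test-blocked-url.example.com"   # test URL from this step

function New-SafeLinksBlockTestEntry {
    param([string]$Url = $TestUrl)
    # Expiring entry: a forgotten test never lingers in the production block list
    New-TenantAllowBlockListItems -ListType Url -Block -Entries $Url `
        -ExpirationDate (Get-Date).AddDays(1) `
        -Notes "Safe Links validation test - safe to remove"
}

function Test-SafeLinksBlock {
    param(
        [string]$Url = $TestUrl,
        [int]$LookbackHours = 2,
        # Report rows may be passed in (e.g. a saved export) instead of querying live
        [object[]]$Clicks
    )
    if (-not $PSBoundParameters.ContainsKey('Clicks')) {
        $Clicks = Get-SafeLinksDetailReport -StartDate (Get-Date).AddHours(-$LookbackHours) `
                                            -EndDate (Get-Date)
    }
    # Only clicks on the test URL matter for this check
    $hits           = @($Clicks | Where-Object { $_.Url -like "$Url*" })
    $blocked        = @($hits   | Where-Object { $_.Action -eq "Blocked" })
    $clickedThrough = @($hits   | Where-Object { $_.IsClickedThrough -eq $true })
    [pscustomobject]@{
        Url            = $Url
        Clicks         = $hits.Count
        Blocked        = $blocked.Count
        ClickedThrough = $clickedThrough.Count
        # Pass: at least one click was recorded, every click was blocked, nobody clicked through
        Pass           = ($hits.Count -gt 0 -and
                          $blocked.Count -eq $hits.Count -and
                          $clickedThrough.Count -eq 0)
    }
}

function Remove-SafeLinksBlockTestEntry {
    param([string]$Url = $TestUrl)
    Remove-TenantAllowBlockListItems -ListType Url -Entries $Url
}

# Typical run: create the entry, send and click the test email, then evaluate and clean up
# New-SafeLinksBlockTestEntry
# Test-SafeLinksBlock | Format-List
# Remove-SafeLinksBlockTestEntry
```

Safe Links click data can lag the actual click by several minutes, so re-run Test-SafeLinksBlock if Clicks is still 0 shortly after testing.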

Step 10 · Monitor Protection Metrics and Create Alerts

Now that Safe Attachments and Safe Links are deployed, you need ongoing monitoring to ensure the policies are working effectively and to detect trends in threat activity. Microsoft Defender for Office 365 provides built-in reports, dashboards, and alerting capabilities to track protection metrics.

Review Built-in Reports

  • Navigate to security.microsoft.com → Reports → Email & collaboration reports
  • Threat protection status report: shows a summary of all threats detected by MDO, including Safe Attachments and Safe Links detections, broken down by action (blocked, quarantined, replaced)
  • URL protection report: displays all URL clicks processed by Safe Links, categorized by action (allowed, blocked, click-through, pending)
  • Mail flow status report: shows overall email delivery status, including messages affected by MDO policies
  • Review Threat Explorer (Plan 2 only) at Email & collaboration → Explorer for advanced investigation of detected threats

PowerShell: Get Report Data

# Get Safe Attachments report data
Get-MailDetailATPReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Group-Object -Property Action |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# Get Safe Links report data
Get-SafeLinksDetailReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Group-Object -Property Action |
    Select-Object Name, Count |
    Sort-Object Count -Descending

Additional Reporting Commands

# Get top targeted users by Safe Attachments detections
Get-MailDetailATPReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Group-Object -Property RecipientAddress |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Select-Object -First 10

# Get top clicked URLs from Safe Links
Get-SafeLinksDetailReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Where-Object { $_.Action -eq "Blocked" } |
    Group-Object -Property Url |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Select-Object -First 10

# Get daily detection trends
Get-MailDetailATPReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Group-Object -Property { $_.Date.ToString("yyyy-MM-dd") } |
    Select-Object Name, Count |
    Sort-Object Name

Configure Alert Policies

  • Navigate to security.microsoft.com → Policies & rules → Alert policy
  • Review the default alert policies related to MDO:
    • A potentially malicious URL click was detected: fires when a user clicks a URL blocked by Safe Links
    • Email messages containing malicious URL removed after delivery: fires when ZAP removes a message with a malicious URL
    • Email messages containing malware removed after delivery: fires when ZAP removes a message with a malicious attachment
    • Messages have been delayed: fires when Safe Attachments scanning causes significant delivery delays
  • Ensure these alert policies are enabled and configured to send notifications to your SOC team distribution list
  • Click each alert policy → Edit policy → verify the Email recipients field includes your SOC mailbox (e.g., soc-alerts@contoso.com)

⚠️ Tip: Safe Attachments and Safe Links policies may take up to 30 minutes to propagate across the service after creation or modification. When testing, wait at least 30 minutes after policy changes before sending test emails. If you need to validate urgently, use Threat Explorer → All email to check the policy applied to recently delivered messages.
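The portal check of the four alert policies can also be scripted so it can be re-run after every change. This is an added example, not part of the original lab; it assumes a Security & Compliance PowerShell session (Connect-IPPSSession), uses the placeholder SOC mailbox from this step, and assumes Get-ProtectionAlert exposes the Disabled and NotifyUser properties.

```powershell
# Added example (not from the original lab). Assumes Connect-IPPSSession has run.
# The four alert policy names are the defaults reviewed in this step.
$RequiredAlerts = @(
    "A potentially malicious URL click was detected",
    "Email messages containing malicious URL removed after delivery",
    "Email messages containing malware removed after delivery",
    "Messages have been delayed"
)

function Test-MdoAlertPolicies {
    param(
        [string]$SocMailbox = "soc-alerts@contoso.com",   # placeholder from this lab
        # Policy objects may be passed in for offline review; otherwise query live
        [object[]]$Policies
    )
    if (-not $PSBoundParameters.ContainsKey('Policies')) {
        $Policies = Get-ProtectionAlert
    }
    foreach ($name in $RequiredAlerts) {
        $p = $Policies | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $found    = ($null -ne $p)
        # Disabled = $true means the policy exists but will never fire
        $enabled  = $found -and (-not $p.Disabled)
        # NotifyUser holds the e-mail recipients (assumed property name); compare case-insensitively
        $notifies = $found -and (@($p.NotifyUser) -contains $SocMailbox)
        [pscustomobject]@{
            Alert       = $name
            Found       = $found
            Enabled     = $enabled
            NotifiesSoc = $notifies
            Compliant   = ($enabled -and $notifies)
        }
    }
}

# Show only the gaps so the SOC sees exactly what still needs fixing in the portal
Test-MdoAlertPolicies | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```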

Summary

What You Accomplished

Congratulations! In this lab you have deployed a comprehensive email threat protection stack for Woodgrove Bank:

  • A Safe Attachments policy with Dynamic Delivery that scans every inbound attachment in a cloud sandbox
  • Detonation and quarantine settings with redirect to the SOC mailbox for forensic analysis
  • A Safe Links policy with time-of-click URL scanning, click-through blocking, and URL rewriting across email, Teams, and Office apps
  • A managed URL exception list with documented business justifications and quarterly review process
  • Safe Attachments for SharePoint, OneDrive, and Teams to prevent lateral malware spread through collaboration
  • Preset security policies applied for Standard and Strict protection profiles
  • A validated deployment tested with the EICAR test file and controlled URL blocking scenarios
  • Monitoring dashboards and alerts for ongoing threat visibility and SOC notification

🚀 Next Steps

  • Next Lab: Attack Simulation Training & Security Awareness
  • Configure anti-phishing policies to complement Safe Attachments and Safe Links with impersonation protection
  • Deploy Attack Simulation Training to test user resilience against phishing; see MDO Lab 02
  • Set up automated investigation and response (AIR) to auto-remediate detected threats
  • Integrate MDO alerts with Microsoft Sentinel for cross-product correlation and unified incident management
  • Review Threat Explorer weekly to identify targeted attack patterns specific to your organization
  • Schedule quarterly reviews of Safe Links URL exception lists and quarantine release patterns
  • Consider deploying Priority Account Protection for executives and high-risk users

📚 Documentation Resources

  • Safe Attachments overview: How Safe Attachments works, detonation sandbox architecture, and supported file types
  • Configure Safe Attachments policies: Step-by-step guide to creating and managing Safe Attachments policies
  • Safe Links overview: How Safe Links URL scanning works, time-of-click protection, and URL rewriting
  • Configure Safe Links policies: Step-by-step guide to creating and managing Safe Links policies
  • Preset security policies: Standard and Strict protection profiles with recommended settings
  • Recommended settings for EOP and MDO: Microsoft's recommended configuration values for all email protection policies
  • Safe Attachments for SPO, OneDrive, and Teams: How file scanning works for SharePoint, OneDrive, and Teams collaboration
  • EICAR test file guidance: Using the EICAR test file to validate Safe Attachments scanning