
Safe Attachments and Safe Links

Emails containing malicious attachments and links are commonly used in attacks against large institutions. The university uses Microsoft Safe Attachments and Safe Links to better protect faculty, staff and students from phishing attacks and malware infections.

Learn more about Safe Attachments and Safe Links below, or click on a header to expand the selection and uncover additional information about specific questions.

Safe Attachments

Safe Attachments is a proven and effective security tool to reduce the chances of malicious attachments infecting computers or distributing ransomware. With Safe Attachments, all suspicious attachments go through a real-time behavioral malware analysis engine which uses machine-learning techniques to evaluate the content for suspicious activity. Suspicious and unsafe attachments are removed and the recipient is notified of the action. Safe Attachments is not noticeable to most email users.

What happens if Safe Attachments detects an unsafe attachment?

If an unsafe email attachment is detected by the scanning engine, then it will be removed from the email and replaced by a short text file informing the user that the original attachment was found to be malicious. If an attachment has been replaced by a text file, it will look similar to the example below:

Safe Attachments screenshot

Safe Attachments works on email coming from both internal and external sources. This further protects our email users from internal threats such as compromised devices or compromised user accounts. Please note, email deliveries with large attachments may be slightly delayed while the technology scans the content.


Does Safe Attachments affect file storage?

Yes. Safe Attachments uses the same advanced scanning engine used for emails to proactively scan documents in OneDrive and SharePoint and identify malware. If a document is identified as malicious, it will be blocked from opening, copying, moving or sharing. To learn more about Safe Attachments in Office 365 applications, visit the Microsoft Safe Attachments overview page.


Do I still need to be careful of the attachments I choose to open?

Yes. Safe Attachments is a proven and effective security tool, but it is not perfect and its implementation doesn't guarantee that all files are safe. There is still a chance that malicious attachments could make it to a user’s inbox. Continue to use extreme caution when opening attachments, especially from an unknown source. If anything about the email looks suspicious, please report it to your local help desk or security team.


What if Safe Attachments blocks something I need?

If you believe that the Safe Attachments engine has unnecessarily blocked an attachment or a file in Office 365, contact your IT support, help desk or information security team for assistance.


Safe Links

Phishing emails often contain a hyperlink or a URL that directs the user to a malicious website. Safe Links is a feature that scans all inbound email messages and provides time-of-click verification of URLs and links to provide an extra layer of protection against phishing emails.

How does Safe Links affect links in emails?

The Safe Links security engine rewrites any URL in the body of an email when it is delivered. Depending on the type of email you receive and the email client you are using, you may notice a few visual changes to the URL. Most people receive emails formatted in HTML, and there is no visual change in links for HTML emails. The URL rewrite is not noticeable in most email clients. In newer clients, hovering over the link will show the complete, rewritten URL, which will begin with "". Below is an example of how a rewritten link may appear in an HTML email:

Safe links screenshot


What will Safe Links look like in plaintext emails?

Plaintext emails are emails that do not allow for any formatting. While not as common as HTML emails, if you receive plaintext emails, you will see a visual difference in the hyperlink. Rewritten URLs will show in the body of the email. Below is an example of how a rewritten link may appear in a plaintext email:

Safe links screenshot 3


What happens when I click on a Safe Link?

Upon clicking a link, you may notice that the browser first takes you to the subdomain used to rewrite the URL. This is part of the Safe Link workflow. The webpage is being scanned for any malicious content. If you click a non-malicious link, you will be redirected to your intended destination after a few moments. This redirection is usually not noticeable and should not cause significant delays. If a link is determined to be malicious by the Safe Links scanning engine, you will see the following screen (or a similar one) instead of the webpage:

Safe Links scanning engine screenshot

There are other messages you might encounter after Safe Links scans a webpage, but they look similar to the screenshots above. More examples can be found on the Microsoft webpage.


Will Safe Links impact other Office 365 applications?

Yes. Safe Links security features will also apply to any URL in OneDrive, SharePoint and Teams. There will be no visual change for links in these platforms, but the same protection will be applied.


How do I forward or reply to an email with a Safe Link?

Once a link has been rewritten to a Safe Link, it will remain rewritten when you forward or reply to a message. You will not need to take further action. If an email is received from an external user, links will be rewritten when that email is delivered to a university user’s mailbox. Additionally, any reply to that sender will contain the rewritten URL links. If the email is using the common HTML formatting, this URL rewrite should not be noticeable to either the sender or the recipient.


What if Safe Links blocks a safe URL?

If you believe a URL has been blocked unnecessarily or a malicious website was not blocked successfully, please reach out to your IT support, Help Desk or Information Security team for assistance.

If you need to determine where an original URL points to, please use our Safe Links decoder to “unwrap” the actual URL from Safe Links. This tool should not be used as a method to bypass the Safe Links feature and users should still click on Safe Links versions of links unless they believe a resource is being blocked when it shouldn’t be.
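The unwrapping step can also be done offline, without visiting the link. The sketch below is an added example, not the university's decoder and not Microsoft code. It assumes the publicly documented wrapper layout (a host ending in `safelinks.protection.outlook.com` with the original address percent-encoded in the `url` query parameter); the sample links and their `data`/`sdata` values are constructed.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: host suffix of the Safe Links wrapper service.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # stop if a link turns out to be wrapped again and again

# Constructed sample: a wrapped link to https://www.example.edu/payroll?id=7&lang=en
SAMPLE = ("https://nam02.safelinks.protection.outlook.com/"
          "?url=https%3A%2F%2Fwww.example.edu%2Fpayroll%3Fid%3D7%26lang%3Den"
          "&data=CONSTRUCTED&sdata=CONSTRUCTED&reserved=0")
# Constructed sample: the wrapped link above, wrapped a second time.
NESTED_SAMPLE = ("https://eur01.safelinks.protection.outlook.com/?url="
                 + quote(SAMPLE, safe="") + "&reserved=0")


def is_safelink(url: str) -> bool:
    """True only when the host itself is a Safe Links wrapper host.

    Matching on the parsed hostname (not a substring of the URL) means a
    lookalike such as safelinks.protection.outlook.com.login.example is
    not treated as a wrapper.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url: str) -> str:
    """Return the original destination as text; nothing is requested."""
    for _ in range(MAX_DEPTH):
        if not is_safelink(url):
            return url  # already a plain URL (or a lookalike, left untouched)
        # parse_qs percent-decodes the parameter value exactly once
        targets = parse_qs(urlsplit(url).query).get("url")
        if not targets:
            raise ValueError("Safe Links wrapper has no 'url' parameter")
        url = targets[0]
    raise ValueError("too many nested Safe Links wrappers")


if __name__ == "__main__":
    for link in (SAMPLE, NESTED_SAMPLE):
        print(unwrap_safelink(link))
```

The function only decodes text, so the time-of-click scan still happens when the wrapped link itself is opened.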


Reviewed 2021-06-03