Version: 2.1.1-preview

CIS.M365.2.1.1 - (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy)

Overview

2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled

Enabling a Safe Links policy for Office applications allows URLs inside Office documents and email opened by Office, Office Online and Office mobile to be checked by Defender for Office time-of-click verification and rewritten if required.

Note: E5 licensing includes a number of Built-in Protection policies. When auditing policies, note which policy you are viewing, and keep in mind that CIS recommendations often extend the Default or Built-in policies provided by Microsoft. In order to pass, the highest-priority policy must match all recommended settings.

Rationale

Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.

Impact

User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked.

Remediation action:

To create a Safe Links policy:

  1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
  2. Under Email & collaboration select Policies & rules
  3. Select Threat policies then Safe Links
  4. Click on +Create
  5. Name the policy then click Next
  6. In Domains select all valid domains for the organization and Next
  7. Ensure the following URL & click protection settings are defined:

Email

  • Checked On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default
  • Checked Apply Safe Links to email messages sent within the organization
  • Checked Apply real-time URL scanning for suspicious links and links that point to files
  • Checked Wait for URL scanning to complete before delivering the message
  • Unchecked Do not rewrite URLs, do checks via Safe Links API only.

Teams

  • Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.

Office 365 Apps

  • Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten

Click protection settings

  • Checked: Track user clicks
  • Unchecked: Let users click through the original URL
  • There is no recommendation for organization branding
  8. Click Next twice and finally Submit.

PowerShell

  1. Connect using Connect-ExchangeOnline.
  2. Run the following PowerShell script to create a policy at highest priority that will apply to all valid domains on the tenant:
  # Create the Policy with the CIS 2.1.1 recommended settings
  $params = @{
      Name                     = "CIS SafeLinks Policy"
      EnableSafeLinksForEmail  = $true
      EnableSafeLinksForTeams  = $true
      EnableSafeLinksForOffice = $true
      TrackClicks              = $true
      AllowClickThrough        = $false
      ScanUrls                 = $true
      EnableForInternalSenders = $true
      DeliverMessageAfterScan  = $true
      DisableUrlRewrite        = $false
  }
  New-SafeLinksPolicy @params

  # Create the rule for all users in all valid (accepted) domains and associate it with the policy.
  # Priority 0 is the highest priority, so this rule is evaluated before any other Safe Links rule.
  New-SafeLinksRule -Name "CIS SafeLinks" -SafeLinksPolicy "CIS SafeLinks Policy" -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0
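The note above says the check passes only when the highest-priority policy matches every recommended setting. The following script is an added audit example (it is not the Maester project's Test-MtCisSafeLink code and is not part of the original page): it finds the enabled Safe Links rule with the lowest Priority value, loads the policy that rule applies, and compares each setting from the remediation script against the CIS-recommended value. It assumes an existing Connect-ExchangeOnline session and uses only the Get-SafeLinksRule, Get-SafeLinksPolicy and Get-AcceptedDomain cmdlets; the variable names ($expected, $topRule, $findings) are the example's own.

```powershell
# Added audit example (not the page's or Maester's own code).
# Assumes Connect-ExchangeOnline has already been run in this session.

# Settings recommended by CIS 2.1.1, taken from the remediation script above.
$expected = @{
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    TrackClicks              = $true
    AllowClickThrough        = $false
    ScanUrls                 = $true
    EnableForInternalSenders = $true
    DeliverMessageAfterScan  = $true
    DisableUrlRewrite        = $false
}

# Safe Links rules are evaluated in Priority order (0 = highest), and only enabled
# rules take effect, so that is the rule whose policy actually governs users.
$topRule = Get-SafeLinksRule |
    Where-Object { $_.State -eq 'Enabled' } |
    Sort-Object Priority |
    Select-Object -First 1

if (-not $topRule) {
    Write-Warning 'No enabled Safe Links rule found; no custom policy is applied to users.'
    return
}

$policy = Get-SafeLinksPolicy -Identity $topRule.SafeLinksPolicy

# Compare each recommended setting with the value on the governing policy.
$findings = foreach ($setting in $expected.Keys) {
    $actual = $policy.$setting
    [pscustomobject]@{
        Setting  = $setting
        Expected = $expected[$setting]
        Actual   = $actual
        Pass     = ($actual -eq $expected[$setting])
    }
}

$findings | Sort-Object Setting | Format-Table -AutoSize

# The remediation scopes the rule to all accepted domains; report any accepted domain
# the top rule does not cover. (Rules scoped by user or group instead of domain will
# show every domain as uncovered here, so read that result in context.)
$uncovered = (Get-AcceptedDomain).Name | Where-Object { $_ -notin $topRule.RecipientDomainIs }
if ($uncovered) {
    Write-Warning "Rule '$($topRule.Name)' does not cover accepted domains: $($uncovered -join ', ')"
}

if ($findings.Pass -contains $false) {
    Write-Warning "Policy '$($policy.Name)' (rule '$($topRule.Name)', priority $($topRule.Priority)) does not meet CIS 2.1.1."
} else {
    Write-Host "Policy '$($policy.Name)' (rule '$($topRule.Name)', priority $($topRule.Priority)) meets CIS 2.1.1."
}
```

Run it after the remediation script to confirm the new rule really is the one at priority 0; if an older enabled rule still sorts first, its policy is the one being evaluated and must be fixed or reprioritised.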

Test Metadata

Field: Value
Test ID: CIS.M365.2.1.1
Severity: Medium
Suite: CIS
Category: CIS E5 Level 2
PowerShell test: Test-MtCisSafeLink
Tags: CIS, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.2.1.1, L2

Source

  • Pester test: tests/cis/Test-MtCisSafeLink.Tests.ps1
  • PowerShell source: powershell/public/cis/Test-MtCisSafeLink.ps1